Customization with Vault Extensions
HashiCorp Vault is a powerful secrets management engine that enterprises adopt as their core secrets solution. Some customers need support and functionality beyond the default offering. For this, HashiCorp offers Vault Extensions to customize processes, systems, and emerging technologies. In this article I’ll cover Vault Extensions — what they are, why you would use them, and how they work.
Along with this article, we’re launching two new open source projects.
- vault-assistant: A utility that will provide a quick and easy way to install, configure, and run HashiCorp Vault.
- scalesec-secret-store: A Vault Extension that will help jumpstart an enterprise’s journey to customize Vault.
Why Vault Extensions?
Vault Extensions allow enterprises to extend Vault to work with new and emerging technologies or to integrate with their custom processes and systems. With this custom integration an enterprise can expand the value it receives from Vault instead of modifying its processes or changing its product stack to align with Vault’s feature set. That kind of redirection can actually lower an enterprise’s value proposition, because it gives up the business value of its custom processes, tools, and sometimes application architecture.
Enterprises have many custom identity provisioning processes that track ID creation and password rotation, and these may be part of their regulatory reporting and attestation processes. Recreating them could be very difficult or very costly. A custom Vault extension can allow them to benefit from Vault’s lifecycle management and storage capabilities as well as from their internal processing and tracking systems.
Investment by enterprises in popular databases like Oracle, MSSQL, PostgreSQL, and Mongo is great. There are also new database technologies that enterprises wish to adopt for cost savings or niche features, such as Neo4j and Cockroach, and legacy databases that are very costly to migrate away from: IBM DB2, Sybase, and Informix. A custom Vault extension can allow them to interface with these databases.
When to Use Them
Vault offers extension frameworks that allow for new functionality through its plugin interface to be added without modifying Vault’s core code base. It allows for the creation of three types of extensions: Secret Engine, Authorization, and Database (1).
Secret Engine Extension: The Secret Engine plugin interface extension allows an enterprise to extend Vault’s Key/Value storage capabilities to interface with their custom or legacy stores. This could be an implementation of CyberArk or a proprietary solution. It also allows them to interface with emerging Key/Value secret stores like Azure Key Vault or AWS Secrets Manager.
Authorization Extension: The plugin interface for Authorization Extensions allows for custom interfaces to authorization engines like Okta and Auth0. This extension allows enterprises to use their current processes for identity provisioning that could be utilizing SailPoint or Active Directory.
Database Extension: The Database Extension plugin framework is what Vault uses to interface with databases (2). I prefer to call this Vault’s “Dynamic” secrets engine. It allows you to extend Vault to interface with authorization systems that support the dynamic ID life cycle. This is usually database engines but can be other sources as well.
Dynamic ID Life Cycle: In the dynamic ID life cycle Vault utilizes a master/root ID and password and a provided set of grant and revoke statements to manage the created ID. Vault uses the master ID and grant statements to create a new ID/password and grant the access for it. It also sets a time to live for the created ID. Vault uses the same master ID to revoke access and to delete the ID once the time to live has been reached.
This extension framework allows an enterprise to integrate with new or legacy database technologies: Neo4j, Cockroach, IBM DB2, or Sybase. The integration doesn’t have to be limited to databases. An enterprise may have a legacy Active Directory system with AD groups that it wants to leverage for application permissions. This framework would allow it to create unique Active Directory IDs and grant access by adding them to the group(s). Once the time to live is reached, it would remove the ID from the group(s) and then delete it from Active Directory.
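The dynamic ID life cycle described above, as an added example that is not code from this article or from ScaleSec’s projects: a small Go simulation of a dynamic secrets engine built on the standard library rather than the Vault SDK. It assumes a constructed in-memory FakeDB in place of a real database connection and PostgreSQL-style SQL of my own; the {{name}}, {{password}} and {{expiration}} placeholders are the ones Vault’s database engine actually substitutes into configured creation and revocation statements. The engine uses the master/root credentials for every statement, attaches a time to live to each created ID, and revokes and deletes the ID once that time has passed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// {{name}}, {{password}} and {{expiration}} are the placeholders Vault's database
// engine substitutes into statements; the SQL is a constructed PostgreSQL-style example.
const (
	creationStmt   = `CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";`
	revocationStmt = `REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM "{{name}}"; DROP ROLE IF EXISTS "{{name}}";`
)

// FakeDB stands in for a database connection: it checks the root credentials and
// records every statement it accepts so the lifecycle can be inspected.
type FakeDB struct {
	RootUser, RootPassword string
	Executed               []string
}

func (f *FakeDB) Exec(user, pass, stmt string) error {
	if user != f.RootUser || pass != f.RootPassword {
		return errors.New("root credentials rejected")
	}
	f.Executed = append(f.Executed, stmt)
	return nil
}

// Lease is one dynamically created ID and the moment it must be revoked.
type Lease struct {
	ID, Username, Password string
	Expires                time.Time
}

// DynamicEngine holds the master/root ID, the TTL and the live leases.
type DynamicEngine struct {
	db                 *FakeDB
	rootUser, rootPass string
	ttl                time.Duration
	leases             map[string]*Lease
}

func NewDynamicEngine(db *FakeDB, rootUser, rootPass string, ttl time.Duration) *DynamicEngine {
	return &DynamicEngine{db: db, rootUser: rootUser, rootPass: rootPass, ttl: ttl, leases: map[string]*Lease{}}
}

// render fills the placeholders; the expiration is written in UTC.
func render(tmpl, name, password string, exp time.Time) string {
	return strings.NewReplacer("{{name}}", name, "{{password}}", password,
		"{{expiration}}", exp.UTC().Format("2006-01-02 15:04:05Z")).Replace(tmpl)
}

// Create is the grant step: unique ID, random password, creation statements run under
// the root ID, and a lease carrying the time to live.
func (e *DynamicEngine) Create(role string, now time.Time) (*Lease, error) {
	raw := make([]byte, 20)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	suffix := hex.EncodeToString(raw[:4])
	lease := &Lease{ID: "lease-" + suffix, Username: "v-" + role + "-" + suffix,
		Password: hex.EncodeToString(raw[4:]), Expires: now.Add(e.ttl)}
	if err := e.db.Exec(e.rootUser, e.rootPass, render(creationStmt, lease.Username, lease.Password, lease.Expires)); err != nil {
		return nil, err
	}
	e.leases[lease.ID] = lease
	return lease, nil
}

// Revoke is the revoke step: revocation statements run under the root ID, then the
// lease is forgotten. Revoking an unknown or already revoked lease is an error.
func (e *DynamicEngine) Revoke(leaseID string) error {
	lease, ok := e.leases[leaseID]
	if !ok {
		return fmt.Errorf("unknown lease %q", leaseID)
	}
	if err := e.db.Exec(e.rootUser, e.rootPass, render(revocationStmt, lease.Username, "", lease.Expires)); err != nil {
		return err
	}
	delete(e.leases, leaseID)
	return nil
}

// ExpireLeases revokes every lease whose time to live has been reached (Vault's
// expiration manager does this on a timer) and returns the revoked lease IDs.
func (e *DynamicEngine) ExpireLeases(now time.Time) []string {
	var revoked []string
	for id, l := range e.leases {
		if !now.Before(l.Expires) && e.Revoke(id) == nil {
			revoked = append(revoked, id)
		}
	}
	return revoked
}

func main() {
	db := &FakeDB{RootUser: "vault_root", RootPassword: "constructed-root-secret"}
	eng := NewDynamicEngine(db, db.RootUser, db.RootPassword, time.Hour)
	lease, _ := eng.Create("readonly", time.Now())
	fmt.Println(lease.Username, "revoked:", eng.ExpireLeases(lease.Expires))
	fmt.Println(strings.Join(db.Executed, "\n"))
}
```

Two things worth noticing when running it: the revocation statements carry no password, so the same template mechanism cannot leak the generated secret back out, and a lease that has already been revoked cannot be revoked twice, which is what keeps the expiration sweep idempotent.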
How They Work
Installing and Configuring Vault
The custom Vault plugin development journey starts with the installation and configuration of HashiCorp Vault (3). While Vault is a single binary, configuring and running Vault to support plugin development can be daunting (4). You will want to mirror a production environment as closely as possible instead of running Vault in development mode: Vault needs to be initialized for data storage, the plugin directory needs to be created and configured, Vault should run in non-development mode where it is sealed and unsealed, and a TCP listener needs to be configured for proper plugin communication. There are many configuration settings to consider and some are complex. ScaleSec makes this easy with its open source project: Vault Assistant.
Implementation:
- Clone or Download the code and run: vault-install.sh
- If you already have Vault installed and want to play with Vault Assistant, just run: vault-assistant-install.
If you wish to install and configure Vault manually: Vault is a single binary that you can download from the HashiCorp download site (https://www.vaultproject.io/downloads) or install with brew install commands.
Installing and Configuring A Custom Plugin
Writing a custom plugin is an endeavor that you only start once you understand how plugins work and behave in Vault. How do they receive data? What data do they need to return and what life cycle calls do you need to consider? For that reason, we will focus on how to build, deploy, and work with a custom plugin. We will dig into the actual plugin framework architecture in the future (5, 6).
HashiCorp offers secret engine and database (dynamic) engine frameworks for extending the capabilities of Vault or integrating with custom interfaces. We are going to start with a custom secret engine plugin. ScaleSec has created a learning project that you can use to understand the processes of building, deploying, configuring, and interacting with a custom plugin. Clone or download the scalesec-secret-store project from GitHub.
There are two .go files in the project:
plugin/main.go
- The main entry point and a very standard HashiCorp setup that describes the custom plugin for Vault.
scalesecSecretStore.go
- Contains all the framework implementation code and logic.
The code is built and deployed to Vault with the shell script make-scalesec-secret-store-plugin.sh. Run it and pass it the argument or arguments, in sequence, for what you want to do. For example, make-scalesec-secret-store-plugin.sh build deploy will build the plugin and deploy it to Vault. The script supports the following arguments:
build
- Build the plugin for Mac and Linux amd64 architectures
debug
- Build the plugin for debug with Delve
deploy
- Deploy and register the plugin with HashiCorp Vault
test
- Run all of the tests listed below
test_write
- Perform a write function with Vault to invoke the write function in the plugin
test_read
- Perform a read function with Vault to invoke the read function in the plugin
test_delete
- Perform a delete function with Vault to invoke the delete function in the plugin
test_list
- Perform a list function with Vault to invoke the list function in the plugin

(This code is for educational purposes and is not intended to be used in production as it stands.)
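What the deploy step relies on, as an added example (not the make-scalesec-secret-store-plugin.sh script or any code from the project): registering a plugin pins the SHA-256 of the binary in Vault’s plugin catalog, and Vault will not start a plugin whose file in plugin_directory no longer hashes to that value, so every rebuild has to be followed by a fresh registration. This Go program computes that digest, assembles the vault plugin register command line, and mirrors the catalog check. The temp directory, the fake binary contents and the use of the project name as the file name are constructed placeholders.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// sha256OfFile returns the lowercase hex digest that `vault plugin register -sha256=<digest>`
// takes; the file is streamed so a large plugin binary is not read into memory at once.
func sha256OfFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// RegisterCommand assembles the argv the deploy step runs for a freshly built binary
// that sits in Vault's configured plugin_directory.
func RegisterCommand(pluginDir, pluginType, pluginName string) ([]string, error) {
	digest, err := sha256OfFile(filepath.Join(pluginDir, pluginName))
	if err != nil {
		return nil, err
	}
	return []string{"vault", "plugin", "register", "-sha256=" + digest, pluginType, pluginName}, nil
}

// VerifyPlugin mirrors the check Vault's plugin catalog performs before it starts a plugin:
// the name must be a bare file name inside plugin_directory, and the binary on disk must
// still hash to the digest recorded at registration. A rebuilt binary must be re-registered.
func VerifyPlugin(pluginDir, pluginName, registeredSHA string) error {
	if pluginName == "" || pluginName == "." || pluginName == ".." || pluginName != filepath.Base(pluginName) {
		return fmt.Errorf("plugin name %q must be a bare file name", pluginName)
	}
	digest, err := sha256OfFile(filepath.Join(pluginDir, pluginName))
	if err != nil {
		return err
	}
	if digest != strings.ToLower(registeredSHA) {
		return fmt.Errorf("sha256 mismatch for %s: catalog has %s, file on disk is %s", pluginName, registeredSHA, digest)
	}
	return nil
}

func main() {
	// Constructed stand-ins: a temp directory as plugin_directory and a fake binary.
	dir, name := os.TempDir(), "scalesec-secret-store"
	_ = os.WriteFile(filepath.Join(dir, name), []byte("constructed fake plugin binary"), 0o755)
	argv, err := RegisterCommand(dir, "secret", name)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(strings.Join(argv, " "))
	fmt.Println("verify:", VerifyPlugin(dir, name, strings.TrimPrefix(argv[3], "-sha256=")))
}
```

The digest comparison is case-insensitive because the CLI accepts the hash in either case; the name check rejects anything with path elements so a registration can only ever point at a file directly inside the configured plugin directory.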
As you perform the Vault functions, it will log out all the data coming into and out of the functions so you can see and learn how a custom plugin operates. The best way to see this is by using the ScaleSec “Vault Assistant”. Log information will show up in the terminal window it uses for displaying the menu. Keep in mind — it will log out any secret values you give it. Again, this is for educational purposes so this is intentional. Don’t give it real secrets.
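As an added illustration of the four operations and of the logging behaviour just described (hypothetical code, not the scalesec-secret-store plugin, and written against the standard library rather than the Vault SDK): an in-memory secret store whose list operation follows the trailing-slash convention Vault’s framework uses for nested paths in list responses, and whose operation log redacts secret values by default. The logSecrets flag reproduces the plaintext logging the learning project does on purpose, so the two outputs can be compared side by side. The paths and values are constructed samples.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Entry is the key/value map one secret path holds, like the data a KV write accepts.
type Entry map[string]string

// SecretStore is a hypothetical in-memory backend with the four operations the learning
// project exercises. logSecrets=false redacts values in the log; true logs them in clear.
type SecretStore struct {
	data       map[string]Entry
	log        []string
	logSecrets bool
}

func NewSecretStore(logSecrets bool) *SecretStore {
	return &SecretStore{data: map[string]Entry{}, logSecrets: logSecrets}
}

// logf records one operation with the entry's keys in sorted order.
func (s *SecretStore) logf(op, path string, e Entry) {
	keys := make([]string, 0, len(e))
	for k := range e {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for i, k := range keys {
		if s.logSecrets {
			keys[i] = k + "=" + e[k]
		} else {
			keys[i] = k + "=<redacted>"
		}
	}
	s.log = append(s.log, fmt.Sprintf("%s %s {%s}", op, path, strings.Join(keys, ",")))
}

// Write stores a copy of the entry at path; an empty path or one naming a folder is rejected.
func (s *SecretStore) Write(path string, e Entry) error {
	if path == "" || strings.HasSuffix(path, "/") {
		return fmt.Errorf("invalid secret path %q", path)
	}
	cp := make(Entry, len(e))
	for k, v := range e {
		cp[k] = v
	}
	s.data[path] = cp
	s.logf("write", path, cp)
	return nil
}

// Read returns the entry and whether it exists.
func (s *SecretStore) Read(path string) (Entry, bool) {
	e, ok := s.data[path]
	if ok {
		s.logf("read", path, e)
	}
	return e, ok
}

// Delete removes the entry and reports whether anything was there.
func (s *SecretStore) Delete(path string) bool {
	e, ok := s.data[path]
	if ok {
		delete(s.data, path)
		s.logf("delete", path, e)
	}
	return ok
}

// List returns the direct children of prefix, sorted, with sub-folders marked by a
// trailing "/", the convention Vault's framework uses for nested paths in list responses.
func (s *SecretStore) List(prefix string) []string {
	if prefix != "" && !strings.HasSuffix(prefix, "/") {
		prefix += "/"
	}
	seen := map[string]bool{}
	for p := range s.data {
		if !strings.HasPrefix(p, prefix) {
			continue
		}
		rest := strings.TrimPrefix(p, prefix)
		if i := strings.Index(rest, "/"); i >= 0 {
			rest = rest[:i+1]
		}
		seen[rest] = true
	}
	keys := make([]string, 0, len(seen))
	for k := range seen {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// Log returns the operation log in order.
func (s *SecretStore) Log() []string { return s.log }

func main() {
	s := NewSecretStore(false)
	_ = s.Write("app/db", Entry{"password": "constructed-sample"})
	_ = s.Write("app/api/token", Entry{"token": "constructed-sample"})
	fmt.Println(s.List("app"), s.List(""), s.Log())
}
```

Listing "app" yields [api/ db]: the trailing slash is how a client learns it can descend into api/, and it is also why a write to a path ending in "/" is refused, since the store could not distinguish such a secret from a folder.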
Using the interactive Delve debugger in VSCode is an excellent way to learn and see what goes on in the plugin. This involves installing Delve and attaching to running processes and is a little more complicated for this discussion. Refer to the README.MD to learn how to work with the plugin and the interactive debugger.
Interested in maximizing your business’s full value proposition with Vault? Reach out to ScaleSec to learn how our certified Vault experts can help.
The information presented in this article is accurate as of 4/13/2022. Follow the ScaleSec blog for new articles and updates.
Notes:
1. https://learn.hashicorp.com/tutorials/vault/plugin-backends
2. https://www.vaultproject.io/docs/secrets/databases/custom
3. https://learn.hashicorp.com/tutorials/vault/configure-vault
4. https://www.vaultproject.io/docs/configuration
5. https://github.com/hashicorp/vault-guides/tree/master/plugins
6. https://learn.hashicorp.com/tutorials/vault/custom-secrets-engine-build
About ScaleSec
ScaleSec is a service-disabled, veteran-owned small business (SDVOSB) for cloud security and compliance that helps innovators meet the requirements of their most scrutinizing customers. We specialize in cloud security engineering and cloud compliance. Our team of experts guides customers through complex cloud security challenges, from foundations to implementation, audit preparation and beyond.