Salt Minion Communication to Vault

481 views

MrPepik

Jul 26, 2018, 4:09:52 PM
to Salt-users
Hi Everyone,

I am testing using Vault with SaltStack and have a few questions, since there are very limited examples of how to set up the Vault policies and the Salt master and minion configurations.

So far I am able to pull data from my Vault secrets with no issues from the Salt master and from a minion on the same network as the Vault system. But if I block the minion's IP from the Vault system, or if the minion is on a remote network, I am not able to pull the data. The minions have access to Salt, but we don't want them to have direct access to Vault.

So this brings me to my first question: do the minions need access to the Vault server directly to pull secrets?

And second, is there a way to use the master as a "proxy" to pull the data from Vault and pass it to the minion, either as an ext_pillar or by pulling the data into sdb somehow?

The scenario is that the salt-master and Vault are each in secure networks, but port 8200 is allowed from the salt-master to the Vault system. The minions are set up in other networks that only have access to the salt-master via the minion ports. No SSH or other access. The salt-master has full access to the minions, of course.

Thanks in advance and I appreciate any help.

MrPepik

Daniel Wallace

Jul 26, 2018, 4:10:36 PM
to Salt-users
If you do not want the minion to pull the data down, you will need to use ext_pillar.

For ext_pillar the master pulls the data.

--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/salt-users/405189cb-b63b-455a-8796-45b44cb951e6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Joseph Hardeman

Jul 27, 2018, 9:03:11 AM
to salt-...@googlegroups.com
Hi Daniel,

Thank you for the reply. I have tried to set up ext_pillar to use Vault, and I can pull data from Vault with an sdb call from the master and from minions that can reach Vault. But I get an error that the minion cannot connect to Vault when trying from a minion that cannot reach Vault directly.

[root@minion-salt-test salt]# salt-call sdb.get 'sdb://myvault/secrets/user1?foo'
[ERROR   ] Failed to read secret! ConnectionError: ('Connection aborted.', error(111, 'Connection refused'))
Error running 'sdb.get': ('Connection aborted.', error(111, 'Connection refused'))

This leads me to believe that the minion is trying to reach Vault directly. Shouldn't it be asking the master for the data on a salt-call?

Thanks again for any help or insight you can provide.





Daniel Wallace

Jul 27, 2018, 9:15:37 AM
to Salt-users
The point of sdb is to remove the need to store everything in pillar, and to allow the minion to reach out and get data as well.

So the minion asks the master for a token, then the minion uses that token to get data from sdb directly.

If a minion cannot talk to vault, then it cannot use the vault sdb.

Joseph Hardeman

Jul 27, 2018, 3:12:59 PM
to salt-...@googlegroups.com
Ah, that makes sense. 

And that is where my problem lies. I am trying to figure out how to get the master to pull the data from Vault and then provide that data to the customer without the minion having to talk to the ext_pillar directly.

I appreciate any suggestions on how to do this and I will keep testing things on my test env.





Daniel Wallace

Jul 27, 2018, 4:35:27 PM
to Salt-users
You should use ext_pillar for this.

Unlike sdb, ext_pillar is just an external source for pillar data. The master is the service that renders pillar data, so the minion never touches Vault if you use the ext_pillar for Vault.

And then the master just passes the data to the minion as pillar data.
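
The two data paths Daniel contrasts, as an added configuration example that is not from the thread or from the Salt project. Hostnames, the token value, the secret paths and the policy name are placeholders. The `{minion}` substitution in `policies` is part of Salt's vault utils; the same substitution in the ext_pillar `path=` is assumed to be supported by the Salt release in use (it is documented for the vault ext_pillar in recent releases, so check the docs for your version). The example also assumes a KV version 1 secrets engine mounted at `secret/`.

```yaml
# --- /etc/salt/master: the only host that can reach Vault on port 8200 ---
vault:
  url: https://vault.example.internal:8200
  auth:
    method: token
    # the master's own token; it is also the parent of any token the master
    # mints for minions, so grant it only what the paths below require
    token: s.REPLACE_WITH_MASTER_TOKEN
  policies:
    # policies attached to tokens the master hands to minions (sdb path only);
    # {minion} expands to the requesting minion's id
    - saltstack/minion/{minion}

# ext_pillar (master-side, Daniel's recommendation): while rendering pillar the
# master fetches secret/salt/<minion-id> with its own token and ships the
# key/value pairs to the minion over the normal 4505/4506 channel. The minion
# never opens a connection to Vault, so the firewall rule is irrelevant to it.
ext_pillar:
  - vault: path=secret/salt/{minion}

---
# --- /etc/salt/minion (or minion pillar): sdb profile as in Joseph's test ---
# sdb (minion-side): the minion asks the master for a token and then connects
# to vault.url ITSELF. From a network that cannot reach port 8200 this is
# exactly the "Connection refused" seen above; sdb://myvault/... cannot work
# there, no matter how the master is configured.
myvault:
  driver: vault
```

Give the master token a Vault policy that allows only `read` on `secret/salt/*` and nothing else, and put nothing under a minion's path that you would not hand to that minion: each minion can read its own rendered pillar with `pillar.items`, but not another minion's. Two caveats a practitioner hits with this setup: the vault ext_pillar merges the secret's keys into the top level of pillar (unless your version supports a nesting key), so avoid names that collide with other pillar sources; and if `pillar_cache: True` is set on the master, the rendered secrets are also written to the master's cache directory on disk. With a KV version 2 engine the read path becomes `secret/data/<path>` and the secret body is nested under a `data` key, so verify what your Salt version returns before relying on it.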

Scott Cudney

Jul 27, 2018, 4:35:48 PM
to salt-...@googlegroups.com
Joseph,

Your minions don't ALL need to have access to the Vault server, but one of them does.  As long as one of them can query Vault, you can configure your master to allow a set of nodes (or all nodes) to execute a specific method on the minion that has access to Vault.  Check out the X509 state for an example of how to do this.

Thank you!

Scott Cudney


 


Joseph Hardeman

Jul 27, 2018, 6:13:28 PM
to salt-...@googlegroups.com
Hey Scott,

I will take a look at that process and see if I can get it to work.  I appreciate the pointer to go look at.

Thanks

Joseph


Joseph Hardeman

Jul 27, 2018, 6:15:17 PM
to salt-...@googlegroups.com
Daniel,

Thank you for reply.  This is exactly what I want to do, but I have not been able to get it work yet.  I am still plugging away and seeing what I can figure out.  :-)

Thanks,

Joseph

Gary Camblin

Jun 6, 2019, 8:47:43 AM
to Salt-users
Hi Joseph,

Did you ever manage to get this working? I'm in the same situation where only the master has network access to Vault.

I looked at the X509 state example from Scott, but I don't see an example of using another minion as a Vault proxy.

Thanks
Gary

David Jeche

Jun 6, 2019, 9:54:23 AM
to Salt-users
Getting the x509 state to work with the Vault server is pretty hard. I have attempted this previously and there are major problems with general functionality. The best I could do was to generate a new module that can be used by Salt to call commands.

It is basically an API and you can just write to API endpoints, manage the returned data, then proceed to write it to disk. One of the major problems I had was checking whether a new certificate is required. It does not look very nice, but at best it worked. The only issue is that it will not be integrated with the main SaltStack x509 module. It will be separate, but maybe that would be the best option until the x509 module in SaltStack is more mature.


# -*- coding: utf-8 -*-
'''
Custom execution module: request a certificate from Vault's PKI secrets engine
through Salt's bundled vault utils and write the returned PEM files to disk.
``__grains__`` and ``__utils__`` are injected by the Salt loader.
'''
from __future__ import absolute_import
import logging
import os

log = logging.getLogger(__name__)


def write_certs(vault_response, name, output):
    '''
    Write the certificate, issuing CA and private key returned by Vault to
    <output>/<name>.cert.pem, <output>/<name>.ca.pem and <output>/<name>.key.pem.
    '''
    # create the output directory if it does not exist
    if not os.path.isdir(output):
        os.makedirs(output)

    cert_path = os.path.join(output, '{0}.cert.pem'.format(name))
    ca_path = os.path.join(output, '{0}.ca.pem'.format(name))
    key_path = os.path.join(output, '{0}.key.pem'.format(name))

    # 'with' closes the files; the original called f.close without parentheses
    with open(cert_path, 'w') as f:
        f.write(str(vault_response['certificate']))
    with open(ca_path, 'w') as f:
        f.write(str(vault_response['issuing_ca']))
    # create the key file owner read/write only, before any bytes are written
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as f:
        f.write(str(vault_response['private_key']))


def generate_cert(path, output, **kwargs):
    '''
    POST the keyword arguments to v1/<path> (e.g. pki/issue/<role>) and write
    the resulting PEM files under <output>. ``name`` is the file base name and
    is not sent to Vault; the remaining kwargs (common_name, ttl, ...) are.

    CLI example, if this file is installed as _modules/vault_pki.py:

        salt-call vault_pki.generate_cert pki/issue/web /etc/pki/ name=web common_name=web.example.com
    '''
    log.debug('Requesting certificate for %s at %s', __grains__['id'], path)
    # drop the __pub_* arguments Salt adds to every call before sending to Vault
    data = dict([(x, y) for x, y in kwargs.items() if not x.startswith('__')])
    name = data.pop('name')
    response = None  # defined before the try so the except branch can return it
    try:
        url = 'v1/{0}'.format(path)
        response = __utils__['vault.make_request']('POST', url, json=data)
        if response.status_code == 200:
            result = response.json()['data']
            write_certs(result, name, output)
            # the private key is now on disk; do not echo it back through the
            # job return, where it would land in the event bus and job cache
            return dict((k, v) for k, v in result.items() if k != 'private_key')
        elif response.status_code != 204:
            response.raise_for_status()
        return True
    except Exception as err:  # pylint: disable=broad-except
        log.error('Failed to issue certificate! %s: %s', type(err).__name__, err)
        return response