guide to setup production ready vault


Gary Wright

May 8, 2015, 5:17:43 PM
to vault...@googlegroups.com
Hello,

I am very excited to get started with vault and would love to get a better understanding of deploying in a production ready manner.  At the moment I am trying to set up a barebones configuration and was wondering if I could maybe request some assistance?  At the moment I am wanting to configure a vault with file storage, API ID for authentication, ACL for specifying APP ID secret access.

At the moment I have followed through the guide, and have been able to successfully configure a server configuration HCL:

backend "file" {
  path = "/root/vaultsecrets"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/root/server.crt"
  tls_key_file = "/root/server.key"
}

* note this is a docker container I am currently working within.

I have also performed an init, generated the keys and unsealed with the default of 3 of the unlock shard keys.


At this point I am unsure how exactly to proceed in order to configure APP IDs, how to configure ACL for them and finally how to create secrets which are accessible for them.

The documentation seems complete on the site, however without a concise ordering, it is pretty unclear to me what needs to happen first.

If someone could provide end to end configuration of a vault, app id, acl and secret interaction, that would be awesome!

Armon Dadgar

May 11, 2015, 4:03:32 PM
to vault...@googlegroups.com, Gary Wright
Hey Gary,

I agree it would be useful for us to put together a bit more of a sequential getting started guide.

In the meantime, based on where you are:

1) You will need to enable the AppID backend and configure it. This is not enabled by default.
The guide at the bottom of the page should help.

2) Next you should define a set of policies based on roles (e.g. what does the web server
have access to, what do operators have access to, etc). There is more info here:

3) Lastly, reading and writing secrets depends on the type of secret backend used.
The “generic” backend is the simplest, and there is a guide on it here:

Hope that helps!

Best Regards,
Armon Dadgar

Gary Wright

May 12, 2015, 12:00:37 PM
to vault...@googlegroups.com, 00000zeros...@gmail.com
Hello Armon,

Thanks much for the guide and I will try to work through the steps and try again.  By the way, I had read in an issue on GitHub that a front end (simple at the moment) was potentially going to be available soon.  Any ETA on an admin panel?

regards,
Gary



Armon Dadgar

May 12, 2015, 12:48:01 PM
to vault...@googlegroups.com, Gary Wright, 00000zeros...@gmail.com
Hey Gary,

We had a simple one working, but it wasn’t where we wanted it to be for public release.
It’s on the roadmap, but there is no definite timeline.

Best Regards,
Armon Dadgar


Misha Manulis

May 12, 2015, 2:23:23 PM
to vault...@googlegroups.com, 00000zeros...@gmail.com
Hi Armon,

I'd be interested in working on the front-end.  Is there a branch available with the code you have so far?  If not, is the team partial to a specific approach / tech stack?

Misha



Armon Dadgar

May 12, 2015, 3:02:48 PM
to vault...@googlegroups.com, Misha Manulis, 00000zeros...@gmail.com, Jack Pearkes
Hey Misha,

I don’t believe the branch is public. We typically build them as a single page JS app (Ember).
Take a look at Consul for an example. If you are interested, cc @pearkes on GitHub, Twitter, or IRC
for more pointers!

Best Regards,
Armon Dadgar

Gary Wright

May 12, 2015, 7:45:08 PM
to vault...@googlegroups.com, 00000zeros...@gmail.com
Hello Armon,

I have made it quite a bit farther and have enabled app-id auth, created a new app-id / user-id combo and assigned them to a policy.  I am now a bit confused about how the login endpoint works with the API to actually provide the app-id/user-id and obtain a token.

Currently if I perform a blank HTTP POST to:


I am getting the following back:

{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "auth": {
    "client_token": "0c9665ee-fa71-0575-7ea7-f89a7b62dad8",
    "policies": [],
    "metadata": {
      "app-id": "sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709",
      "user-id": "sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709"
    },
    "lease_duration": 2592000,
    "renewable": false
  }
}



If I attempt to post with the k/v app_id and user_id, I receive the following:

{
  "errors": [
    "invalid character 'a' looking for beginning of value"
  ]
}


Any pointers on how this HTTP verb is to be formed in order to properly authenticate?

Regards,
Gary


Armon Dadgar

May 13, 2015, 5:39:46 PM
to vault...@googlegroups.com, Gary Wright, 00000zeros...@gmail.com
Hey Gary,

After you hit the login endpoint, you get that “client_token” back. That token is then used
for future requests. (Provided as a cookie or X-Vault-Token header I believe, double check the docs).

Similar to a website, you must “login” first, and then the cookie is passed on every request
to indicate that you are logged in.

Hope that helps!

Best Regards,
Armon Dadgar


Al Mayer

May 14, 2015, 5:04:31 PM
to vault...@googlegroups.com
Gary,

I get that error (using curl to post data) if I forget to protect my JSON data from the shell.

i.e.,   curl -XPOST http://URL/v1/auth/app-id/login -d {"app_id":"foo", "user_id":"bar"}

will return a similar error, but works fine if you surround the data with single quotes:

i.e.,   curl -XPOST http://URL/v1/auth/app-id/login -d '{"app_id":"foo", "user_id":"bar"}'

That returns me a token (and other stuff).

Alas, the token doesn't seem to work for me (see other post).

Cheers,
-Al

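An added example, not code from this thread or from Vault itself, that walks the flow Al and Armon describe end to end: the login body has to reach the server as JSON (which is what the unquoted curl loses), the token comes back as auth.client_token, and every later request carries it in the X-Vault-Token header. The Vault address is a placeholder and the login response is constructed to match the one Gary pasted; the script builds the requests but sends nothing.

```python
import json
import urllib.request

VAULT_ADDR = "https://vault.example.internal:8200"  # placeholder, not a real host

# Constructed login response: same shape as the one pasted earlier in the thread.
SAMPLE_LOGIN_RESPONSE = json.dumps({
    "lease_id": "", "renewable": False, "lease_duration": 0, "data": None,
    "auth": {
        "client_token": "0c9665ee-fa71-0575-7ea7-f89a7b62dad8",
        "policies": [],
        "metadata": {"app-id": "sha1:<hash>", "user-id": "sha1:<hash>"},  # placeholders
        "lease_duration": 2592000, "renewable": False,
    },
})

def body_is_json(raw):
    """True if a request body parses as JSON. Without quotes the shell hands
    curl '{app_id:foo,' which is what triggers the 'invalid character' error."""
    try:
        json.loads(raw)
        return True
    except ValueError:
        return False

def login_request(app_id, user_id):
    """POST /v1/auth/app-id/login with the credentials as a JSON body."""
    body = json.dumps({"app_id": app_id, "user_id": user_id}).encode()
    return urllib.request.Request(
        VAULT_ADDR + "/v1/auth/app-id/login", data=body, method="POST",
        headers={"Content-Type": "application/json"})

def token_from_login(response_body):
    """Pull auth.client_token out of the login response, or fail on errors."""
    doc = json.loads(response_body)
    if doc.get("errors"):
        raise RuntimeError("login failed: " + "; ".join(doc["errors"]))
    return doc["auth"]["client_token"]

def authenticated_request(token, path, method="GET", payload=None):
    """Every later call (e.g. GET /v1/secret/foo) carries X-Vault-Token."""
    data = json.dumps(payload).encode() if payload is not None else None
    return urllib.request.Request(
        VAULT_ADDR + path, data=data, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
```

To run it for real, pass the Request objects to urllib.request.urlopen against your own Vault address and feed the login response body into token_from_login.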