Tag: admin

Admin Token for AppRole in Hashicorp Vault

Admin Token for AppRole in Hashicorp Vault

As suggested, root token should not be used, and it should be revoked immediately after used.

Root token

Follow the steps in page below to create a new root token and revoke it after used.

Generate a new root token for Hashicorp Vault

Admin token

For example, SSH secret engine, following admin policy can be created

vault policy write ssh-admin-policy - << EOF
# SSH secret engine
path "ssh-client-signer/sign/*" {
  capabilities = ["create", "read", "update", "delete", "sudo", "list" ]
}

# Mount the AppRole auth method
path "sys/auth/approle" {
  capabilities = [ "create", "read", "update", "delete", "sudo" ]
}

# Configure the AppRole auth method
path "sys/auth/approle/*" {
  capabilities = [ "create", "read", "update", "delete" ]
}

# Create and manage roles
path "auth/approle/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# Write ACL policies
path "sys/policies/acl/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

##### Add other requirement if required. For example
# Write test data
# Set the path to "secret/data/mysql/*" if you are running `kv-v2`
path "secret/mysql/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
EOF

Then create token under this policy

vault token create -field token -policy=ssh-admin-policy

The using this token follow the steps in page below:

Signed SSH Certificates using Hashicorp Vault in Practice

  • Generate role_id and secret_id
  • Login using role_id and secret_id
  • Generate SSH policy token
  • Use SSH policy token to generate signed public key
  • Use the signed public key and private key to login to remote system

Renew token itself

To get renew token before expired, run following command

vault token renew

The expire time can be view using following command

vault token lookup

References

Tokens
AppRole Pull Authentication