Tag: token

Admin Token for AppRole in Hashicorp Vault

Posted on by Bian Xi Leave a Comment on Admin Token for AppRole in Hashicorp Vault

Admin Token for AppRole in Hashicorp Vault

As suggested, root token should not be used, and it should be revoked immediately after used.

Root token

Follow the steps in page below to create a new root token and revoke it after used.

Generate a new root token for Hashicorp Vault

Admin token

For example, SSH secret engine, following admin policy can be created

vault policy write ssh-admin-policy - << EOF
# SSH secret engine
path "ssh-client-signer/sign/*" {
  capabilities = ["create", "read", "update", "delete", "sudo", "list" ]
}

# Mount the AppRole auth method
path "sys/auth/approle" {
  capabilities = [ "create", "read", "update", "delete", "sudo" ]
}

# Configure the AppRole auth method
path "sys/auth/approle/*" {
  capabilities = [ "create", "read", "update", "delete" ]
}

# Create and manage roles
path "auth/approle/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# Write ACL policies
path "sys/policies/acl/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

##### Add other requirement if required. For example
# Write test data
# Set the path to "secret/data/mysql/*" if you are running `kv-v2`
path "secret/mysql/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
EOF

Then create token under this policy

vault token create -field token -policy=ssh-admin-policy

The using this token follow the steps in page below:

Signed SSH Certificates using Hashicorp Vault in Practice

  • Generate role_id and secret_id
  • Login using role_id and secret_id
  • Generate SSH policy token
  • Use SSH policy token to generate signed public key
  • Use the signed public key and private key to login to remote system

Renew token itself

To get renew token before expired, run following command

vault token renew

The expire time can be view using following command

vault token lookup

References

Tokens
AppRole Pull Authentication

Generate a new root token for Hashicorp Vault

Posted on by Bian Xi Leave a Comment on Generate a new root token for Hashicorp Vault

Generate a new root token for Hashicorp Vault

To generate a new root token without old token.

Steps

  • run shell in vault docker
$ docker exec -it vault sh
  • Unseal if haven't
$ vault operator unseal
  • Get Nonce and OTP
$ vault operator generate-root -init
Nonce         15565c79-cc9e-5e64b986-8506e7bd1918
...
OTP           mOXx7iVimjE6LXQ2Zna6NA==
...
  • Provide unseal key to retrieve Encoded Token

Note: Beware of last -.

echo $UNSEAL_KEY | vault operator generate-root -nonce=f67f4da3... -

Note: run vault operator generate-root only, will show nonce key.

The last person will get Encoded Token

Encoded Token    IxJpyqxn3YafOGhqhvP6cQ==
  • Get root token
vault operator generate-root \  -decode=IxJpyqxn3YafOGhqhvP6cQ== \  -otp=mOXx7iVimjE6LXQ2Zna6NA==

Revoke token

Note: The root token can be used to revoke itself.

Revoke a token and all the token's children:

$ vault token revoke 96ddf4bc-d217-f3ba-f9bd-017055595017Success! Revoked token (if it existed)

Revoke a token leaving the token's children:

$ vault token revoke -mode=orphan 96ddf4bc-d217-f3ba-f9bd-017055595017Success! Revoked token (if it existed)

Revoke a token by accessor:

$ vault token revoke -accessor 9793c9b3-e04a-46f3-e7b8-748d7da248daSuccess! Revoked token (if it existed)

References

Generate Root Tokens Using Unseal Keys
token revoke