Vault is an identity-based secrets and encryption management system. A secret is anything that you want to tightly control access to, such as API encryption keys, passwords, or certificates. Vault provides encryption services that are gated by authentication and authorization methods.
I’m assuming you already have a Vault set up, maybe by another department, so I’m not going to cover that, just how to get your secret out of Vault.
To access a Vault you need to set some variables:-
- the address of the Vault itself (an https URL),
- the namespace (if you don’t know what a namespace is, there is an explanation below this list),
- a Vault token to access the Vault.
What is a Namespace
Namespaces are isolated environments that functionally exist as “Vaults within a Vault.” They have separate login paths and support creating and managing data isolated to their namespace. This data includes the following: secrets engines, auth methods, and ACL, EGP and RGP policies. Namespaces are a Vault Enterprise (and HCP Vault) feature; the open-source edition has only the root namespace, so there you leave VAULT_NAMESPACE unset.
What to do
Set these variables below
Linux
export VAULT_ADDR=https://vault.company.com
export VAULT_NAMESPACE=nonprod/namespace
export VAULT_TOKEN=$(vault login -method ldap -token-only username=$username password=$password)
Windows
$Env:VAULT_ADDR="https://vault.company.com"
$Env:VAULT_NAMESPACE="nonprod/namespace"
$Env:VAULT_TOKEN=$(./vault login -method ldap -token-only username=$username password=$password)
Both the Linux and Windows snippets set environment variables, which is where the HashiCorp Vault CLI looks for its configuration: VAULT_ADDR, VAULT_NAMESPACE and VAULT_TOKEN. The first two lines set the URL of the Vault that holds your secret and the namespace to authenticate against. The third line runs a Vault login with the LDAP auth method and, because of -token-only, prints just the resulting token, which is captured into VAULT_TOKEN and used by every later vault command in that shell. Note that the username and password come from two further variables. You could set those as environment variables too, but from a security point of view that is poor: anything passed as password=... on the command line is visible in the process list (ps) and ends up in your shell history. If you leave password= out, the vault CLI prompts for it and hides what you type, which is the better option for interactive use.
Linux
You can add the following snippet to your ~/.bashrc to simplify logging into Vault (one function per environment, each setting the three variables):
function vault_login_nonprod() {
export VAULT_NAMESPACE=nonprod/namespace
export VAULT_ADDR=https://vaultnp.company.com
export VAULT_TOKEN=$(vault login -method ldap -token-only username=$yourusername password=$yourpassword)
}
function vault_login_prod() {
export VAULT_NAMESPACE=prod/namespace
export VAULT_ADDR=https://vault.company.com
export VAULT_TOKEN=$(vault login -method ldap -token-only username=$yourusername password=$yourpassword)
}
Windows
Add the following snippet to your PowerShell profile (the file $PROFILE points to). PowerShell has no export; environment variables are set through $Env: as in the earlier Windows example.
function vault_login_nonprod {
$Env:VAULT_NAMESPACE="nonprod/namespace"
$Env:VAULT_ADDR="https://vaultnp.company.com"
$Env:VAULT_TOKEN=$(vault login -method ldap -token-only username=$yourusername password=$yourpassword)
}
function vault_login_prod {
$Env:VAULT_NAMESPACE="prod/namespace"
$Env:VAULT_ADDR="https://vault.company.com"
$Env:VAULT_TOKEN=$(vault login -method ldap -token-only username=$yourusername password=$yourpassword)
}
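The login helpers above put the LDAP password into a dotfile and onto the command line. The following is an added example, not code from the original post, of the same helpers written so the password is never stored or passed as an argument: the vault CLI prompts for it. It covers both the variable setup earlier and the ~/.bashrc functions. It assumes the vault binary is in PATH and that the LDAP auth method is mounted at its default path (ldap/); the hostnames and namespace names are the post’s placeholders.

```bash
# Added example (not code from the original post): a login helper to put in
# ~/.bashrc or a file you `source`. Hostnames and namespaces are the
# placeholders used in the post; replace them with your own.

# Point VAULT_ADDR and VAULT_NAMESPACE at the right Vault for an environment.
vault_select_env() {
  case "$1" in
    nonprod) export VAULT_ADDR=https://vaultnp.company.com VAULT_NAMESPACE=nonprod/namespace ;;
    prod)    export VAULT_ADDR=https://vault.company.com   VAULT_NAMESPACE=prod/namespace ;;
    *) echo "vault_select_env: unknown environment '$1' (use nonprod or prod)" >&2; return 1 ;;
  esac
}

# Refuse a plain-http Vault address (the token and every secret would cross
# the network in clear text) and insist on a namespace, since without one the
# CLI talks to the root namespace instead of the one your policies live in.
vault_env_check() {
  case "${VAULT_ADDR:-}" in
    https://*) ;;
    *) echo "vault_env_check: VAULT_ADDR must be an https:// URL" >&2; return 1 ;;
  esac
  if [ -z "${VAULT_NAMESPACE:-}" ]; then
    echo "vault_env_check: VAULT_NAMESPACE is not set" >&2
    return 1
  fi
}

# LDAP login. The password is deliberately not passed as password=...; the
# vault CLI prompts for it (hidden), so it never lands in `ps` output, in
# ~/.bash_history or in this file. The token is exported only for this shell.
vault_ldap_login() {
  local user="${1:-${USER:-}}" token
  vault_env_check || return 1
  token=$(vault login -method=ldap -token-only username="$user") || return 1
  export VAULT_TOKEN="$token"
  # Prove the token works without ever printing it.
  vault token lookup >/dev/null && echo "logged in to $VAULT_NAMESPACE at $VAULT_ADDR"
}

# Forget the token when you are done with it.
vault_logout() { unset VAULT_TOKEN; }

# Wrappers with the names used in the post.
vault_login_nonprod() { vault_select_env nonprod && vault_ldap_login "$@"; }
vault_login_prod()    { vault_select_env prod    && vault_ldap_login "$@"; }
```

Source the file, run vault_login_nonprod jsmith and type the password at the prompt. If your LDAP method is mounted somewhere other than ldap/, add -path=<mount> to the vault login call. Because VAULT_TOKEN is an environment variable it is inherited by every child process of the shell; if you would rather not have that, drop -token-only (and add -no-print) so the CLI stores the token in ~/.vault-token, a file it creates with mode 0600 and reads whenever VAULT_TOKEN is unset.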
Context:-
To give the example below some context, imagine you have a Vault with a namespace called “project101”. In that namespace there is a Key/Value secrets engine mounted at “projectkv”. In it there is a secret called “packageapp”, and inside that secret is a key “pacpassword” whose value is “password123”. To follow the example you would set VAULT_NAMESPACE=project101 (rather than the nonprod/namespace used earlier); the namespace is selected by that variable and is not part of the path you give to vault kv get.
VAULT
Namespace | Key-Value engine | secret | secret key | secret value
project101 | projectkv | packageapp | pacpassword | password123
PATH TO SECRET
namespace project101 (from VAULT_NAMESPACE), then projectkv/packageapp on the command line; the key pacpassword holds password123
Using Bash or PowerShell, to read the secret type:-
vault kv get projectkv/packageapp
This prints the whole secret as a table: every key/value pair in it (and, on a version 2 KV engine, its version metadata), so here you will see pacpassword with the value “password123”.
If there is more than one key/value pair in the secret and you only want one of the values, use -field. Say we add a second key “pacusername” with the value “admin” to the same secret. The command above still works and now shows both pairs:
vault kv get projectkv/packageapp
This displays both “password123” and “admin”.
To get only one value, name its key with -field. The output is then the bare value and nothing else, which is what you want when capturing it in a variable or piping it to another program:
vault kv get -field=pacusername projectkv/packageapp
vault kv get -field=pacpassword projectkv/packageapp
TO OUTPUT AS JSON
vault kv get -format json -field=pacpassword projectkv/packageapp
With -field the JSON formatting applies to that one value only. Leave -field off to get the whole secret, data and metadata, as a JSON document, which is the form to use if you are going to parse the result with a tool such as jq.
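Reading a value with -field is only half the job; the other half is handing it to an application without leaking it. The following is an added example, not code from the original post, of a small script that fetches one field with vault kv get -field, validates the path segments so a name cannot be misread as a CLI flag, and passes the value on through the environment or a 0600 file rather than on a command line. It assumes VAULT_ADDR, VAULT_NAMESPACE and VAULT_TOKEN are already set as described above and that vault is in PATH; the mount, secret and field names are the ones from the example table.

```bash
# Added example (not code from the original post): fetch one field of a KV
# secret and hand it to an application without exposing it in argv or shell
# history. Assumes VAULT_ADDR, VAULT_NAMESPACE and VAULT_TOKEN are set as
# above and that the vault binary is in PATH.

# Accept only names that are safe as path segments: no empty string, no "." or
# "..", no "/", and nothing starting with "-" (the vault CLI would read that as
# a flag).
kv_name_ok() {
  case "$1" in
    ""|.|..|-*|*/*|*[![:alnum:]._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the "<mount>/<secret>" argument for `vault kv get`. The namespace is
# not part of it; it comes from VAULT_NAMESPACE.
kv_path() {
  if ! kv_name_ok "$1" || ! kv_name_ok "$2"; then
    echo "kv_path: bad mount or secret name" >&2
    return 1
  fi
  printf '%s/%s\n' "$1" "$2"
}

# Print exactly one field of a secret to stdout so the caller can capture it
# with $(...). Error messages go to stderr and never contain the value.
kv_field() {
  local path
  path=$(kv_path "$1" "$2") || return 1
  if ! kv_name_ok "$3"; then
    echo "kv_field: bad field name" >&2
    return 1
  fi
  vault kv get -field="$3" "$path"
}

# For programs that insist on a password file: write stdin to a file readable
# only by the current user. The caller is responsible for deleting it.
write_secret_file() {
  ( umask 077 && cat > "$1" ) || return 1
  chmod 600 "$1"
}

# Run a command with the secret in its environment rather than on its command
# line, where `ps` and shell history would show it.
run_with_secret() {
  local var="$1" value="$2"
  shift 2
  env "$var=$value" "$@"
}

# Usage: sh get_secret.sh projectkv packageapp pacpassword
main() {
  local value tmp
  value=$(kv_field "$1" "$2" "$3") || exit 1
  tmp=$(mktemp) || exit 1
  trap "rm -f '$tmp'" EXIT
  printf '%s' "$value" | write_secret_file "$tmp"
  # Stand-in for the real application: it only reports the length it received.
  run_with_secret PAC_PASSWORD "$value" sh -c 'echo "received ${#PAC_PASSWORD} characters"'
}

# Only run when invoked with the three names; sourcing the file just defines
# the functions.
if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

The validation in kv_name_ok is there because a secret or field name that begins with a dash would be parsed as an option by the vault CLI rather than as a path; rejecting it up front gives a clear error instead of a confusing one.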
That’s it, job done!