Vault

Accessing secrets from HashiCorp Vault

Vault is an identity-based secrets and encryption management system. A secret is anything that you want to tightly control access to, such as API keys, encryption keys, passwords, or certificates. Vault provides encryption services that are gated by authentication and authorization methods.

I’m assuming you already have a Vault set up, perhaps by another department, so I’m not going to cover installing or configuring it, just how to get your secret out of it.

To access a Vault you need to set some variables:-

  • the address of the Vault itself, which is an https URL,
  • the Namespace (if you don’t know what a namespace is, there is an explanation below this list),
  • a Vault token, obtained by logging in, that authorises your access to the Vault.

What is a Namespace

Namespaces are isolated environments that functionally exist as “Vaults within a Vault.” They have separate login paths and support creating and managing data isolated to their namespace. This data includes secrets engines, auth methods, and ACL, EGP and RGP policies. Namespaces are a Vault Enterprise feature (HCP Vault has them too); open-source Vault only has the root namespace, so leave VAULT_NAMESPACE unset there. Paths are relative to the namespace you are in: with VAULT_NAMESPACE=nonprod/namespace, a request for projectkv/packageapp is routed to nonprod/namespace/projectkv/packageapp.

What to do

Set these variables below

Linux

export VAULT_ADDR=https://vault.company.com
export VAULT_NAMESPACE=nonprod/namespace
export VAULT_TOKEN=$(vault login -method ldap -token-only username=$username password=$password)

Windows

$Env:VAULT_ADDR="https://vault.company.com"
$Env:VAULT_NAMESPACE="nonprod/namespace"
$Env:VAULT_TOKEN=$(./vault login -method ldap -token-only username=$username password=$password)

Both the Linux and Windows snippets set environment variables; these are what the Vault CLI reads: VAULT_ADDR, VAULT_NAMESPACE and VAULT_TOKEN. The first two lines set the URL of the Vault that holds the secret and the Namespace to authenticate against. The third runs a Vault login with the LDAP auth method and captures the resulting token for all further calls; -token-only prints just the token and does not write it to ~/.vault-token, which a plain vault login does by default. Note the username and password are themselves variables. They can be set as environment variables, but that is not the best from a security point of view: the password goes on the vault command line (visible in the process list while the login runs), ends up in the shell history if you type it literally, and an exported variable is inherited by every child process. If you leave out password=... altogether, the CLI prompts for it on the terminal, which avoids all three. One more catch: export VAULT_TOKEN=$(...) always succeeds, so a failed login silently leaves VAULT_TOKEN empty and you only find out at the first vault kv get.

Linux

You can add the following snippet to your bashrc to simplify logging into Vault.

function vault_login_nonprod() {
    export VAULT_NAMESPACE=nonprod/namespace
    export VAULT_ADDR=https://vaultnp.company.com
    # $yourusername and $yourpassword are placeholders for variables you
    # have set elsewhere; drop password=... to be prompted for it instead.
    export VAULT_TOKEN=$(vault login -method ldap -token-only username="$yourusername" password="$yourpassword")
}

function vault_login_prod() {
    export VAULT_NAMESPACE=prod/namespace
    export VAULT_ADDR=https://vault.company.com
    export VAULT_TOKEN=$(vault login -method ldap -token-only username="$yourusername" password="$yourpassword")
}

Windows

Add the following snippet to your PowerShell profile. Note that PowerShell sets environment variables with $Env:NAME=..., not with export, which is a bash keyword.

function vault_login_nonprod {
    $Env:VAULT_NAMESPACE="nonprod/namespace"
    $Env:VAULT_ADDR="https://vaultnp.company.com"
    # $yourusername and $yourpassword are placeholders for variables you
    # have set elsewhere; drop password=... to be prompted for it instead.
    $Env:VAULT_TOKEN=$(vault login -method ldap -token-only username=$yourusername password=$yourpassword)
}

function vault_login_prod {
    $Env:VAULT_NAMESPACE="prod/namespace"
    $Env:VAULT_ADDR="https://vault.company.com"
    $Env:VAULT_TOKEN=$(vault login -method ldap -token-only username=$yourusername password=$yourpassword)
}
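The same login helper, written the way I would put it in a .bashrc: this is an added example, not code from the original page. It assumes the vault CLI is on PATH and that the LDAP auth method is mounted at its default path “ldap” (use -path=... otherwise); the hostnames and namespaces are the page’s placeholders. It differs from the snippet above in three ways: no password=... argument, so the CLI prompts on the terminal and the password never reaches the environment, history or process list; the token is captured into a local first so a failed login is reported rather than hidden by export; and the token is checked with vault token lookup before it is relied on.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): a .bashrc login helper that
# keeps the LDAP password out of environment variables, shell history and
# `ps` output. Assumes the vault CLI is on PATH and LDAP auth is mounted at
# the default path "ldap"; hostnames and namespaces are placeholders.

# Usage: vault_login <prod|nonprod> [username]   (username defaults to $USER)
vault_login() {
  local envname="$1" user="${2:-$USER}" token
  case "$envname" in
    prod)
      export VAULT_ADDR="https://vault.company.com"
      export VAULT_NAMESPACE="prod/namespace" ;;
    nonprod)
      export VAULT_ADDR="https://vaultnp.company.com"
      export VAULT_NAMESPACE="nonprod/namespace" ;;
    *)
      echo "vault_login: unknown environment '$envname' (expected prod or nonprod)" >&2
      return 2 ;;
  esac

  # No password=... argument: the CLI prompts for it on the terminal, so the
  # password never appears in $HISTFILE, in `ps`, or in an environment
  # variable. -token-only prints just the token and skips ~/.vault-token.
  # Capturing into a local first preserves the exit status; the
  # `export VAULT_TOKEN=$(...)` form always succeeds even when login fails.
  if ! token=$(vault login -method=ldap -token-only "username=$user"); then
    unset VAULT_TOKEN
    echo "vault_login: LDAP login to $VAULT_ADDR in $VAULT_NAMESPACE failed" >&2
    return 1
  fi
  if [ -z "$token" ]; then
    echo "vault_login: login returned an empty token" >&2
    return 1
  fi
  export VAULT_TOKEN="$token"

  # Verify the token is usable in this namespace before anything relies on it.
  if ! vault token lookup >/dev/null; then
    unset VAULT_TOKEN
    echo "vault_login: token lookup failed; VAULT_TOKEN cleared" >&2
    return 1
  fi
  echo "vault_login: logged in to $VAULT_NAMESPACE at $VAULT_ADDR" >&2
}

# Forget the token in this shell. The server-side token stays valid until its
# TTL expires unless you run `vault token revoke -self` first.
vault_logout() {
  unset VAULT_TOKEN
}
```

Call it as vault_login nonprod or vault_login prod alice; the prompt comes from the vault CLI itself, on stderr, so it is not swallowed by the command substitution.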

Context:-

To give the example below some context, imagine you have a Vault with a namespace called “project101“ directly under the root.

In the project101 namespace there is a Key/Value secrets engine mounted at “projectkv“.

In it there is a secret at the path “packageapp“ containing one key/value pair: key = “pacpassword“, value = “password123“.

VAULT
Namespace  | Key-Value engine | secret     | secret key  | secret value
project101 | projectkv        | packageapp | pacpassword | password123

PATH TO SECRET
namespace : project101            (selected by VAULT_NAMESPACE, not written in the path)
path      : projectkv/packageapp  (a KV version 2 engine stores this under projectkv/data/packageapp, but the vault kv command adds the data/ segment for you)
key       : pacpassword  ->  password123

Using Bash or PowerShell, with VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE=project101 set as above, type:-

vault kv get projectkv/packageapp

This prints the secret’s keys and values as a table (on a KV version 2 engine a metadata block with the version and creation time comes first), so you will see pacpassword next to the value “password123“.

If there is more than one key/value pair in the secret, the same command shows all of them. Say, for example, we added the key “pacusername“ with the value “admin“ to the secret. Running the same command as above:

vault kv get projectkv/packageapp

now displays both values, “password123“ and “admin“.

To get just one of the values, use -field. It prints the bare value with no table or metadata and exits non-zero if the key does not exist, which is what you want in scripts:

vault kv get -field=pacusername projectkv/packageapp
vault kv get -field=pacpassword projectkv/packageapp

TO OUTPUT AS JSON
vault kv get -format=json -field=pacpassword projectkv/packageapp

With -field this prints just that one value, JSON-encoded. Drop -field to get the whole secret as JSON for parsing in a script; the values then sit under .data.data on a KV version 2 engine and under .data on KV version 1.
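A script that reads a secret should not trust whatever vault kv get prints. The following is an added example, not code from the original page: it wraps the -field retrieval above so that a missing key, a denied read or an empty value makes the caller fail rather than carry on with an empty credential, and it hands the value to a program through that child’s environment only, instead of exporting it into the interactive shell. It assumes VAULT_ADDR, VAULT_NAMESPACE and VAULT_TOKEN are already set and that projectkv/packageapp holds the pacusername and pacpassword keys from the example; ./deploy.sh is a placeholder consumer.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): read one key from a KV secret
# with the checks a script needs, and pass it to a program without exporting
# it into the calling shell. Assumes VAULT_ADDR, VAULT_NAMESPACE and
# VAULT_TOKEN are set and that projectkv/packageapp holds the pacusername
# and pacpassword keys used on the page.

# vault_kv_field <mount/path> <key>
# Prints the value of <key> on stdout and returns 0. Returns non-zero and
# prints nothing on stdout when the secret or key is missing, the read is
# denied, or the value is empty, so callers fail closed.
vault_kv_field() {
  local path="$1" key="$2" value
  if [ -z "$path" ] || [ -z "$key" ]; then
    echo "usage: vault_kv_field <mount/path> <key>" >&2
    return 2
  fi
  # -field prints only the bare value (no table, no metadata). A key that is
  # not in the secret makes the CLI exit non-zero with an error on stderr.
  if ! value=$(vault kv get -field="$key" "$path"); then
    echo "vault_kv_field: cannot read key '$key' from $path" >&2
    return 1
  fi
  if [ -z "$value" ]; then
    echo "vault_kv_field: key '$key' at $path is empty" >&2
    return 1
  fi
  printf '%s\n' "$value"
}

# with_kv_secret <mount/path> <key> <VAR> <command...>
# Runs <command> with the secret in environment variable <VAR> of that child
# process only. The export happens in a subshell that then execs the command,
# so nothing lands in the calling shell's environment and the value never
# appears on a command line where `ps` could see it.
with_kv_secret() {
  if [ $# -lt 4 ]; then
    echo "usage: with_kv_secret <mount/path> <key> <VAR> <command...>" >&2
    return 2
  fi
  local path="$1" key="$2" var="$3" value
  shift 3
  value=$(vault_kv_field "$path" "$key") || return 1
  ( export "$var=$value"; exec "$@" )
}

# Example use (./deploy.sh is a placeholder that reads PAC_PASS):
#   with_kv_secret projectkv/packageapp pacpassword PAC_PASS ./deploy.sh
```

Because vault_kv_field writes nothing to stdout on failure, a caller doing PASS=$(vault_kv_field ...) || exit 1 cannot end up with an empty password and keep going; the error text goes to stderr where it belongs.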

That’s it, job done!