start a dev server, possibly as a non-root user
root_token="unsafe-root-token"
vault server -dev -dev-root-token-id $root_token
then, from another terminal (the dev server stays in the foreground)
export VAULT_ADDR=http://localhost:8200
vault login
vault status
vault secrets list
you can now reach http://localhost:8200/ui/vault/dashboard and add secrets
let’s create two paths within the default secret engine, for testing
# policy will apply here
devops/ansible-secrets/fluentbit
log_http_user / TEST LOGIN
log_http_passwd / TEST PASSWORD
# policy won't apply here
devops/another
http_user / SOMETHING IS WRONG
prepare a policy, e.g. as follows
– note this is KV v2, hence the data/ segment in the path
vi ansible-secrets.hcl
# the trailing /* is what makes this match the children (devops/ansible-secrets/fluentbit)
# without matching devops/ansible-secrets itself – without it the path is an exact match
path "secret/data/devops/ansible-secrets/*" {
capabilities = ["read", "list"]
}
apply
vault policy write ansible-secrets ansible-secrets.hcl
create a specific token against that given policy
vault token create -policy=ansible-secrets -orphan
login with it
vault login
and you should be able to read only devops/ansible-secrets/*, not devops/another nor devops/ansible-secrets itself
vault kv get -mount=secret -format=json devops/ansible-secrets/fluentbit ==> OK
vault kv get -mount=secret -format=json devops/ansible-secrets ==> 403
vault kv get -mount=secret -format=json devops/another ==> 403
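to see why the policy path needs that trailing /* (and why it is secret/data/... and not secret/...), here is an added offline model of Vault’s policy path matching, written for this note rather than taken from Vault; it assumes a single-path policy, ignores capabilities, deny rules and most-specific-match ordering, and only models reads of the data/ path

```sh
#!/bin/sh
# Added example: offline model of Vault policy path matching, to show why the
# policy needs a trailing /* to cover devops/ansible-secrets/* but not the
# parent key itself. Not Vault's own code; it ignores capabilities, deny rules
# and most-specific-match ordering, and models reads of the data/ path only.
set -eu

# `vault kv get -mount=<mount> <key>` on a KV v2 mount hits <mount>/data/<key>,
# which is why the policy says secret/data/... and not secret/...
kv2_api_path() {   # $1 = mount, $2 = key
  printf '%s/data/%s\n' "$1" "$2"
}

# Vault rules: a policy path ending in * matches any request with that prefix;
# a + segment matches exactly one path segment; anything else is an exact match.
policy_matches() {   # $1 = policy path, $2 = request path; exit 0 when it matches
  pat=$1; req=$2
  case $pat in
    *\*) prefix=${pat%\*}
         case $req in "$prefix"*) return 0 ;; *) return 1 ;; esac ;;
  esac
  while [ -n "$pat" ] || [ -n "$req" ]; do   # compare segment by segment
    pseg=${pat%%/*}; rseg=${req%%/*}
    if [ "$pseg" = '+' ]; then
      [ -n "$rseg" ] || return 1             # + must stand in for a real segment
    elif [ "$pseg" != "$rseg" ]; then
      return 1
    fi
    case $pat in */*) pat=${pat#*/} ;; *) pat= ;; esac
    case $req in */*) req=${req#*/} ;; *) req= ;; esac
  done
  return 0
}

# Outcome `vault kv get -mount=$2 $3` gets under the single-path policy $1.
expected_outcome() {
  if policy_matches "$1" "$(kv2_api_path "$2" "$3")"; then echo OK; else echo 403; fi
}

# The three checks from above, against the policy path without and with /*
for key in devops/ansible-secrets/fluentbit devops/ansible-secrets devops/another; do
  printf '%-36s exact: %-4s with /*: %s\n' "$key" \
    "$(expected_outcome secret/data/devops/ansible-secrets secret "$key")" \
    "$(expected_outcome 'secret/data/devops/ansible-secrets/*' secret "$key")"
done
```

with the exact path the result matrix is inverted (the parent key reads OK and fluentbit gets 403), which is a quick way to tell a mistyped policy from a mistyped key before touching a real server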
that’s not enough though, as tokens are ephemeral (except the root token); you might need a permanent authentication method, e.g. for ansible runners
first, check the default ttls (the approle auth method has to be enabled first, see below)
vault read sys/auth/approle/tune
==> default_lease_ttl
==> max_lease_ttl
so if you have strict defaults, stick to those, e.g.
ttl=30m max=30m
otherwise go relaxed, e.g.
ttl=1h max=4h
and configure the approle to issue batch tokens with those ttls
vault auth enable approle
vault write auth/approle/role/ansible \
token_type=batch \
token_ttl=$ttl \
token_max_ttl=$max \
secret_id_ttl=0 \
secret_id_num_uses=0 \
token_policies=ansible-secrets
check
vault read auth/approle/role/ansible
now here’s your role id
vault read auth/approle/role/ansible/role-id
and here’s how to generate secret ids
vault write -f auth/approle/role/ansible/secret-id
check that auth works that way and that you can grab a token from the role
role_id=...
secret_id=...
cat <<EOF | curl -fsS -X POST $VAULT_ADDR/v1/auth/approle/login -d@- | jq -r '.auth.client_token'
{
"role_id": "$role_id",
"secret_id": "$secret_id"
}
EOF
and finally repeat the tests from above using that token
when you’re playing with an existing production vault, you can grab a token from the UI
Tools / API Explorer
sys/health
Execute
and then proceed as such
export VAULT_ADDR=https://...
vault login
https://developer.hashicorp.com/vault/tutorials/get-started/setup
https://developer.hashicorp.com/vault/docs/concepts/policies
https://developer.hashicorp.com/vault/docs/commands/token/create
https://developer.hashicorp.com/vault/docs/secrets/kv
https://stackoverflow.com/questions/66793510/vault-hashicorp-add-new-policy-to-existing-users-tokens
https://mattias.engineer/courses/vault/hello-world/ ==> nice
https://developer.hashicorp.com/vault/tutorials/get-started/learn-cli ==> vault token create from cli
https://discuss.hashicorp.com/t/how-to-generate-and-renew-vault-token-inside-docker-container/69432/2 ==> k8s auth renew token