Vault Quickstart: Difference between revisions

Carnold (talk | contribs)
No edit summary

Revision as of 13:28, 6 February 2023

CS Vault Quickstart Guide

This guide will give you an introduction to using the Computer Science vault. We will show you how to do things both in the web interface and through command line access.

Introduction

The CS vault is a secrets store based on HashiCorp Vault (https://www.vaultproject.io/). It allows you to securely store secrets such as passwords, certificates, and private keys. The data is stored encrypted and transmitted encrypted. It is all API driven, so it can be integrated easily into your applications.

Authentication

All access to the CS vault is made through temporary tokens. Generally you do not personally use a token to log into the service unless you are directly accessing the API. Either the vault agent command line or the web interface will manage the temporary tokens for you once you log in with another method.

  • We offer multiple authentication methods
  • Each method logs you into a separate identity that will have separate access levels even if the username is the same. For example, "carnold" logged in through CAS is not the same as "carnold" logged in through LDAP.

CAS

Using CAS login is the easiest way to log into the CS vault website at https://vault.enterprise.cs.vt.edu.

  • Select the CAS tab from the login screen
  • Click on "Sign in with OIDC Provider" and another window will open with the CS CAS login if needed.
  • CAS login can be used with command line interface as well
    • vault login -method=cas
    • It will give a URL that you need to open in a browser to finish the login

LDAP

You can use traditional CS username/password to log into CS Vault through the web interface or the command line interface.

  • LDAP is best suited for the command line interface
  • Vault policies can be applied to your LDAP login based on your LDAP group memberships -- for example a shared group secrets path

AppRole

We also provide Vault's AppRole authentication. Find out more about AppRole: https://developer.hashicorp.com/vault/docs/auth/approle

  • This method is meant as a systematic way for applications to access the vault API
  • Techstaff will have to create a unique AppRole login for each of your applications and apply policies based on your specific needs.
  • We recommend you use vault agent to manage your App's access to vault; this will greatly reduce the complexity of your application. See: https://developer.hashicorp.com/vault/docs/agent

Web Interface

Using the CS Vault web interface is the quickest and easiest way to get started using CS Vault.

Command Line Interface

Vault offers a command line interface. You will need to download a binary for your system to run it.

# Point the CLI at the CS vault server
export VAULT_ADDR=https://vault.enterprise.cs.vt.edu
# Log in with your CS username (the auth method is given as -method=ldap); you will be prompted for your password
vault login -method=ldap username=carnold
# List the secrets stored under your personal path
vault list personal/carnold

Example: Personal Vault

The CS vault by default will give your CAS and LDAP logins access to a personal secrets path at /personal/<username>. You can store any Key/Value items in this personal vault.

From Web Interface

  • Click on the Secrets tab at the top
  • Click on personal from the secrets list
  • Click on Create secret to create a new secret
  • Fill in Path for this secret with <username>/<my-secret-name> Example: carnold/printers
  • Fill in Secret data with any number of key = value pairs you want. The key is displayed in clear text and the value is kept secret.
  • Click on Save

From Command Line

This example assumes you have already installed the vault binary and logged into the CS vault with your personal account.

  • Create from JSON:
vault kv put personal/carnold/printers - <<EOF
{
  "username": "myuser",
  "password": "supersecret"
}
EOF
  • List keys for a path:

vault kv list personal/carnold

  • Display all values in a secret:

vault kv get personal/carnold/printers

Through API

The vault command is really just a wrapper for accessing the vault API. You can access the API directly using a tool such as curl.

  • The previous command can be run as a direct API call, for example:

curl -s --header "X-Vault-Token: $(cat ~/.vault-token)" -X GET https://vault.enterprise.cs.vt.edu/v1/personal/carnold/printers | jq '.data'
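As an added example (not from the wiki page and not HashiCorp's own tooling), the script below wraps the direct API call above so it can be reused safely from other scripts. It assumes the page's VAULT_ADDR, the token file that vault login writes to ~/.vault-token, a mount that answers at the /v1/personal/<user>/<name> path the page uses, and curl 7.55 or newer for the -H @file form. The function names kv_url, check_status and kv_get are this example's own.

```sh
#!/bin/sh
# Added example, not part of the CS Vault wiki page: a small wrapper around
# the direct API call shown above. Assumes the VAULT_ADDR from the page, a
# token file written by "vault login" (~/.vault-token), and a KV mount that
# answers at /v1/personal/<user>/<name> as in the page's curl example.
set -eu

VAULT_ADDR="${VAULT_ADDR:-https://vault.enterprise.cs.vt.edu}"
TOKEN_FILE="${VAULT_TOKEN_FILE:-${HOME:-/nonexistent}/.vault-token}"

# Compose the API URL for a secret path. Reject empty, absolute, ".." or
# whitespace-containing paths so a caller cannot be steered outside the
# expected mount by a badly formed argument.
kv_url() {
    case "$1" in
        ""|/*|*..*|*" "*)
            printf 'kv_url: invalid secret path: %s\n' "$1" >&2
            return 1 ;;
    esac
    printf '%s/v1/%s\n' "${VAULT_ADDR%/}" "$1"
}

# Map the HTTP status Vault returned to an exit code plus a hint.
# 200 is success; 403 usually means the temporary token expired or no
# policy grants this path; 404 means nothing is stored there.
check_status() {
    case "$1" in
        200) return 0 ;;
        403) echo 'vault: permission denied (token expired or no policy for this path); run vault login again' >&2
             return 1 ;;
        404) echo 'vault: no secret at that path' >&2
             return 1 ;;
        *)   echo "vault: unexpected HTTP status $1" >&2
             return 1 ;;
    esac
}

# Fetch a secret as JSON. The token is read from the file "vault login"
# wrote and handed to curl through a 0600 header file (-H @file), so it
# never appears on the command line where "ps" could show it to other
# users on the same host.
kv_get() {
    url=$(kv_url "$1") || return 1
    [ -r "$TOKEN_FILE" ] || {
        echo "vault: no token at $TOKEN_FILE; run vault login first" >&2
        return 1
    }
    hdr=$(mktemp)
    body=$(mktemp)
    chmod 600 "$hdr" "$body"
    printf 'X-Vault-Token: %s\n' "$(cat "$TOKEN_FILE")" >"$hdr"
    status=$(curl -sS -o "$body" -w '%{http_code}' -H @"$hdr" "$url") || {
        rm -f "$hdr" "$body"
        return 1
    }
    rm -f "$hdr"
    if check_status "$status"; then
        cat "$body"
        rm -f "$body"
    else
        rm -f "$body"
        return 1
    fi
}

# Usage: sh vault_get.sh personal/carnold/printers | jq '.data'
# With no argument the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    kv_get "$1"
fi
```

Compared with the one-line curl above, this version keeps the token out of the process list, checks the HTTP status instead of piping whatever came back into jq, and explains the 403 that users most often hit when their temporary token has expired.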

Why Use Vault?

Some of the advantages of using a service like CS vault to store your secrets:

  • Easier to use stronger, more complex passwords that do not have to be stored in plain text
  • Ability to securely share secrets with a group of users
  • Store all your secrets in one location
  • If your secrets are stored in one location and accessed dynamically, then you can quickly and easily rotate the secrets for improved security
  • Once properly set up, you can revoke access to secrets from Apps or clients that may be compromised
  • Vault provides an audit trail of exactly who has accessed which secrets