Achieving SecOps on Cloud using OpenSource Tools - Part 2

Published on November 26, 2021

Vault installation using Docker:

  • Install the latest version of Docker on Ubuntu

sudo apt-get update # Update the apt package index
sudo apt-get install apt-transport-https ca-certificates curl software-properties-common # Install packages to allow apt to use a repository over HTTPS
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - # Add Docker's official GPG key
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" # Add the stable Docker repository so docker-ce can be found
sudo apt-get update # Update the apt package index again so the new repository is visible
sudo apt-get install docker-ce # Install Docker Engine

  • Vault configuration file

vi -p path_to_vault/vault/config/local.json
{
  "ui": true,
  "listener": [{
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_disable": 1
    }
  }],
  "storage": {
    "file": {
      "path": "/vault/data"
    }
  },
  "max_lease_ttl": "10h",
  "default_lease_ttl": "10h"
}
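As an added example (not from the original post), a small checker that reads a Vault server config like the local.json above and reports the settings that matter once the server leaves the lab: TLS disabled, a listener on every interface, and single-node file storage. The hardened variant's address, certificate paths and node_id are assumed values.

```python
import json

# The page's local.json, reproduced here as constructed input (not read from a live host).
PAGE_CONFIG = json.loads("""
{
  "ui": true,
  "listener": [{"tcp": {"address": "0.0.0.0:8200", "tls_disable": 1}}],
  "storage": {"file": {"path": "/vault/data"}},
  "max_lease_ttl": "10h",
  "default_lease_ttl": "10h"
}
""")

# Hardened variant: TLS on, bound to one private interface, HA-capable storage (assumed values).
HARDENED_CONFIG = {
    "ui": True,
    "listener": [{"tcp": {
        "address": "10.0.0.10:8200",              # assumed private address, not every interface
        "tls_cert_file": "/vault/tls/vault.crt",   # assumed paths; the files must exist on the host
        "tls_key_file": "/vault/tls/vault.key",
        "tls_min_version": "tls12",
    }}],
    "storage": {"raft": {"path": "/vault/data", "node_id": "vault-1"}},
    "api_addr": "https://10.0.0.10:8200",
    "cluster_addr": "https://10.0.0.10:8201",
    "max_lease_ttl": "10h",
    "default_lease_ttl": "10h",
}

def _truthy(value):
    """Vault accepts tls_disable as 1, true or "true"; treat all of them as enabled."""
    return str(value).lower() in ("1", "true")

def check_vault_config(cfg):
    """Return [(severity, message)] for the weak settings in a Vault server config."""
    findings = []
    for listener in cfg.get("listener", []):
        tcp = listener.get("tcp", {})
        addr = tcp.get("address", "")
        if _truthy(tcp.get("tls_disable", 0)):
            findings.append(("high", f"{addr}: tls_disable is set, tokens and secrets cross the wire in cleartext"))
        elif not (tcp.get("tls_cert_file") and tcp.get("tls_key_file")):
            findings.append(("high", f"{addr}: TLS is on but no certificate/key is configured"))
        if addr.startswith(("0.0.0.0:", "[::]:")):
            findings.append(("medium", f"{addr}: listener bound to every interface, restrict it"))
    if "file" in cfg.get("storage", {}):
        findings.append(("medium", "file storage is single-node only; use raft or consul for HA"))
    return findings
```

Running check_vault_config(PAGE_CONFIG) yields one high and two medium findings; the hardened config yields none.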

# Run Vault in dev mode (in-memory storage, starts unsealed with the given root token)
sudo docker run --cap-add=IPC_LOCK -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:1234' vault

# Run Vault in server mode with the config directory bind-mounted
sudo docker run -d -v path_to_vault/vault:/vault --cap-add IPC_LOCK -p 0.0.0.0:8200:8200 vault server

# Run Vault without a bind mount - passing the Vault config via an environment variable
sudo docker run -d --cap-add IPC_LOCK -p 0.0.0.0:8200:8200 -e 'VAULT_LOCAL_CONFIG={ "ui":true, "listener": [{ "tcp": { "address": "0.0.0.0:8200", "tls_disable" : 1 } }], "storage" :{ "file" : { "path" : "/vault/data" } }, "max_lease_ttl": "10h", "default_lease_ttl": "10h" }' vault server

ref: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

  • Within the Container

sudo docker exec -it containerid sh
export VAULT_ADDR='http://127.0.0.1:8200'
vault operator init
vault status
# Unseal Vault with any three of the five unseal keys generated by init
vault operator unseal unseal_key_1
vault operator unseal unseal_key_2
vault operator unseal unseal_key_3

# Login to Vault with the initial root token printed by init
vault login root-auth-token
vault auth list
vault policy list
vault secrets list

# Enable audit logs - Access Detection
vault audit enable file file_path=/vault/vault_audit.log

# Seal Vault if the system is compromised - Break Glass Procedure
vault operator seal
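Enabling the file audit device gives you one JSON object per request and per response; as an added example (not part of the original post), here is a detection pass over a few constructed audit entries that flags root-token reads of secrets, bursts of permission-denied errors from one address, and changes to the audit, seal or policy endpoints that would precede or accompany a compromise. The addresses, paths and threshold are assumed.

```python
import json
from collections import Counter

# Constructed entries in the format Vault's file audit device writes (one JSON object per line).
AUDIT_LINES = """\
{"time":"2021-11-26T10:00:01Z","type":"response","auth":{"display_name":"app-reader","policies":["default","app-read"]},"request":{"operation":"read","path":"secret/data/hello","remote_address":"10.0.0.7"}}
{"time":"2021-11-26T10:00:05Z","type":"response","auth":{"display_name":"token","policies":["root"]},"request":{"operation":"read","path":"secret/data/mysql_database_credentials","remote_address":"10.0.0.5"}}
{"time":"2021-11-26T10:00:09Z","type":"response","auth":{"display_name":"app-reader","policies":["default","app-read"]},"request":{"operation":"read","path":"database/creds/readonly","remote_address":"10.0.0.9"},"error":"1 error occurred:\\n\\t* permission denied\\n\\n"}
{"time":"2021-11-26T10:00:10Z","type":"response","auth":{"display_name":"app-reader","policies":["default","app-read"]},"request":{"operation":"read","path":"aws/creds/my-role","remote_address":"10.0.0.9"},"error":"1 error occurred:\\n\\t* permission denied\\n\\n"}
{"time":"2021-11-26T10:00:11Z","type":"response","auth":{"display_name":"app-reader","policies":["default","app-read"]},"request":{"operation":"read","path":"cubbyhole/my-secret","remote_address":"10.0.0.9"},"error":"1 error occurred:\\n\\t* permission denied\\n\\n"}
{"time":"2021-11-26T10:00:20Z","type":"response","auth":{"display_name":"token","policies":["root"]},"request":{"operation":"update","path":"sys/audit/file","remote_address":"10.0.0.5"}}
"""

# Paths whose modification weakens visibility or availability (audit, seal, policy, rekey).
SENSITIVE_SYS = ("sys/audit", "sys/seal", "sys/unseal", "sys/policies", "sys/policy", "sys/rekey")
DENIED_THRESHOLD = 3  # assumed: permission-denied errors from one address before alerting

def detect(lines):
    """Run three detections over audit entries and return a list of (rule, detail) alerts."""
    alerts, denied = [], Counter()
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        entry = json.loads(raw)
        if entry.get("type") != "response":  # each request is logged twice; the response entry carries the error
            continue
        req, auth = entry.get("request", {}), entry.get("auth") or {}
        path, addr = req.get("path", ""), req.get("remote_address", "?")
        if "root" in auth.get("policies", []) and not path.startswith("sys/"):
            alerts.append(("root-token-secret-access", f"{addr} {req.get('operation')} {path} with a root token"))
        if path.startswith(SENSITIVE_SYS):
            alerts.append(("audit-or-seal-change", f"{addr} {req.get('operation')} {path}"))
        if "permission denied" in (entry.get("error") or ""):
            denied[addr] += 1
            if denied[addr] == DENIED_THRESHOLD:
                alerts.append(("permission-denied-burst", f"{addr} reached {DENIED_THRESHOLD} denials, last on {path}"))
    return alerts
```

Point detect() at the contents of /vault/vault_audit.log to run the same rules over a real device's output.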

  • Playing with Vault CLI (Vault adhocs)

# Secrets Engine
vault write secret/mysql_database_credentials username=user1 password=userpassword888
vault read secret/mysql_database_credentials
vault read -format=json secret/mysql_database_credentials
vault kv put secret/hello foo=world1
vault kv get secret/hello
vault kv delete secret/hello

# Writing data
vault kv put secret/password value=itsasecret

# STDIN
# JSON Object
echo -n '{"value":"itsasecret"}' | vault kv put secret/password -
# Read value directly from STDIN
echo -n "itsasecret" | vault kv put secret/password value=-

# Files
vault kv put secret/password @data.json
vault kv put secret/password value=@data.txt

# Reading Data
vault kv get secret/password

# Get specific version
vault kv get -version=2 secret/password

# Move secrets to a new path
vault secrets move secret/ hello/

# Create new secret path
vault secrets enable -path=newkv kv

# Operation on the new secret path
vault kv put newkv/my-secret my-value=s3cr3t
vault kv get newkv/my-secret
vault kv list newkv/
vault kv delete newkv/my-secret
vault secrets disable newkv

# List the paths under secret
vault kv list secret

# More use cases
vault kv put secret/my-secret my-value=s3cr3t
vault kv get secret/my-secret
vault kv get -version=1 secret/my-secret
vault kv delete secret/my-secret
vault kv undelete -versions=2 secret/my-secret

# Cubbyhole Secrets Engine
vault write cubbyhole/my-secret my-value=s3cr3t
vault read cubbyhole/my-secret

# Token Creation
vault token create

# Can set a max number of uses and a time limit (a bare number is read as seconds)
vault token create -use-limit=10 -ttl=30

# Transit Secrets Engine
vault secrets enable transit

# Create a named key
vault write -f transit/keys/my-key

# Pass the secret to be encrypted to transit with the named key end point
echo -n "my secret data" | base64 | vault write transit/encrypt/my-key plaintext=-

# To decrypt the ciphertext with the named key end point; transit returns the plaintext base64-encoded
# (here "bXkgc2VjcmV0IGRhdGE="), so select that field and decode it
vault write -field=plaintext transit/decrypt/my-key ciphertext=vault:v1:W4nyf2UmzhxnhPy0b8pAPDEemp3mxviAbKJx8mC3RiGrKWVEHbHH2wPS | base64 -d

  • Enable AWS backend for Vault

vault secrets enable -path=aws aws
vault write aws/config/root \
access_key=AKIAI4SGLQPBX6CSENIQ \
secret_key=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

  • Creating a template for the role on AWS
  • Role declaration

vault write aws/roles/my-role policy=-<<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1426528957000",
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
EOF

vault read aws/creds/my-role
vault lease revoke aws/creds/my-role/0bce0782-32aa-25ec-f61d-c026ff22106

  • Setting up postgres container

sudo docker run --name mypostgres1 -e POSTGRES_PASSWORD=mysecretpassword -d -p 0.0.0.0:5432:5432 postgres

psql -h localhost -p 5432 -U postgres -W

CREATE DATABASE mydb;

  • Dynamic database credentials using vault
  • Dynamic database credentials

vault secrets enable database
vault write database/config/mydb \
  plugin_name=postgresql-database-plugin \
  allowed_roles="readonly" \
  connection_url="postgresql://postgres:mysecretpassword@172.27.14.125:5432/mydb?sslmode=disable"

# {{name}}, {{password}} and {{expiration}} are filled in by Vault for every credential it generates
vault write database/roles/readonly db_name=mydb \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"{{name}}\"; GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl=1h max_ttl=24h

vault read database/creds/readonly
# Connect with the generated username and password returned by the read above (temprole stands in for the username)
psql -h localhost -p 5432 -U temprole -d mydb -W

  • Passing secrets while building docker image

vault write secret/foo username=user1
curl \
  -H "X-Vault-Token: 55wNSYUTJDQoezXZzj8tgzch" \
  -X GET \
  http://127.0.0.1:8200/v1/secret/foo

Vault HA and scalability

-> Vault supports multiple storage backends such as MySQL, PostgreSQL, S3, etc. (For more info: https://www.vaultproject.io/docs/configuration/storage/index.html)

-> To increase the scalability of Vault when Consul is the storage backend, you should generally scale Consul rather than Vault

Enterprise vault:

  • Namespaces are supported
  • DR replication (fail over Vault clusters from one datacenter to another within a limited time)
  • AWS KMS
  • Performance Standby Nodes
  • MFA when accessing secret paths
  • Mount Filters

Comparison with other vaults

  • Ansible Vault
  • Docker Secrets
  • AWS Secrets Manager
  • Azure Key Vault
