Using the AppRole Authentication Method to access secret resources on a HashiCorp Vault server

The AppRole Authentication Method is one of the authentication methods the HashiCorp Vault server provides. Combined with Policy authorization it grants access to sensitive data, and it is quite simple to use.

Development environment

  • Windows 11 Home
  • Windows Terminal 1.20.11781.0
  • Vault 1.17.6

Create the Vault server development environment

vault server -dev

Set environment variables

$Env:VAULT_ADDR = "http://127.0.0.1:8200"

Vault CLI

Enable AppRole

PS C:\Users\yao> vault auth enable approle
Success! Enabled approle auth method at: approle/

Configure the policy

$policy = @"
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/job/dream-team/*" {
  capabilities = ["create", "update", "read"]
}
"@
$policy | Out-File -FilePath "my-policy.hcl" -Encoding utf8
vault policy write my-policy "my-policy.hcl"
PS C:\Users\yao> $policy = @"
>> # Dev servers have version 2 of KV secrets engine mounted by default, so will
>> # need these paths to grant permissions:
>> path "secret/data/job/dream-team/*" {
>>   capabilities = ["create", "update", "read"]
>> }
>> "@
PS C:\Users\yao>
PS C:\Users\yao> $policy | Out-File -FilePath "my-policy.hcl" -Encoding utf8
PS C:\Users\yao> vault policy write my-policy "my-policy.hcl"
Success! Uploaded policy: my-policy

Configure the AppRole

vault write auth/approle/role/my-role `
secret_id_ttl=10m `
token_num_uses=10 `
token_ttl=20m `
token_max_ttl=30m `
secret_id_num_uses=40 `
token_policies=my-policy
PS C:\Users\yao> vault write auth/approle/role/my-role `
>> secret_id_ttl=10m `
>> token_num_uses=10 `
>> token_ttl=20m `
>> token_max_ttl=30m `
>> secret_id_num_uses=40 `
>> token_policies=my-policy
Success! Data written to: auth/approle/role/my-role

Read the role

PS C:\Users\yao> vault read auth/approle/role/my-role
Key                        Value
---                        -----
bind_secret_id             true
local_secret_ids           false
secret_id_bound_cidrs      <nil>
secret_id_num_uses         40
secret_id_ttl              10m
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              30m
token_no_default_policy    false
token_num_uses             10
token_period               0s
token_policies             [my-policy]
token_ttl                  20m
token_type                 default

Get the Role Id

PS C:\Users\yao> vault read auth/approle/role/my-role/role-id
Key        Value
---        -----
role_id    6af7a249-b577-6963-69ae-43374ddcd138

Get the Secret Id

PS C:\Users\yao> vault write -f auth/approle/role/my-role/secret-id
Key                   Value
---                   -----
secret_id            1d611bbd-3a29-913b-4e05-a2236f583641
secret_id_accessor    7f94e4a8-cea9-f791-e00d-e0765626623f
secret_id_num_uses    40
secret_id_ttl         10m

This works like registering an app with AppRole: the Vault server hands back a pair of IDs that identify that app.

Get a token

$Env:ROLE_ID="6af7a249-b577-6963-69ae-43374ddcd138"; `
$Env:SECRET_ID="1d611bbd-3a29-913b-4e05-a2236f583641"; `
vault write auth/approle/login `
    role_id=$Env:ROLE_ID `
    secret_id=$Env:SECRET_ID
PS C:\Users\yao> $Env:ROLE_ID="6af7a249-b577-6963-69ae-43374ddcd138"; `
>> $Env:SECRET_ID="1d611bbd-3a29-913b-4e05-a2236f583641"; `
>> vault write auth/approle/login `
>>     role_id=$Env:ROLE_ID `
>>     secret_id=$Env:SECRET_ID
Key                     Value
---                     -----
token                  hvs.CAESIBbIf5_yfPUD8IK3wxmV7IjsjlUMW_HepjBQTTQpryVCGh4KHGh2cy5TMmswTnNYY3I5V2l3a00wTXJQUTB2VnI
token_accessor          om8KLAoSyToSvkMnBYbzuEay
token_duration          20m
token_renewable         true
token_policies          ["default" "my-policy"]
identity_policies       []
policies                ["default" "my-policy"]
token_meta_role_name    my-role

Log in

Switch identity

PS C:\Users\yao> vault login hvs.CAESIBbIf5_yfPUD8IK3wxmV7IjsjlUMW_HepjBQTTQpryVCGh4KHGh2cy5TMmswTnNYY3I5V2l3a00wTXJQUTB2VnI
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                     Value
---                     -----
token                  hvs.CAESIBbIf5_yfPUD8IK3wxmV7IjsjlUMW_HepjBQTTQpryVCGh4KHGh2cy5TMmswTnNYY3I5V2l3a00wTXJQUTB2VnI
token_accessor          om8KLAoSyToSvkMnBYbzuEay
token_duration          17m15s
token_renewable         true
token_policies          ["default" "my-policy"]
identity_policies       []
policies                ["default" "my-policy"]
token_meta_role_name    my-role

Read the KV

PS C:\Users\yao> vault kv get -mount="secret" "job/dream-team/my-secret"
============ Secret Path ============
secret/data/job/dream-team/my-secret

======= Metadata =======
Key                Value
---                -----
created_time       2024-10-10T03:22:24.5812039Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            5

====== Data ======
Key         Value
---         -----
User        admin
password    1234567890
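The same login-then-read flow as an application would perform it against the Vault HTTP API instead of the CLI. This is an added PowerShell example, not code from the original post; it assumes VAULT_ADDR, ROLE_ID and SECRET_ID are set as above and that the role, policy and secret from this post exist.

```powershell
# Added example: AppRole login + KV v2 read over the Vault HTTP API.
# Assumes $Env:VAULT_ADDR, $Env:ROLE_ID and $Env:SECRET_ID are set as in the post.
$ErrorActionPreference = "Stop"

function Get-ApproleToken {
    param([string]$RoleId, [string]$SecretId)
    # `vault write auth/approle/login ...` is POST /v1/auth/approle/login
    $body = @{ role_id = $RoleId; secret_id = $SecretId } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post -Uri "$Env:VAULT_ADDR/v1/auth/approle/login" -ContentType "application/json" -Body $body
    # Every login consumes one secret_id use (secret_id_num_uses=40 above);
    # the returned token carries token_num_uses=10 and token_ttl=20m.
    return $resp.auth
}

function Read-KvV2Secret {
    param([string]$Token, [string]$Mount, [string]$Path)
    # `vault kv get -mount=secret job/...` is GET /v1/secret/data/job/...
    # The policy grants secret/data/*, which is why that "data/" segment matters.
    $uri = "$Env:VAULT_ADDR/v1/$Mount/data/$Path"
    $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ "X-Vault-Token" = $Token }
    return [pscustomobject]@{ Version = $resp.data.metadata.version; Data = $resp.data.data }
}

$auth = Get-ApproleToken -RoleId $Env:ROLE_ID -SecretId $Env:SECRET_ID
# Log the accessor, never the token itself; the accessor is enough to look up or revoke it
Write-Host "accessor=$($auth.accessor) ttl=$($auth.lease_duration)s policies=$($auth.policies -join ',')"

# The token stays in memory only; unlike `vault login` nothing is written to the token helper.
$secret = Read-KvV2Secret -Token $auth.client_token -Mount "secret" -Path "job/dream-team/my-secret"
"version $($secret.Version): User=$($secret.Data.User)"
```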


Thoughts

With the AppRole Authentication Method you obtain a dynamic Secret Id and a fixed Role Id, and then exchange Secret Id + Role Id for a token; chaining these steps together raises no real problems. This example used the Root Token to obtain the Secret Id and Role Id; in practice remember to do this with a non-root token. You can try a token produced by vault token create and then use it with vault login new_token.
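One way to follow that advice: give the component that hands out Role Ids and Secret Ids its own narrowly scoped token instead of the root token. This is an added PowerShell example, not part of the original post; the policy name approle-issuer and the 1h TTL are my own choices, while the paths are the ones used above.

```powershell
# Added example: issue role-id / secret-id with a non-root token.
# Policy name and TTL are arbitrary choices; paths match the role configured above.
$issuerPolicy = @"
# Read the fixed role_id of my-role
path "auth/approle/role/my-role/role-id" {
  capabilities = ["read"]
}
# `vault write -f .../secret-id` is an update, so "update" (not "create") is required
path "auth/approle/role/my-role/secret-id" {
  capabilities = ["update"]
}
"@
$issuerPolicy | Out-File -FilePath "approle-issuer.hcl" -Encoding utf8
vault policy write approle-issuer "approle-issuer.hcl"

# Short-lived, single-purpose token for whatever hands secret_ids to the app
$issuerToken = vault token create -policy=approle-issuer -ttl=1h -field=token
vault login $issuerToken

# These succeed with the issuer token ...
vault read -field=role_id auth/approle/role/my-role/role-id
vault write -f -field=secret_id auth/approle/role/my-role/secret-id

# ... while reading the secret itself (granted only by my-policy) is denied,
# so a leaked issuer token cannot read job/dream-team/* on its own
vault kv get -mount="secret" "job/dream-team/my-secret"
```

The last command is expected to fail with a permission denied error; that is the point of separating the issuer policy from my-policy.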

If there are any mistakes, please let me know; I am new at this, so please bear with me.


Microsoft MVP Award 2010~2017 C# (Q4)
Microsoft MVP Award 2018~2022 .NET
