AppRole is another authentication method offered by HashiCorp Vault Server. Combined with a policy for authorization it lets an application reach sensitive data, and it is quite simple to use.
Development environment
- Windows 11 Home
- Windows Terminal 1.20.11781.0
- Vault 1.17.6
Set up a Vault dev server
vault server -dev
Set the environment variable
$Env:VAULT_ADDR = "http://127.0.0.1:8200"
Vault CLI
Enable AppRole
PS C:\Users\yao> vault auth enable approle
Success! Enabled approle auth method at: approle/
Configure the policy
$policy = @"
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/job/dream-team/*" {
capabilities = ["create", "update", "read"]
}
"@
$policy | Out-File -FilePath "my-policy.hcl" -Encoding utf8
vault policy write my-policy "my-policy.hcl"
PS C:\Users\yao> $policy = @"
>> # Dev servers have version 2 of KV secrets engine mounted by default, so will
>> # need these paths to grant permissions:
>> path "secret/data/job/dream-team/*" {
>> capabilities = ["create", "update", "read"]
>> }
>> "@
PS C:\Users\yao>
PS C:\Users\yao> $policy | Out-File -FilePath "my-policy.hcl" -Encoding utf8
PS C:\Users\yao> vault policy write my-policy "my-policy.hcl"
Success! Uploaded policy: my-policy
Configure the AppRole
vault write auth/approle/role/my-role `
secret_id_ttl=10m `
token_num_uses=10 `
token_ttl=20m `
token_max_ttl=30m `
secret_id_num_uses=40 `
token_policies=my-policy
PS C:\Users\yao> vault write auth/approle/role/my-role `
>> secret_id_ttl=10m `
>> token_num_uses=10 `
>> token_ttl=20m `
>> token_max_ttl=30m `
>> secret_id_num_uses=40 `
>> token_policies=my-policy
Success! Data written to: auth/approle/role/my-role
Read the role
PS C:\Users\yao> vault read auth/approle/role/my-role
Key Value
--- -----
bind_secret_id true
local_secret_ids false
secret_id_bound_cidrs <nil>
secret_id_num_uses 40
secret_id_ttl 10m
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 30m
token_no_default_policy false
token_num_uses 10
token_period 0s
token_policies [my-policy]
token_ttl 20m
token_type default
Get the Role ID
PS C:\Users\yao> vault read auth/approle/role/my-role/role-id
Key Value
--- -----
role_id 6af7a249-b577-6963-69ae-43374ddcd138
Get the Secret ID
PS C:\Users\yao> vault write -f auth/approle/role/my-role/secret-id
Key Value
--- -----
secret_id 1d611bbd-3a29-913b-4e05-a2236f583641
secret_id_accessor 7f94e4a8-cea9-f791-e00d-e0765626623f
secret_id_num_uses 40
secret_id_ttl 10m
This is like registering an app with AppRole: the Vault server returns a pair of IDs that identify that app.
Get a token
$Env:ROLE_ID="6af7a249-b577-6963-69ae-43374ddcd138"; `
$Env:SECRET_ID="1d611bbd-3a29-913b-4e05-a2236f583641"; `
vault write auth/approle/login `
role_id=$Env:ROLE_ID `
secret_id=$Env:SECRET_ID
PS C:\Users\yao> $Env:ROLE_ID="6af7a249-b577-6963-69ae-43374ddcd138"; `
>> $Env:SECRET_ID="1d611bbd-3a29-913b-4e05-a2236f583641"; `
>> vault write auth/approle/login `
>> role_id=$Env:ROLE_ID `
>> secret_id=$Env:SECRET_ID
Key Value
--- -----
token hvs.CAESIBbIf5_yfPUD8IK3wxmV7IjsjlUMW_HepjBQTTQpryVCGh4KHGh2cy5TMmswTnNYY3I5V2l3a00wTXJQUTB2VnI
token_accessor om8KLAoSyToSvkMnBYbzuEay
token_duration 20m
token_renewable true
token_policies ["default" "my-policy"]
identity_policies []
policies ["default" "my-policy"]
token_meta_role_name my-role
Log in
Switch identity
PS C:\Users\yao> Vault login hvs.CAESIBbIf5_yfPUD8IK3wxmV7IjsjlUMW_HepjBQTTQpryVCGh4KHGh2cy5TMmswTnNYY3I5V2l3a00wTXJQUTB2VnI
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.CAESIBbIf5_yfPUD8IK3wxmV7IjsjlUMW_HepjBQTTQpryVCGh4KHGh2cy5TMmswTnNYY3I5V2l3a00wTXJQUTB2VnI
token_accessor om8KLAoSyToSvkMnBYbzuEay
token_duration 17m15s
token_renewable true
token_policies ["default" "my-policy"]
identity_policies []
policies ["default" "my-policy"]
token_meta_role_name my-role
Read the KV secret
PS C:\Users\yao> vault kv get -mount="secret" "job/dream-team/my-secret"
============ Secret Path ============
secret/data/job/dream-team/my-secret
======= Metadata =======
Key Value
--- -----
created_time 2024-10-10T03:22:24.5812039Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 5
====== Data ======
Key Value
--- -----
User admin
password 1234567890
Thoughts
With the AppRole auth method you obtain a dynamic Secret ID and a fixed Role ID, then exchange Secret ID + Role ID for a token; chaining these steps together posed no real problems. This example obtained the Secret ID and Role ID with the root token; in practice, remember to do this with a non-root token. You can try a token produced by vault token create and then use it with vault login new_token.
If anything here is wrong, please let me know; I'm new to this, so please be gentle.
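Following that advice, here is an added example (not part of the original post) that drives the same workflow with a least-privilege "issuer" token instead of the root token. It assumes the dev server, $Env:VAULT_ADDR, the approle mount, my-policy and my-role from this post already exist and that the current CLI token is still the dev server's root token; the policy name approle-issuer and the file approle-issuer.hcl are my own choices.

```powershell
# Added example, not from the original post. Issue AppRole credentials with a
# non-root token whose policy allows only what the issuer needs.

# 1. A policy that can only read the role-id and mint secret-ids for my-role.
$issuerPolicy = @"
path "auth/approle/role/my-role/role-id" {
  capabilities = ["read"]
}
path "auth/approle/role/my-role/secret-id" {
  capabilities = ["update"]
}
"@
$issuerPolicy | Out-File -FilePath "approle-issuer.hcl" -Encoding utf8
vault policy write approle-issuer "approle-issuer.hcl"

# 2. A short-lived token carrying only that policy (created while still root).
$issuerToken = vault token create -policy="approle-issuer" -ttl="15m" -field=token

# 3. As the issuer: fetch the fixed role-id and a fresh secret-id.
#    VAULT_TOKEN overrides the token stored by the token helper.
#    The role's secret_id_ttl (10m) and secret_id_num_uses (40) still apply.
$Env:VAULT_TOKEN = $issuerToken
$roleId   = vault read -field=role_id auth/approle/role/my-role/role-id
$secretId = vault write -f -field=secret_id auth/approle/role/my-role/secret-id

# 4. As the application: exchange the pair for a token and use only that token.
$appToken = vault write -field=token auth/approle/login role_id=$roleId secret_id=$secretId
$Env:VAULT_TOKEN = $appToken
vault token lookup -format=json | ConvertFrom-Json |
    Select-Object -ExpandProperty data |
    Select-Object policies, ttl, num_uses
vault kv get -mount="secret" "job/dream-team/my-secret"

# 5. The issuer token has done its job; revoke it to limit the blast radius.
$Env:VAULT_TOKEN = $issuerToken
vault token revoke -self
Remove-Item Env:VAULT_TOKEN
```

Step 4 should list only default and my-policy with num_uses 10 and a TTL at or below 20m, as in the login output above, while the issuer token never gains read access to secret/data at all.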
Microsoft MVP Award 2010~2017 C# 第四季
Microsoft MVP Award 2018~2022 .NET