All the cases covered so far logged in with the root token. After login the caller has passed authentication; Vault then decides, from the defined ACL Policies and Roles, who may access which resources, a process called authorization. Because the root token carries the highest privileges, it should in principle never be handed to non-administrators. Now let's look at how to reach sensitive resources on a HashiCorp Vault Server through its GitHub Authentication Method!

Development environment
- Windows 11 Home
- Windows Terminal 1.20.11781.0
- Vault 1.17.6
Start a Vault Server development environment
vault server -dev
Set the environment variable
$Env:VAULT_ADDR = "http://127.0.0.1:8200"
GitHub
Set up the Organization
I created an Organization named FunPlusCoding.

Set up the Team
Create a team named dream-team.

Get a GitHub PAT
After logging in to GitHub: Settings → Developer settings → Personal access tokens → Tokens (classic) → Generate new token (classic)
The token needs the read:org scope (listed under the admin:org group).


The token is shown on screen only once; close the page and you can never see it again, so let's write it down first: 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
Delete it once the demo is done.
Vault CLI
This lab has two main steps:
- First I log in with the default root token and create, in turn, the K/V secret, the Policy and the GitHub Authentication Method.
- Then I switch to the GitHub identity and read the K/V secret.
Create the K/V secret
PS C:\Users\yao> vault kv put -mount="secret" "job/dream-team/my-secret" User=admin password=123456
============ Secret Path ============
secret/data/job/dream-team/my-secret
======= Metadata =======
Key Value
--- -----
created_time 2024-10-10T03:10:53.358045Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 3
Set up the Policy
Write a Policy for the path above: under secret/data/job/dream-team/*, grant the "create", "update" and "read" capabilities.
$policy = @"
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/job/dream-team/*" {
capabilities = ["create", "update", "read"]
}
"@
$policy | Out-File -FilePath "my-policy.hcl" -Encoding utf8
vault policy write my-policy "my-policy.hcl"
PS C:\Users\yao> $policy = @"
>> # Dev servers have version 2 of KV secrets engine mounted by default, so will
>> # need these paths to grant permissions:
>> path "secret/data/job/dream-team/*" {
>> capabilities = ["create", "update", "read"]
>> }
>> "@
PS C:\Users\yao>
PS C:\Users\yao> $policy | Out-File -FilePath "my-policy.hcl" -Encoding utf8
PS C:\Users\yao> vault policy write my-policy "my-policy.hcl"
Success! Uploaded policy: my-policy
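To see exactly what my-policy lets the github token do (and what it does not), here is an added Python example that is not part of the original post and not Vault's own code. It re-implements the ACL path matching rules Vault documents (exact match wins, a trailing * is a prefix glob, a + segment matches exactly one path segment, otherwise the longest matching rule applies, and deny overrides everything) as a simplified model, which is an assumption; parse_policy, build_acl, is_allowed and lab_checks are names chosen here, and DEFAULT_POLICY_HCL is a trimmed subset of Vault's built-in default policy with only the rules this lab exercises. It goes beyond the post by also checking + and deny rules.

```python
import re
from typing import Dict, List, Set

# Constructed copy of the policy body the post writes to my-policy.hcl.
MY_POLICY_HCL = '''
# Dev servers have version 2 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "secret/data/job/dream-team/*" {
  capabilities = ["create", "update", "read"]
}
'''

# Assumption: only the rules of Vault's built-in "default" policy that this lab
# touches (token self-service); the real policy has more entries.
DEFAULT_POLICY_HCL = '''
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}
'''


def parse_policy(hcl: str) -> Dict[str, List[str]]:
    """Parse the `path "<pattern>" { capabilities = [...] }` subset of HCL.

    Real HCL is richer (allowed_parameters, nested blocks, ...); this tiny
    parser only handles the form used in the post.
    """
    rules: Dict[str, List[str]] = {}
    for block in re.finditer(r'path\s+"([^"]+)"\s*\{([^}]*)\}', hcl):
        pattern, body = block.group(1), block.group(2)
        caps = re.search(r'capabilities\s*=\s*\[([^\]]*)\]', body)
        rules[pattern] = re.findall(r'"([^"]+)"', caps.group(1)) if caps else []
    return rules


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Vault ACL path rules: a trailing '*' is a prefix glob, a '+' segment
    matches exactly one path segment, anything else must match literally."""
    glob = pattern.endswith("*")
    core = pattern[:-1] if glob else pattern
    parts = [r"[^/]+" if seg == "+" else re.escape(seg) for seg in core.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if glob else "") + "$")


def build_acl(*policies: str) -> Dict[str, Set[str]]:
    """Merge several policies into one ACL, as Vault does for a token carrying
    ["default", "my-policy"]: capabilities on the same pattern are unioned,
    except that "deny" anywhere wins."""
    acl: Dict[str, Set[str]] = {}
    for hcl in policies:
        for pattern, caps in parse_policy(hcl).items():
            merged = acl.setdefault(pattern, set())
            if "deny" in caps or "deny" in merged:
                merged.clear()
                merged.add("deny")
            else:
                merged.update(caps)
    return acl


def is_allowed(acl: Dict[str, Set[str]], request_path: str, capability: str) -> bool:
    """Exact match wins; otherwise the longest matching glob/segment rule applies;
    with no matching rule at all Vault denies by default."""
    if request_path in acl:
        caps = acl[request_path]
    else:
        matches = [p for p in acl if pattern_to_regex(p).match(request_path)]
        if not matches:
            return False
        caps = acl[max(matches, key=len)]
    return "deny" not in caps and capability in caps


def lab_checks() -> Dict[str, bool]:
    """What the github token from the post can and cannot do, per CLI command."""
    acl = build_acl(DEFAULT_POLICY_HCL, MY_POLICY_HCL)
    secret = "secret/data/job/dream-team/my-secret"
    return {
        "kv get (read data)": is_allowed(acl, secret, "read"),
        "kv put (update data)": is_allowed(acl, secret, "update"),
        "kv delete (delete data)": is_allowed(acl, secret, "delete"),
        "kv metadata get": is_allowed(acl, "secret/metadata/job/dream-team/my-secret", "read"),
        "kv list dream-team": is_allowed(acl, "secret/metadata/job/dream-team/", "list"),
        "kv get other team": is_allowed(acl, "secret/data/job/other-team/my-secret", "read"),
        "token lookup (self)": is_allowed(acl, "auth/token/lookup-self", "read"),
    }


if __name__ == "__main__":
    for check, ok in lab_checks().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {check}")
```

Running it shows that vault kv delete, vault kv metadata get and vault kv list would all be refused for this token: the policy covers only secret/data/..., not secret/metadata/..., and grants no delete or list capability. vault token lookup works only because the default policy mapped to the team grants read on auth/token/lookup-self. On a live server, vault token capabilities <path> gives the authoritative answer for the token currently in the token helper.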
Enable the GitHub Authentication Method
PS C:\Users\yao> vault auth enable github
Success! Enabled github auth method at: github/
Configure the team mapping
Specify which policies the GitHub team receives. In the example below I assign two policies: default and my-policy.
PS C:\Users\yao> vault write auth/github/map/teams/dream-team value=default,my-policy
Success! Data written to: auth/github/map/teams/dream-team
Log in with GitHub
PS C:\Users\yao> vault login -method=github token=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
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.CAESIDMYOMkFlzJovwQTfeP1IfZM-dgYYjdjz8vo6QAuHI5LGh4KHGh2cy5WYTN5YTdlc2pvNlJHOTJXZk9CNnI1Uko
token_accessor iKdba7etMPrFPZCqmrSkLuCD
token_duration 768h
token_renewable true
token_policies ["default" "my-policy"]
identity_policies []
policies ["default" "my-policy"]
token_meta_org FunPlusCoding
token_meta_username yaochangyu
After logging in you can see the two policies, default and my-policy; with them the token should be able to use the related sensitive data.
List all Authentication Methods
PS C:\Users\yao> vault auth list
Path Type Accessor Description Version
---- ---- -------- ----------- -------
github/ github auth_github_1ae0a23c n/a n/a
token/ token auth_token_12f2c775 token based credentials n/a
Check that the current authentication is github
PS C:\Users\yao> vault token lookup
Key Value
--- -----
accessor iKdba7etMPrFPZCqmrSkLuCD
creation_time 1728530300
creation_ttl 768h
display_name github-yaochangyu
entity_id 186f23a2-62d0-f010-0d1c-78b3f3f9c72b
expire_time 2024-11-11T11:18:20.1217707+08:00
explicit_max_ttl 0s
id hvs.CAESIDMYOMkFlzJovwQTfeP1IfZM-dgYYjdjz8vo6QAuHI5LGh4KHGh2cy5WYTN5YTdlc2pvNlJHOTJXZk9CNnI1Uko
issue_time 2024-10-10T11:18:20.1217707+08:00
meta map[org:FunPlusCoding username:yaochangyu]
num_uses 0
orphan true
path auth/github/login
policies [default my-policy]
renewable true
ttl 767h58m4s
type service
Read the KV secret
PS C:\Users\yao> vault kv get -mount="secret" "job/dream-team/my-secret"
============ Secret Path ============
secret/data/job/dream-team/my-secret
======= Metadata =======
Key Value
--- -----
created_time 2024-10-10T03:10:53.358045Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 3
====== Data ======
Key Value
--- -----
User admin
password 123456
Write the KV secret
PS C:\Users\yao> vault kv put -mount="secret" "job/dream-team/my-secret" User=admin password=1234567890
============ Secret Path ============
secret/data/job/dream-team/my-secret
======= Metadata =======
Key Value
--- -----
created_time 2024-10-10T03:22:24.5812039Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 5
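The HTTP exchanges behind the login step and the read/write KV steps above, as an added Python example that is not part of the original post: VaultClient, fake_dev_server and run_lab are names chosen here, the token and response values in the fake are constructed to look like the post's output, and the real transport uses only the standard library against the dev server at VAULT_ADDR. The exchange it shows is the documented one: the GitHub PAT is sent exactly once to POST /v1/auth/github/login, Vault answers with its own client token, and every later request carries that Vault token in X-Vault-Token, so the PAT never needs to leave the login step.

```python
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

# A transport takes (method, url, headers, body) and returns (status, parsed JSON).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, Dict[str, Any]]]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]):
    """Real transport: talks to the dev server (http://127.0.0.1:8200 by default)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:       # Vault reports denials as 403 + {"errors": [...]}
        raw = err.read()
        return err.code, (json.loads(raw) if raw else {})


class VaultClient:
    def __init__(self, addr: str = "http://127.0.0.1:8200", transport: Transport = urllib_transport):
        self.addr = addr.rstrip("/")
        self.transport = transport
        self.token: Optional[str] = None        # the Vault token, not the GitHub PAT

    def _call(self, method: str, path: str, body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["X-Vault-Token"] = self.token
        data = json.dumps(body).encode() if body is not None else None
        status, payload = self.transport(method, f"{self.addr}/v1/{path}", headers, data)
        if status >= 400:
            raise PermissionError(f"{method} {path} -> HTTP {status}: {payload.get('errors')}")
        return payload

    def login_github(self, pat: str) -> Dict[str, Any]:
        """vault login -method=github token=<pat>   ==   POST /v1/auth/github/login {"token": pat}"""
        auth = self._call("POST", "auth/github/login", {"token": pat})["auth"]
        self.token = auth["client_token"]       # what the CLI stores in the token helper
        return auth

    def kv_get(self, mount: str, path: str) -> Tuple[Dict[str, str], int]:
        """vault kv get -mount=<mount> <path>   ==   GET /v1/<mount>/data/<path>  (KV v2)"""
        data = self._call("GET", f"{mount}/data/{path}")["data"]
        return data["data"], data["metadata"]["version"]

    def kv_put(self, mount: str, path: str, **kv: str) -> int:
        """vault kv put -mount=<mount> <path> k=v   ==   POST /v1/<mount>/data/<path> {"data": {...}}"""
        return self._call("POST", f"{mount}/data/{path}", {"data": kv})["data"]["version"]


def fake_dev_server(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]):
    """Constructed stand-in for the dev server so the flow runs offline: it replays
    responses shaped like the post's output and enforces the dream-team policy."""
    path = url.split("/v1/", 1)[1]
    if (method, path) == ("POST", "auth/github/login"):
        if not json.loads(body)["token"].startswith("ghp_"):
            return 400, {"errors": ["constructed: not a GitHub PAT"]}
        return 200, {"auth": {
            "client_token": "hvs.CONSTRUCTED-EXAMPLE-TOKEN",
            "policies": ["default", "my-policy"],
            "metadata": {"org": "FunPlusCoding", "username": "yaochangyu"},
            "lease_duration": 768 * 3600}}
    if headers.get("X-Vault-Token") != "hvs.CONSTRUCTED-EXAMPLE-TOKEN":
        return 403, {"errors": ["permission denied"]}
    if not path.startswith("secret/data/job/dream-team/"):
        return 403, {"errors": ["permission denied"]}     # outside my-policy's path rule
    if method == "GET":
        return 200, {"data": {"data": {"User": "admin", "password": "123456"},
                              "metadata": {"version": 3}}}
    if method == "POST":
        return 200, {"data": {"version": 4}}
    return 405, {"errors": ["unsupported method"]}


def run_lab(transport: Transport = fake_dev_server, pat: str = "ghp_CONSTRUCTED-PLACEHOLDER") -> Dict[str, Any]:
    """Login, read, write, then a read outside the policy that must be refused."""
    client = VaultClient(transport=transport)
    auth = client.login_github(pat)
    secret, version = client.kv_get("secret", "job/dream-team/my-secret")
    new_version = client.kv_put("secret", "job/dream-team/my-secret", User="admin", password="1234567890")
    try:
        client.kv_get("secret", "job/other-team/my-secret")
        other_team = "allowed"
    except PermissionError:
        other_team = "denied"
    return {"policies": auth["policies"], "org": auth["metadata"]["org"], "secret": secret,
            "version": version, "new_version": new_version, "other_team": other_team}


if __name__ == "__main__":
    print(run_lab())                      # offline, against the constructed fake
```

To run it against the real dev server, call run_lab(urllib_transport, pat="<your PAT>"); the last step then fails with HTTP 403 for the same reason it does in the fake, because my-policy grants nothing under secret/data/job/other-team/.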
Takeaways
Vault has a single form of authorization management, the Policy, but many authentication methods, and each method can be assigned its own set of policies. This post wires up the Auth method → Policy configuration; once that is in place you can read and write the KV from C#, which earlier posts already demonstrated, so I won't repeat it here.
Accessing PostgreSQL with Vault Dynamic Credentials | 余小章 @ 大內殿堂 - 點部落 (dotblogs.com.tw)
If there are any mistakes, please let me know; I'm new at this, so please bear with me.
Microsoft MVP Award 2010~2017 C# (fourth quarter)
Microsoft MVP Award 2018~2022 .NET