Repeatdly Vault builds
• Mark Eschbach
I’ve got about a half hour this morning, so I thought I would continue on with with my devops tools to initailize and maintain things. So I’ve got the toolchain able to lock and unlock Vault instances. Next up is dealing with policy construction.
So first major challenge is connecting to the vault instance for the environment. I use environment variables to determine what will be connected to and store that in a specific keychain. Hmm, I thought I was farther along, apparently not. Time to find the best Vault gem I can find. Hashicorp publishes one. Unfortunately it doesn’t look like this Gem documents how to write policies :-/. Time to dig through the source! Looks like Sys#put_policy is what I’m searchign for. Now to figure out how to get the sys object. Ah! It’s bound as apart of the extension of the class. Should be a straightforward client.sys.put_policy. Well, I overlooked the fact the format is different :-/. It generates JSON and I’ve defined it all in HCL so far. I really wish the official documentation was a little clearer about this but lucky someone has braved this path before. Hmm, that failed with got unconvertible type 'map[string]interface {}' :-/.
Looking at the official documentation for the target resource I was way off. Let’s try that modification.
Brief intermittermission, by like, you know, the day
Alrighty, coming back and brain storming. By a stroke of luck I decided to try just using straight HCL instead of using JSON, which surpisingly worked. Yay!
Next up is creating a login for the automated applications. The AppRole sounds interesting, however for my particular use cases right now it’s a bit overkill. I’m afraid there are some details I’m overlooking but I’ll dive into it head first anyway. For now I’ll steer away from it until I feel like it’s more releveant and stick with the supposidly less secure user name and passwords. Hmm, doesn’t look too bad for userpass. I was wrong about AppRole, it actually looks easy to setup. Well that was relatively easy.
role_name = "example-role"
policy_name = "example-policy"
if not vault.sys.auths.include? :approle
vault.sys.enable_auth( "approle", "approle", nil)
end
vault.approle.set_role( role_name, :policies => [ policy_name ] )
role_id = vault.approle.role_id( role_name )
secret_id = vault.approle.create_secret_id( role_name ).data[:secret_id]
puts "Role: #{role_id}"
puts "Secret: #{secret_id}"