#vault (2020-01)

vault Discussions related to Hashicorp Vault

2020-01-31

David avatar
David

How would one restart a vault server? Or otherwise, how could I apply new changes to the config hcl file?

sarkis avatar
sarkis

For security reasons only some configs are updated with a SIGHUP signal to vault proc, which will not restart it completely (and possibly seal vault if you do not have auto-unseal enabled): https://www.vaultproject.io/docs/configuration/

Some of the ones I know of are tls_cert_file and tls_key_file. Not sure about others ;(

2020-01-30

Iiro Niinikoski avatar
Iiro Niinikoski

A very blondie question… Vault… I’d assume you always want to firewall it? It’s anyway your secrets-API…

sarkis avatar
sarkis

I’d say strongly recommended unless some extremely special case

Iiro Niinikoski avatar
Iiro Niinikoski

:)

2020-01-13

David avatar
David

I’m a bit confused by the AWS auth backend. Am I allowed to authenticate to Vault via AWS sts credentials from my local machine, or do I need to be on an EC2 when I assume a role so the metadata endpoint is present?

Essentially, is it possible to eventually say something like this on my local terminal: aws-vault exec sandbox-role -- vault login --method aws and then vault kv read ...?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yes, you can totally use this on your local machine

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

(and it also works with the metadata endpoint, if you happen to be in EC2)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

also, aws-vault provides it’s own “mock” AWS metadata service if you use the --server mode

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We have some rough docs here on how we use it: https://docs.cloudposse.com/tools/aws-vault/

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

not sure if they will help you

David avatar
David

That does help, thanks!

It looks like I can use https://www.terraform.io/docs/providers/vault/r/aws_auth_backend_role.html and do something like:

resource "vault_aws_auth_backend_role" "local_iam_user_role" {
  role                     = "some_role_name"
  auth_type                = "iam"
  bound_iam_principal_arns = ["arn:aws:iam::<account_id>:role/SomeRoleOnlyAdminsHaveAccessTo"]
  token_policies           = ["admin"]
}

and then use credentials from aws-vault for the the role SomeRoleOnlyAdminsHaveAccessTo

    keyboard_arrow_up