#vault (2020-01)
Discussions related to Hashicorp Vault
2020-01-13
![David avatar](https://secure.gravatar.com/avatar/4f47da5c338b83938ce2229dbbd5460f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
I’m a bit confused by the AWS auth backend. Am I allowed to authenticate to Vault via AWS sts credentials from my local machine, or do I need to be on an EC2 when I assume a role so the metadata endpoint is present?
Essentially, is it possible to eventually say something like this on my local terminal: `aws-vault exec sandbox-role -- vault login --method aws` and then `vault kv read ...`?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yes, you can totally use this on your local machine
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
(and it also works with the metadata endpoint, if you happen to be in EC2)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
also, aws-vault provides its own "mock" AWS metadata service if you use the `--server` mode
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
We have some rough docs here on how we use it: https://docs.cloudposse.com/tools/aws-vault/
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
not sure if they will help you
![David avatar](https://secure.gravatar.com/avatar/4f47da5c338b83938ce2229dbbd5460f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
That does help, thanks!
It looks like I can use https://www.terraform.io/docs/providers/vault/r/aws_auth_backend_role.html and do something like:

```hcl
# Vault AWS auth role bound to a single IAM role ARN; callers presenting
# STS credentials for that role get a token with the "admin" policy.
resource "vault_aws_auth_backend_role" "local_iam_user_role" {
  role                     = "some_role_name"
  auth_type                = "iam"
  bound_iam_principal_arns = ["arn:aws:iam::<account_id>:role/SomeRoleOnlyAdminsHaveAccessTo"]
  token_policies           = ["admin"]
}
```

and then use credentials from aws-vault for the role SomeRoleOnlyAdminsHaveAccessTo
2020-01-30
![Iiro Niinikoski avatar](https://secure.gravatar.com/avatar/a3106a1dd633baaea39c3fbacd6ac100.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
A very blondie question… Vault… I’d assume you always want to firewall it? It’s anyway your secrets-API…
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
I’d say strongly recommended unless some extremely special case
![Iiro Niinikoski avatar](https://secure.gravatar.com/avatar/a3106a1dd633baaea39c3fbacd6ac100.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
:)
2020-01-31
![David avatar](https://secure.gravatar.com/avatar/4f47da5c338b83938ce2229dbbd5460f.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0003-72.png)
How would one restart a vault server? Or otherwise, how could I apply new changes to the config hcl file?
![sarkis avatar](https://secure.gravatar.com/avatar/3606f27756cf1a49f22f966e4ddf01a6.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0015-72.png)
For security reasons, only some configs are updated with a SIGHUP signal to the vault proc, which will not restart it completely (and possibly seal vault if you do not have auto-unseal enabled): https://www.vaultproject.io/docs/configuration/
Some of the ones I know of are `tls_cert_file` and `tls_key_file`. Not sure about others ;(