
Vault Secrets Via API for the REST of Us

In this solutions engineering hangout, HashiCorp solutions engineer John Boero will walk through the basics of managing Vault secrets and accessing REST APIs without having a binary CLI or UI. This talk will include some minimalist hotwired tricks for when you don't even have cURL. For example, you might be in a restrictive environment such as a minimalist container.


  1. Copyright © 2018 HashiCorp. Vault API for the REST of us. How to access Vault whether you're in a full stateful environment or a minimalist MacGyver sidecar. Version: 1119.18
  2. REST API: Options
  3. 1: CLI, 2: HTTP, 3: HTTPS, 4: Binding, 5: Other client
  4. CLI
     Simplicity: the Vault binary actually covers Server, Agent and CLI.
     Pros: Simplicity. A single binary does it all. The -output-curl-string parameter can generate the equivalent REST call, which flattens the learning curve. A help menu is provided.
     Cons: Bulk: a 127MB binary (Golang, no dependencies), often too large for a sidecar or container environment. Golang CA chain caveats. Not always an option.
  5. CLI to API

     ```bash
     #!/bin/bash
     # Example vault override to convert a script to curl commands.
     # Use this function to override vault so every call prints its curl equivalent.
     function vault {
       arg1=$1
       shift
       /usr/local/bin/vault "$arg1" -output-curl-string "$@"
     }
     vault write auth/jwt/login role=test jwt=MYJWT
     vault write pki/issue/example common_name=test.com
     vault read kv/test
     ```

     Output:

     ```
     $ batch.sh
     curl -X PUT -H "X-Vault-Token: $(vault print token)" -d '{"jwt":"MYJWT","role":"test"}' http://127.0.0.1:8200/v1/auth/jwt/login
     curl -X PUT -H "X-Vault-Token: $(vault print token)" -d '{"common_name":"test.com"}' http://127.0.0.1:8200/v1/pki/issue/example
     curl -H "X-Vault-Token: $(vault print token)" http://127.0.0.1:8200/v1/kv/test
     ```
  6. HTTP or HTTPS
     Simplicity: low overhead, flexible.
     Pros: Simplicity. Accessible with standard libs. Security via HTTPS. Lightweight HTTP: access via curl or /dev/tcp (bash only). Lightweight HTTPS: access via curl or just the OpenSSL client. Suitable for automation or wrappers.
     Cons: Great developer experience, but less easy as a user experience.
  7. HTTP (raw /dev/tcp)

     ```bash
     #!/bin/bash
     # Access the raw Vault API without curl, wget, or the vault binary.
     # The blank line after the headers is required: it ends the HTTP header block.
     function vaultRaw {
       exec 3<>/dev/tcp/localhost/8200
       cat <<EOF >&3
     GET /$1 HTTP/1.1
     Host: localhost:8200
     X-Vault-Token: $VAULT_TOKEN
     Connection: close

     EOF
       cat <&3
     }
     # Fetch health
     vaultRaw v1/sys/health
     # Fetch seal-status
     vaultRaw v1/sys/seal-status
     ```
  8. HTTP (raw /dev/tcp) output

     ```
     $ ./vault-raw-api.sh
     HTTP/1.1 200 OK
     Cache-Control: no-store
     Content-Type: application/json
     Date: Tue, 05 Nov 2019 01:40:36 GMT
     Content-Length: 298
     Connection: close

     {"initialized":true,"sealed":false,"standby":false,"performance_standby":false,"replication_performance_mode":"disabled","replication_dr_mode":"disabled","server_time_utc":1572918036,"version":"1.2.3+ent","cluster_name":"vault-cluster-e97e0603","cluster_id":"4da14b8c-b2fd-56e1-a104-bbf1eac855f5"}
     HTTP/1.1 200 OK
     Cache-Control: no-store
     Content-Type: application/json
     Date: Tue, 05 Nov 2019 01:40:36 GMT
     Content-Length: 242
     Connection: close

     {"type":"shamir","initialized":true,"sealed":false,"t":1,"n":1,"progress":0,"nonce":"","version":"1.2.3+ent","migration":false,"cluster_name":"vault-cluster-e97e0603","cluster_id":"4da14b8c-b2fd-56e1-a104-bbf1eac855f5","recovery_seal":false}
     ```
  9. HTTPS (openssl s_client)

     ```bash
     #!/bin/bash -x
     # John Boero - a script to access Vault using only the OpenSSL client.
     # ARG1 is the endpoint requested (GET by default).
     # The blank line after the headers is required: it ends the HTTP header block.
     openssl s_client -quiet -connect localhost:8200 <<EOF
     GET /$1 HTTP/1.1
     Host: localhost:8200
     X-Vault-Token: $VAULT_TOKEN
     Connection: close

     EOF
     ```
  10. HTTPS (openssl) output

      ```
      $ ./vault-tls-example.sh v1/sys/health
      + openssl s_client -quiet -connect localhost:8200
      Can't use SSL_get_servername
      depth=0 C = UK, L = London, O = Default Company Ltd, CN = localhost
      verify return:1
      depth=0 C = UK, L = London, O = Default Company Ltd, CN = localhost
      verify return:1
      HTTP/1.1 200 OK
      Cache-Control: no-store
      Content-Type: application/json
      Date: Tue, 05 Nov 2019 02:01:06 GMT
      Content-Length: 298
      Connection: close

      {"initialized":true,"sealed":false,"standby":false,"performance_standby":false,"replication_performance_mode":"disabled","replication_dr_mode":"disabled","server_time_utc":1572919266,"version":"1.2.3+ent","cluster_name":"vault-cluster-e97e0603","cluster_id":"4da14b8c-b2fd-56e1-a104-bbf1eac855f5"}
      ```
  11. Bindings
      Simplicity: native library wrappers for the languages you prefer. Community and supported libraries are listed at https://www.vaultproject.io/api/libraries.html
      Pros: Simplicity. Accessible with standard libs. Suitable for automation or wrappers. Simple learning curve.
      Cons: Library maintainers must keep up with server releases.
  12. www.hashicorp.com hello@hashicorp.com Thank you
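Added example, not from the deck: the /dev/tcp and openssl slides send a GET built from a heredoc, which uses bare LF line endings and cannot carry a body. The helpers below build the same request with the CRLF endings RFC 7230 requires (Vault's Go server tolerates bare LF, a strict proxy in front of it may not), add Content-Length so writes and logins work, and split a raw response into status code and JSON body. The function names, the VAULT_HOST variable and the sample response are constructed for this example.

```bash
#!/bin/bash
# Raw Vault API helpers for hosts without curl or the vault binary (constructed example).

# vault_request METHOD PATH TOKEN [JSON_BODY]
# Prints the exact bytes to send over /dev/tcp or "openssl s_client -quiet".
vault_request() {
  local LC_ALL=C            # make ${#body} count bytes, not characters
  local method=$1 path=$2 token=$3 body=${4:-}
  printf '%s /%s HTTP/1.1\r\n' "$method" "$path"
  printf 'Host: %s\r\n' "${VAULT_HOST:-localhost:8200}"
  printf 'X-Vault-Token: %s\r\n' "$token"
  printf 'Connection: close\r\n'
  if [ -n "$body" ]; then
    printf 'Content-Type: application/json\r\n'
    printf 'Content-Length: %d\r\n' "${#body}"
  fi
  printf '\r\n%s' "$body"   # blank line ends the headers, then the body
}

# vault_response_status RAW_RESPONSE -> numeric status code from the status line
vault_response_status() {
  local line=${1%%$'\n'*}
  line=${line%$'\r'}
  set -- $line
  printf '%s' "$2"
}

# vault_response_body RAW_RESPONSE -> everything after the first blank line
vault_response_body() {
  local raw=$1 crlf=$'\r\n\r\n' lf=$'\n\n'
  case $raw in
    *"$crlf"*) printf '%s' "${raw#*"$crlf"}" ;;
    *"$lf"*)   printf '%s' "${raw#*"$lf"}" ;;
    *)         return 1 ;;   # headers never ended: not a usable response
  esac
}

# vault_api METHOD PATH [JSON_BODY]: send over bash's /dev/tcp, print the body,
# and return non-zero unless Vault answered 2xx. Needs VAULT_TOKEN in the env;
# VAULT_HOST is host:port (assumed variable, default localhost:8200).
vault_api() {
  local hp=${VAULT_HOST:-localhost:8200} raw
  exec 3<>"/dev/tcp/${hp%%:*}/${hp##*:}" || return 1
  vault_request "$1" "$2" "${VAULT_TOKEN:-}" "${3:-}" >&3
  raw=$(cat <&3); exec 3<&-
  vault_response_body "$raw"
  case $(vault_response_status "$raw") in 2??) return 0 ;; *) return 1 ;; esac
}
```

Checking the status code matters here: a 403 from Vault still comes back as valid JSON (`{"errors":["permission denied"]}`), so a caller that only reads the body cannot tell a denied read from a secret.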
