Vault Secrets Via API for the REST of Us
1. Copyright © 2018 HashiCorp
Vault API for the REST of us
How to access Vault whether you're in a full stateful environment or a minimalist MacGyver sidecar.
Version: 1119.18
3.
1: CLI
2: HTTP
3: HTTPS
4: Binding
5: Other client
4.
CLI
Simplicity:
The single Vault binary covers server, agent and CLI.
Pros:
Simplicity. One binary does it all.
The -output-curl-string parameter prints the equivalent REST call for any command, which flattens the learning curve.
Help menu provided.
Cons:
Bulk: 127MB binary (Golang, no dependencies).
Often too large for a sidecar or container environment.
Golang CA chain caveats.
Not always an option.
5.
CLI to API
#!/bin/bash
# Example vault override to convert a script's vault calls into curl commands.
# Shadow the vault binary with a function that inserts -output-curl-string,
# so each command prints the equivalent REST call instead of executing it.
function vault {
  local arg1=$1
  shift
  /usr/local/bin/vault "$arg1" -output-curl-string "$@"
}
vault write auth/jwt/login role=test jwt=MYJWT
vault write pki/issue/example common_name=test.com
vault read kv/test
$ ./batch.sh
curl -X PUT -H "X-Vault-Token: $(vault print token)" -d '{"jwt":"MYJWT","role":"test"}' http://127.0.0.1:8200/v1/auth/jwt/login
curl -X PUT -H "X-Vault-Token: $(vault print token)" -d '{"common_name":"test.com"}' http://127.0.0.1:8200/v1/pki/issue/example
curl -H "X-Vault-Token: $(vault print token)" http://127.0.0.1:8200/v1/kv/test
6.
HTTP or HTTPS
Simplicity:
Low overhead. Flexible.
Pros:
Simplicity. Accessible with standard libs.
Security via HTTPS (plain HTTP sends the X-Vault-Token header in cleartext, so keep it to loopback or test setups).
Lightweight HTTP: access via curl or /dev/tcp (bash only).
Lightweight HTTPS: access via curl or just the OpenSSL client.
Suitable for automation or wrappers.
Cons:
Good developer experience, but less convenient as an interactive user experience.
7.
HTTP (raw /dev/tcp)
#!/bin/bash
# Access the raw Vault API without curl, wget, or the vault binary.
# Bash opens a TCP socket for /dev/tcp/HOST/PORT on file descriptor 3.
# ARG1 is the request path (GET only); the token comes from $VAULT_TOKEN.
# Plain HTTP: the token crosses the wire in cleartext, so loopback only.
function vaultRaw
{
  exec 3<>/dev/tcp/localhost/8200
  # The empty line after the headers is what ends the request;
  # without it the server keeps waiting for more headers.
  cat <<EOF >&3
GET /$1 HTTP/1.1
Host: localhost:8200
X-Vault-Token: $VAULT_TOKEN
Connection: close

EOF
  cat <&3
  exec 3>&-
}
# Fetch health
vaultRaw v1/sys/health
# Fetch seal-status
vaultRaw v1/sys/seal-status
8.
HTTP (raw /dev/tcp) output
$ ./vault-raw-api.sh
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: application/json
Date: Tue, 05 Nov 2019 01:40:36 GMT
Content-Length: 298
Connection: close
{"initialized":true,"sealed":false,"standby":false,"performance_standby":false,"replication_performance_mode":"disabled","replication_dr_mode":"disabled","server_time_utc":1572918036,"version":"1.2.3+ent","cluster_name":"vault-cluster-e97e0603","cluster_id":"4da14b8c-b2fd-56e1-a104-bbf1eac855f5"}
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: application/json
Date: Tue, 05 Nov 2019 01:40:36 GMT
Content-Length: 242
Connection: close
{"type":"shamir","initialized":true,"sealed":false,"t":1,"n":1,"progress":0,"nonce":"","version":"1.2.3+ent","migration":false,"cluster_name":"vault-cluster-e97e0603","cluster_id":"4da14b8c-b2fd-56e1-a104-bbf1eac855f5","recovery_seal":false}
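Both the /dev/tcp route above and the openssl s_client route that follows hand back a raw HTTP/1.1 response, so a script has to parse the status line, headers and body itself, and /sys/health carries the node state in the status code as much as in the JSON. The following is an added example, not code from the slides: bash and awk helpers that extract the status code and body from a captured response, pull a scalar out of Vault's flat JSON, and map the health codes Vault documents (200 active, 429 standby, 472 DR secondary, 473 performance standby, 501 uninitialized, 503 sealed) to their meaning. The response text is constructed for the example; in practice you would feed it the output of vaultRaw or the openssl script.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): parse the raw HTTP/1.1 response that
# /dev/tcp or openssl s_client returns, and interpret GET /v1/sys/health.

# Status code from the first line ("HTTP/1.1 503 Service Unavailable" -> 503).
http_status() {
    printf '%s\n' "$1" | awk 'NR == 1 { sub(/\r$/, ""); print $2; exit }'
}

# Body: everything after the first empty line, CRLF line endings stripped.
http_body() {
    printf '%s\n' "$1" | awk '
        { sub(/\r$/, "") }
        in_body { printf "%s", $0 }
        /^$/ && !in_body { in_body = 1 }'
}

# Scalar field from a flat JSON object, e.g. json_field "$body" sealed -> true.
# Good enough for Vault's flat status documents; use jq when it is available.
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\([^,}]*\).*/\1/p"
}

# Vault's documented default /sys/health status codes (the endpoint's query
# parameters such as sealedcode= can remap them).
vault_health_meaning() {
    case "$1" in
        200) echo "initialized, unsealed, active" ;;
        429) echo "unsealed, standby" ;;
        472) echo "disaster recovery replication secondary, active" ;;
        473) echo "performance standby" ;;
        501) echo "not initialized" ;;
        503) echo "sealed" ;;
        *)   echo "unexpected status $1" ;;
    esac
}

# One-line summary of a health response: code, meaning, and the sealed flag.
check_health() {
    local code body
    code=$(http_status "$1")
    body=$(http_body "$1")
    echo "status $code: $(vault_health_meaning "$code"); sealed=$(json_field "$body" sealed)"
}

# Constructed sample: what a sealed node answers to GET /v1/sys/health.
SAMPLE_RESPONSE=$(printf 'HTTP/1.1 503 Service Unavailable\r\nCache-Control: no-store\r\nContent-Type: application/json\r\nConnection: close\r\n\r\n{"initialized":true,"sealed":true,"standby":false,"version":"1.2.3+ent"}')

# Usage with the live script from the previous slide would be:
#   resp=$(vaultRaw v1/sys/health); check_health "$resp"
check_health "$SAMPLE_RESPONSE"
```

The awk parsers are deliberately tolerant of both CRLF and bare LF line endings, since the hand-written requests on these slides send LF-only lines and Vault's Go HTTP server accepts them; checking the status code before touching the body is what lets a sidecar distinguish a sealed node (503) from a healthy one (200) without a JSON library.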
9.
HTTPS (openssl s_client)
#!/bin/bash -x
# John Boero - a script to access Vault using only the OpenSSL client.
# ARG1 is your endpoint requested (GET by default); the token comes from $VAULT_TOKEN.
# -verify_return_error aborts the handshake when chain verification fails;
# without it s_client reports the error and carries on, sending the token to
# an unverified server. Add -CAfile for a CA that is not in the system store.
# -servername sends SNI so the server offers the certificate for that name.
openssl s_client -quiet -verify_return_error -servername localhost \
    -connect localhost:8200 <<EOF
GET /$1 HTTP/1.1
Host: localhost:8200
X-Vault-Token: $VAULT_TOKEN
Connection: close

EOF
10.
HTTPS (openssl) output
$ ./vault-tls-example.sh v1/sys/health
+ openssl s_client -quiet -connect localhost:8200
Can't use SSL_get_servername
depth=0 C = UK, L = London, O = Default Company Ltd, CN = localhost
verify return:1
depth=0 C = UK, L = London, O = Default Company Ltd, CN = localhost
verify return:1
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: application/json
Date: Tue, 05 Nov 2019 02:01:06 GMT
Content-Length: 298
Connection: close
{"initialized":true,"sealed":false,"standby":false,"performance_standby":false,"replication_performance_mode":"disabled","replication_dr_mode":"disabled","server_time_utc":1572919266,"version":"1.2.3+ent","cluster_name":"vault-cluster-e97e0603","cluster_id":"4da14b8c-b2fd-56e1-a104-bbf1eac855f5"}
11.
Bindings
Simplicity:
Native library wrappers for the languages you prefer.
Community and supported libraries are listed here:
https://www.vaultproject.io/api/libraries.html
Pros:
Simplicity. Accessible with standard libs.
Suitable for automation or wrappers.
Gentle learning curve.
Cons:
Library maintainers must keep up with server releases.