[SecretEngine][Vault] Extend ability to write, generate #786

Moep90 · 2021-09-29T09:28:13Z

Feature

Extending the Vault secret engine would help many in the kapitan-community (feedback channel + kapitan working group).

I want to share how I/we in my company tend to use the vault k+v store and its features.

Our Concept

Templated

{version}/{product-group}/{environment}-{provider-or-host}/{in-use-by}/{secret-type}/{name}

Example

v1/some-product/production-cluster-eu14/jenkins/aws-credentials/rootnonotreally
v1/some-other-product/production-saucelabs/jenkins/saucelabs-credentials/web-team
v1/some-thing/staging-cluster-us87/our-service/slack-token/chat-token

Execution

Payload

{
  "options": {
    "cas": 0
  },
  "data": {
    "creator": "firstname.lastname",
    "created-at": "2021-07-10-07:06",
    "expires-at": "2023-07-10-07:06",
    "encryption": "plain",
    "material": "02af2bb18847318ae5c738d29c9e18ef1a3afae12ca25e323a186c07b8aff0c1"
  }
}

API-Call

curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    https://${VAULT_URL}/v1/v1/some-product/production-cluster-eu14/jenkins/aws-credentials/rootnonotreally

Vault-CLI

Alternatively with vault CLI

export VAULT_ROOT_TOKEN=<myToken>
export VAULT_TOKEN=<myToken>
export VAULT_ADDR=${VAULT_URL}
vault kv put ops_kv/v1/some-product/production-cluster-eu14/jenkins/aws-credentials/rootnonotreally material=02af2bb18847318ae5c738d29c9e18ef1a3afae12ca25e323a186c07b8aff0c1 creator=firstname.lastname encryption=plain created-at=$(date "+%Y-%m-%d-%H:%M") expires-at=2023-07-10-07:06

Kapitan

Built In generators

parameters:
  better_secret:
    value: ?{vaultkv:targets/${target_name}/aws-credentials/rootnonotreally||randomstr|base64}

Vault Secret generators (similar to GKMS?)

We can make use of the /sys/tools/random endpoint

parameters:
  better_secret:
    value: ?{vaultkv:targets/${target_name}/aws-credentials/rootnonotreally||vaultrandom:32|base64}
    value: ?{vaultkv:targets/${target_name}/aws-credentials/chat-token||vaultrandom:32|hex}

Docs

We may can use something out of these links:

The text was updated successfully, but these errors were encountered:

MatteoVoges · 2023-10-04T07:51:31Z

Fixed with #1053

ramaro added enhancement enhancement to an existing feature feature labels Oct 30, 2021

MatteoVoges mentioned this issue Mar 16, 2023

Add write support for vaultkv secrets #958

Closed

MatteoVoges linked a pull request Apr 4, 2023 that will close this issue

Add write support for vaultkv secrets #958

Closed

MatteoVoges self-assigned this Apr 4, 2023

MatteoVoges closed this as completed Oct 4, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[SecretEngine][Vault] Extend ability to write, generate #786

[SecretEngine][Vault] Extend ability to write, generate #786

Moep90 commented Sep 29, 2021 •

edited

Loading

MatteoVoges commented Oct 4, 2023

[SecretEngine][Vault] Extend ability to write, generate #786

[SecretEngine][Vault] Extend ability to write, generate #786

Comments

Moep90 commented Sep 29, 2021 • edited Loading

Feature

Our Concept

Templated

Example

Execution

Payload

API-Call

Vault-CLI

Kapitan

Built In generators

Vault Secret generators (similar to GKMS?)

Docs

MatteoVoges commented Oct 4, 2023

Moep90 commented Sep 29, 2021 •

edited

Loading