
Vault

Vault secures, stores, and tightly controls access to tokens, passwords,
certificates, API keys, and other secrets in modern computing.

https://learn.hashicorp.com/vault

Increase the token TTL value

The token TTL cannot exceed the max_ttl value, which by default is 768h.

So, if you try to create a token with a TTL longer than 768h, you may encounter the following error:
TTL of xx exceeded the effective max_ttl of "768h"; TTL value is capped accordingly

You can increase the max_ttl value of the token auth mount (max_lease_ttl in sys/auth/token/tune, shown below) in order to set a longer TTL for tokens. Keep in mind that this also lengthens how long a lost or leaked token stays usable, so raise it only as far as needed.

export VAULT_ADDR=https://vault.example.com
vault login $root_token

# Check the current max TTL for tokens: max_lease_ttl
vault read sys/auth/token/tune
  Key                  Value
  ---                  -----
  default_lease_ttl    768h
  description          token based credentials
  force_no_cache       false
  max_lease_ttl        768h
  token_type           default-service

# If needed, raise max_lease_ttl to 1464 days
vault write sys/auth/token/tune  max_lease_ttl=1464d
Success! Data written to: sys/auth/token/tune

# Re-check
vault read sys/auth/token/tune
  Key                  Value
  ---                  -----
  default_lease_ttl    768h
  description          token based credentials
  force_no_cache       false
  max_lease_ttl        35136h
  token_type           default-service

Install on single server for testing

Install on a single-node server (RedHat): http://vault.example.com:8200/ui/ — note that the listener in the config below has tls_disable = 1 and binds to 127.0.0.1, which is acceptable only for a loopback test instance.

Install (done some years ago — the 1.0.2 release referenced below is old; pick a current release and verify the archive checksum/signature before installing)

wget https://releases.hashicorp.com/vault/1.0.2/vault_1.0.2_linux_amd64.zip
unzip vault_1.0.2_linux_amd64.zip
chown root:root vault; mv vault /usr/bin/; chmod +x /usr/bin/vault
sudo setcap cap_ipc_lock=+ep /usr/bin/vault ## lets vault mlock its memory (cap_ipc_lock) so secrets are not swapped to disk

# vault system user
sudo useradd --system --home /etc/vault.d --shell /bin/false vault

# add service file in systemd
/etc/systemd/system/vault.service

# vault config folder
mkdir -p /etc/vault.d
vim /etc/vault.d/vault.hcl
chown --recursive vault:vault /etc/vault.d
chmod 640 /etc/vault.d/vault.hcl

vim /etc/vault.d/vault.hcl
           /*
    storage "consul" {
      address = "127.0.0.1:8500"
      path    = "vault"
    }
    */

    storage "file" {
      path = "/opt/application/vault/data"
    }

    ui = true
    default_lease_ttl = "26280h"
    max_lease_ttl = "43800h"

    listener "tcp" {
      address = "127.0.0.1:8200"
      tls_disable = 1
    }

    /*telemetry {
      statsite_address = "127.0.0.1:8125"
      disable_hostname = true
    }*/

# create a 20G LV to mount on /opt/application (the file storage path used above)
lvcreate -n application -L 20G vg ==> path /dev/vg/application
# format the LV as xfs
mkfs.xfs /dev/vg/application
mkdir -p  /opt/application
mount /dev/vg/application /opt/application
# add the mount point in  /etc/fstab

# enable at boot and start
systemctl enable vault
systemctl start vault
systemctl status vault

Post-install

yum install jq

# init (run once; the unseal keys and initial root token printed below are redacted here — keep them out of notes, give each unseal key to a different holder, and revoke the initial root token once another auth method works)

export VAULT_ADDR='http://127.0.0.1:8200'
vault operator init
    Unseal Key 1: jGxwN2xxxxxwCgxxxxxxxxxxx
    Unseal Key 2: RMxD5hcZPxxxxkD8ACgxxxxxx
    Unseal Key 3: g2lPy2xxxxN6fBJlel3hxxxxx
    Unseal Key 4: dTRkaCTFlxxxxxzInjcf3xxxxx
    Unseal Key 5: PbmxxxxxxxxxxxxxxxxxxxxCMq

    s.YDxyzyzxzxyd

    vault login  s.YDxyzyzxzxyd

# operator
## vault operator init is run only once, at initialization
vault operator unseal   # repeat 3 times, each with a different unseal key

## Generate another root token
vault operator generate-root -generate-otp
vault operator generate-root -init -otp="xxxx"

# login as root (-no-store keeps the token out of the local token helper file)
vault login -no-store token=s.YDxyzyzxzxyd
vault login -no-store token_xxx
vault login -no-store -method=userpass username=xxx

# vault policy
vault policy list
vault policy read xxx
vault policy write name_de_xxx xxx
vault policy delete xxx

cat > app1.hcl <<EOF
# Grant 'read' and 'list' capabilities on paths prefixed by 'appli/app1/'
path "appli/app1/*" {
  capabilities = [ "read", "list" ]
}
EOF

vault policy write app1 app1.hcl
vault policy write app2 app1.hcl

# vault token 
tokens for app1 and app2
vault token create -display-name app1_tok -policy app1
  s.x6o8iNxxxxxha7T
vault token create -display-name app2_tok -policy app2
  s.aTZJLxxxxxhqRZXBue

# revoke a token  
vault token revoke xxx

# lookup token
vault token lookup $token
## OR
VAULT_TOKEN=$some_token vault token lookup

# secret from the KV (v1) secrets engine
vault read secret/Application/app2
vault list secret/Application/app2

# secret from a KV v2 secrets engine
vault kv get -mount="appli" "app1/and"

Vault policy templating

  • https://www.katacoda.com/hashicorp/scenarios/vault-policy-templating
  • https://learn.hashicorp.com/vault/identity-access-management/policy-templating#step-1-write-templated-acl-policies

group => entity => entity member

        | => Application_moe  | => generated token or user/pwd

Application | => Application_dev | => generated token or user/pwd
| => prod | => generated token or user/pwd

# for app2: the templated policies user-tmpl.hcl and group-tmpl.hcl
vault policy write user-tmpl user-tmpl.hcl
vault policy write group-tmpl group-tmpl.hcl


# vault auth enable userpass   (if not already enabled from the UI)
# vault auth list              (shows the enabled auth methods)
# user
  vault write auth/userpass/users/app2_devuser password="XXXXX"
# entity: app2_dev
  # Retrieve the userpass mount accessor and save it in a file named accessor.txt
  vault auth list -format=json | jq -r '.["userpass/"].accessor' > accessor.txt

  # Create the app2_dev entity and save its identity ID in entity_id.txt
  vault write -format=json identity/entity name="app2_dev" policies="user-tmpl" | jq -r ".data.id" > entity_id.txt

  # Attach user app2_devuser to entity app2_dev by creating an entity alias
  vault write identity/entity-alias name="app2_devuser" \
     canonical_id=$(cat entity_id.txt) \
     mount_accessor=$(cat accessor.txt)

  # Create group app2 with entity app2_dev as a member
  vault write -format=json identity/group name="app2" \
      policies="group-tmpl" \
      member_entity_ids=$(cat entity_id.txt) \
      metadata=description="groupe de l'appli app2" \
      | jq -r ".data.id" > group_id.txt


 #Enable key/value v2 secrets engine at user-kv and group-kv paths.
 vault secrets enable -path=user-kv kv-v2
 vault secrets enable -path=group-kv kv-v2

 # log in as the user (the password on the command line ends up in shell history; an interactive prompt is preferable)
 vault login -method=userpass username="app2_devuser" password="XXXXX"
export VAULT_ADDR='http://127.0.0.1:8200'


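# Write both keys in a single call: `vault kv put` replaces the whole secret
# (it creates a new version holding only the keys given), so two separate
# puts on the same path would leave only ssh_pass behind.
vault kv put user-kv/app2_dev/qa ssh_user="sysadmin" ssh_pass="a changer"

# Group-scoped secret under the group-kv mount.
vault kv list  group-kv/
vault kv put group-kv/app2/common common_var="toto123"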

#vault login  s.xxxxx

# update the user's policy list (this write replaces the existing list)
vault write auth/userpass/users/app2_devuser policies=user-tmpl,app2


  vault write identity/entity-alias name="token-app2-token" \
     canonical_id=$(cat entity_id.txt) \
     mount_accessor=$(cat accessor.txt)


## admin user (the password and token pasted below are credentials: rotate them and keep them out of notes)
vault write auth/userpass/users/admin password="MDPxxxx"
vault write auth/userpass/users/admin policies=admin-policy
vault login -method=userpass username="admin" password="MDPxxxx"
#token: s.58qOAorDQ1Jdnf7xhKwkGXJ9   (a token recorded in notes counts as leaked — revoke it)

Update Storage Settings to use Consul

#config.hcl — the consul storage stanza is still commented out here; to actually switch to Consul, uncomment it and remove the "file" stanza
    /*
    storage "consul" {
      address = "127.0.0.1:8500"
      path    = "vault"
    }
    */

    storage "file" {
      path = "/opt/vault/data"
    }

    ui = true

    listener "tcp" {
      address     = "127.0.0.1:8200"
      tls_disable = 1
    }

    /*telemetry {
      statsite_address = "127.0.0.1:8125"
      disable_hostname = true
    }*/
vault server -config=config.hcl
export VAULT_ADDR='http://127.0.0.1:8200'
vault operator init
vault operator  seal/unseal/.....

token name admin: s.6VOxxxx2mOLku
s.bPkQzxxx477aLXSxxxxxjxcSn74xxx
  VPmF0XWDHSOxxxpZYQgPvEl1xxYCqe
  om89V035baxxx96HzhSxxWcJWMkrsz
  F8MRFUKvluHDuWxxxxrvroqYxY3Sa6

vault auth enable userpass   # or from the UI

vault login token=s.bPkQzmxxxSjcSn74
vault login -method="userpass" username toto
vault token create -policy=default
   token                s.4aAwsexxxERnjt60
   token_accessor       1mduM7xxxxxx1XgP7


vault policy list
path "secret/data/training*" {
   capabilities = ["create", "read", "update", "delete", "list"]
}

vault policy write base base.hcl

vault policy read base


# attach one or more policies to a token (note: -ttl=0 means "use the mount's default TTL", not "never expire")
vault token create -ttl=0 -display-name tintin -policy base -policy tatta


# path "secrets/app2/*"  or  path "secrets/app2*" — the second pattern also matches sibling paths (e.g. secrets/app2-other), so prefer the form with the slash unless that is intended
# create a userpass user and attach a policy to it
vault write auth/userpass/users/bob password="training" \
    policies="test"

    vault write auth/userpass/users/bsmith password="training" \
      policies="team-qa"

     # policies="team-qa, toto"

### Create an entity for a user
vault write -format=json identity/entity name="bob-smith" \
     policies="base" \
     metadata=organization="ACME Inc." \
     metadata=team="QA"

        "id": "ade92ee1-df48-152b-7de0-27cfbf032759"


## a group
vault write -format=json identity/group name="engineers" \
      policies="team-eng" \
      member_entity_ids=$(cat entity_id.txt) \
      metadata=team="Engineering" \
      metadata=region="North America"

Use HashiCorp Vault in AWX

Create credential type on AWX

fields:
  - type: string
    id: vault_server
    label: URL to Vault Server
  - type: string
    id: vault_token
    label: Vault Token
    secret: true
required:
  - vault_server
  - vault_token

#More details: https://www.ansible.com/blog/ansible-tower-feature-spotlight-custom-credentials

For the injector configuration (the token is exposed to the job only as an environment variable)

env:
  VAULT_ADDR: '{{ vault_server }}'
  VAULT_TOKEN: '{{ vault_token }}'

###
ansible_user: "{{ lookup('hashi_vault', 'secret=secret/path/to:user') }}"
ansible_ssh_pass: "{{ lookup('hashi_vault', 'secret=secret/path/to:pwd') }}"