Protect your secrets with the Vault plugin

Our development team is constantly improving the RUDDER software. They have to be at the cutting edge of technology. So they give you tips and feedbacks on the codes and techniques they use when they discover something interesting.
In this article, we will cover a use case that introduces a way to create secrets in Vault and use the defined data as Rudder variables, then usable as a normal variable in your techniques.

Introduction to Vault

There are hundreds of applications that need access to critical data in order to work properly. Those sensitive data can be : API keys, passwords, certificates, tokens and so much more. Here comes the need of Vault which is basically a centralized tool that manages and stores secrets related to a specific development project.

Vault offers the possibility of verifying and monitoring who is accessing each secret and how, by exposing a detailed log, encrypting and decrypting data, authorizing access based on policies and also providing different authentication methods that can be either intern such as ‘user/password’, ‘token’ and ‘tls’ or external such as ‘LDAP’, ‘Radius’ and ‘Kubernetes’.

The main key features of Vault are : On-demand secrets generation, data encryption and decryption, leasing, renewal and revocation of secrets.

Vault can be accessible via : API, Web Interface and CLI.

Once Vault is started, it is in a sealed state, it doesn’t allow access to its data. We have to provide it with 3 keys so it can pass to a unsealed state. Those keys are provided by default only during installation.

Example of use case

Vault has different types of secret engines which are : Generic, Cloud and Infra.

  • Generic secrets are used to store secrets in key values format (it can be usernames and passwords), certificates, ssh keys etc.
  • Cloud secrets are used to store secrets related to cloud platforms such as AWS, Azure, etc.
  • Infra secrets are related for example to databases, cluster secrets, etc.

Let’s start by creating a basic key value secret engine to store a database server login information.

We need to specify the path, and the version of the kv secret engine, We may notice that there are two versions for it, the difference between both of them is that version 2 is way more secure than version 1, it provides a way to roll back secrets and recover data.

After clicking on ‘Enable Engine’, a unified branch for the engine appears in which we can create as many sections (secrets) as we want. 

Now we have to click on ‘Create Secret’ then set the parameters for it, which are basically the path, the number of versions and finally the keys values parameters.
Now let’s go a little bit further. Logically, each secret is related to a set of policies that define who and how we can access it. So, let’s go ahead and create a policy for our secret.

Here, we have defined that the target user can only list all the secrets defined under the path ‘secret/*’, however, for the dbserver one, he has read and list capabilities. Note that we need to be careful to the order of policy definition, (which is the same for the ACL case definition) otherwise, the policy won’t be valid.

N.B : When creating a secret and defining the path for it, we usually don’t define ‘/data’ in it, it is not visible in the path but we have to put it in order to access data.
path "secret/data/dbserver" {
  capabilities = ["read","list"]
}
path "secret/*" {
  capabilities = ["list"]
} 

Generally, policies must be attached to groups, let’s go ahead and create our group for the policy we just defined.

We have to go to ‘Access’ in the menu above, then click on ‘Create group’, when defining the group parameters, we can choose the type which can be either internal or external, also we’re gonna choose the policy for our group which will be in our case the one we just created.

Now that we have defined our group, We have to create our entity, basically, an entity in Vault is the user or the machine that will access and manipulate the data, but before that, we have to define the authentication methods for our user. 

Now we have to click on ‘Enable new method’, in our case we will choose the basic method which is “Username & Password”. Finally we click on ‘Enable Method’.
Now, we finally can create our entity. Let’s put for example, ‘AmyCarr’ as a name and click on ‘Create’.

Now that we have finished creating our user, we need to define the alias for it, an alias as generally known, is simply a representation of the username here, its utility is that we can define different aliases for the same user in order to authenticate for different resources. 

We define ‘Amy_C’ as an alias name by clicking on ‘Add alias’, we have to choose also the authentication method that we defined, which is ‘userpass’.
Now, let’s go back to the group section in which we defined our policies, we are going to simply add our entity user to it. We have to edit our group so we can be able to add ‘Member Entity IDs’ for our user, then we click on ‘Save’.

Now, one only thing left is that we need to define the password for our user, Vault user interface does not support this setup, so we will define it via Vault CLI. 

On the Vault CLI we need first to set up the environment variable for the Vault address and the Vault token.

Introduction to Vault integration plugin

Vault plugin offers an option that makes Rudder Server way more adapted to the user ecosystem. The main feature of this plugin is to allow users to use data in their Vault servers (such as the secret we defined above) as a Rudder variable. For security purposes, the plugin makes it possible to avoid storing it on the RUDDER server and limiting access to the machines concerned.

Example of use case

To use the plugin first of all we need to download and install the plugin package from the repository using the command:

  • rudder package install-file <path to the rpkg>

Or if we have an active subscription:

  • rudder package install rudder-plugin-vault

Once the package is downloaded and installed on the Rudder server, we need to define the configuration that basically is the Vault server IP address and the authentication method. Authentication methods supported by the plugin are userpass and token.

In our case, our user is defined with userpass authentication method, we have to configure its credentials in the /var/rudder/plugin-resources/vault.json file on each agent.

While using the plugin, we define the Vault server IP address and authentication mode on each agent, this is a best practice so Rudder Server won’t need to access Vault Server as the agent will take care of the whole authentication and fetching secrets process.

{
  "server_addr": "http://192.168.42.12:8200",
  "auth":
  {
	"mode": "userpass",
	"userpass":
	{
  	"user": "Amy_C",
  	"password": "trainingexample"
	}
  },
  verify_certificate: true
} 

Now let’s create the technique on the rudder user interface that will contain our generic method as follows.

We need to make sure that the path is correct otherwise the method won’t work!
The Rudder agent runs automatically every 5 minutes, but to visualize how actually our method is executed, we can run the ‘rudder agent run -i’ command.

Obviously, this method allowed us to fetch a secret from Vault Server, now let’s suppose for example, that we want to store that secret (that contains the login information of a database server) into a credentials file in our node.

To do so, we can simply create another generic method in the same technique called ‘File lines present’ and we have to indicate the file name and the lines we want to insert into the file.

In the lines section we have to call a variable which contains the content of Variable prefix and Variable name of the generic method ‘Variable from Vault’ that are database and userpass.
To test the method, we can launch the agent on the node and then check the user credentials file, which contains the content of our secret (the username and password of the database user).

Conclusion

Both examples we have introduced, showed a basic use case of Vault secret management
and a use case of how to fetch a secret from Vault Server using Vault integration plugin.

To go further with Vault usage, you can check out the Vault official documentation: https://www.vaultproject.io/docs/

Download the Vault plugin from the plugins page and follow this article to start using it on your Rudder server.

Ikram Bejaoui
This section allow you to modify the background image of the post template’s header.
dev-corner-articles

Share this post

Share on facebook
Share on twitter
Share on linkedin
Share on print
Share on email
Scroll to Top