Vault Secrets Via API for the REST of Us
0 likes3,835 views
The document discusses accessing HashiCorp Vault through various methods including a CLI, HTTP, and HTTPS. It highlights the pros and cons of each approach, emphasizing simplicity and accessibility for automation while noting potential challenges with binary size and user experience. Additionally, it provides examples of using scripts for making API calls directly via curl and openssl.
Vault Secrets Via API for the REST of Us
- 1. Copyright © 2018 HashiCorp Vault API for the REST of us How to access Vault whether you’re in a full stateful environment or a minimalist McGuyver sidecar. Version: 1119.18
- 2. Copyright © 2018 HashiCorp ⁄ REST API: Options 2
- 3. Copyright © 2018 HashiCorp ⁄ 1: CLI 2: HTTP 3: HTTPS 4: Binding 5: Other client 3
- 4. Copyright © 2018 HashiCorp ⁄ CLI Copyright © 2018 HashiCorp ⁄⁄ 4 Simplicity: Vault binary actually covers Server, Agent, CLI. Pros: Simplicity. Single binary does all. Parameter -output-curl-url can generate our REST call for learning curve. Help menu provided. Cons: Bulk: 127MB binary (Golang, no dependencies) Often too large for a sidecar or container environment. Golang CA chain caveats. Not always an option.
- 5. Copyright © 2018 HashiCorp ⁄ CLI to API 5 #!/bin/bash # Example vault override to convert script to curl commands. # Use this function to override vault for curl function vault { arg1=$1 shift /usr/local/bin/vault $arg1 -output-curl-string $@ } vault write auth/jwt/login role=test jwt=MYJWT vault write pki/issue/example common_name=test.com vault read kv/test $ batch.sh curl -X PUT -H "X-Vault-Token: $(vault print token)" -d '{"jwt":"MYJWT","role":"test"}' http:// 127.0.0.1:8200/v1/auth/jwt/login curl -X PUT -H "X-Vault-Token: $(vault print token)" -d '{"common_name":"test.com"}' http://127.0.0.1:8200/ v1/pki/issue/example curl -H "X-Vault-Token: $(vault print token)" http://127.0.0.1:8200/v1/kv/test
- 6. Copyright © 2018 HashiCorp ⁄ HTTP or HTTPS Copyright © 2018 HashiCorp ⁄⁄ 6 Simplicity: Low overhead. Flexible Pros: Simplicity. Accessible with standard libs. Security via HTTPS Lightweight HTTP: access via Curl or /dev/tcp (bash only) Lightweight HTTPS: access via Curl or just OpenSSL client. Suitable for automation or wrappers. Cons: Great developer experience. Less easy as a user experience.
- 7. Copyright © 2018 HashiCorp ⁄ HTTP (raw /dev/tcp) 7 #!/bin/bash # Access raw Vault API without curl, wget, or vault binary. function vaultRaw { exec 3<>/dev/tcp/localhost/8200 cat <<EOF >&3 GET /$1 HTTP/1.1 Host: localhost:8200 X-Vault-Token: $VAULT_TOKEN Connection: close EOF cat <&3 } # Fetch health vaultRaw v1/sys/health # Fetch seal-status vaultRaw v1/sys/seal-status
- 8. Copyright © 2018 HashiCorp ⁄ HTTP (raw /dev/tcp) output 8 $ ./vault-raw-api.sh HTTP/1.1 200 OK Cache-Control: no-store Content-Type: application/json Date: Tue, 05 Nov 2019 01:40:36 GMT Content-Length: 298 Connection: close {"initialized":true,"sealed":false,"standby":false,"performance_standby":false,"replication_performance_mode":" disabled","replication_dr_mode":"disabled","server_time_utc": 1572918036,"version":"1.2.3+ent","cluster_name":"vault-cluster-e97e0603","cluster_id":"4da14b8c-b2fd-56e1-a104- bbf1eac855f5"} HTTP/1.1 200 OK Cache-Control: no-store Content-Type: application/json Date: Tue, 05 Nov 2019 01:40:36 GMT Content-Length: 242 Connection: close {"type":"shamir","initialized":true,"sealed":false,"t":1,"n":1,"progress": 0,"nonce":"","version":"1.2.3+ent","migration":false,"cluster_name":"vault-cluster- e97e0603","cluster_id":"4da14b8c-b2fd-56e1-a104-bbf1eac855f5","recovery_seal":false}
- 9. Copyright © 2018 HashiCorp ⁄ HTTPS (openssl s client) 9 #!/bin/bash -x # John Boero - a script to access Vault using only OpenSSL Client # ARG1 is your endpoint requested (GET by default) openssl s_client -quiet -connect localhost:8200 <<EOF GET /$1 HTTP/1.1 Host: localhost:8200 X-Vault-Token: $VAULT_TOKEN Connection: close EOF
- 10. Copyright © 2018 HashiCorp ⁄ HTTPS (openssl) output 10 $ ./vault-tls-example.sh v1/sys/health + openssl s_client -quiet -connect localhost:8200 Can't use SSL_get_servername depth=0 C = UK, L = London, O = Default Company Ltd, CN = localhost verify return:1 depth=0 C = UK, L = London, O = Default Company Ltd, CN = localhost verify return:1 HTTP/1.1 200 OK Cache-Control: no-store Content-Type: application/json Date: Tue, 05 Nov 2019 02:01:06 GMT Content-Length: 298 Connection: close {"initialized":true,"sealed":false,"standby":false,"performance_standby":false,"replication_performance_mode":" disabled","replication_dr_mode":"disabled","server_time_utc": 1572919266,"version":"1.2.3+ent","cluster_name":"vault-cluster-e97e0603","cluster_id":"4da14b8c-b2fd-56e1-a104- bbf1eac855f5"}
- 11. Copyright © 2018 HashiCorp ⁄ Bindings Copyright © 2018 HashiCorp ⁄⁄ 11 Simplicity: Native library wrappers for the languages you prefer. Community and supported libraries here: https://www.vaultproject.io/api/libraries.html Pros: Simplicity. Accessible with standard libs. Suitable for automation or wrappers. Simple learning curve. Cons: Library maintainers must keep up with server releases.