Consul Template and Envconsul have been widely used by Vault practitioners to integrate Vault into their existing solutions. Vault 1.3.0 introduced the Vault Agent Templates feature, which provides the same workflow as Consul Template. Vault 1.14 introduced process supervisor mode, which retrieves secrets from Vault and passes them to a child process as environment variables, using Consul Template markup to define each variable.
Vault Agent - Secrets as Environment Variables
Prerequisites
To complete this tutorial, you will need:
- Vault binary version 1.14.0 or later.
Lab Setup
Setup Test Secrets
- In your terminal, clone the learn-vault-agent-envconsul repository, which contains the example configuration used in this tutorial.
- Explore the repository by changing directories. The folder includes the following files.
- Run the setup-secrets.sh script. This script enables the kv-v2 secrets engine at the web-team/ and dev-app/ paths and creates initial test data. It also configures the PKI secrets engine to generate certificates, which you will use in later sections.
- Read the secrets created at web-team/data/api-keys.
- Read the secrets created at dev-app/data/creds.
- Read the secrets created at dev-app/data/creds/database/db-admin.
Generate a Vault Agent Config File
Vault Agent introduced the generate-config subcommand to auto-generate the agent configuration file based on user input.
Usage:
Run the generate-config Subcommand
This generates a Vault Agent configuration file named agent-config.hcl in the current working directory. If your application needs to pull secrets from multiple paths, you can provide multiple -path options as well as wildcards (*).
- Generate a Vault Agent configuration file named agent-config.hcl and pass kv-demo.sh as the command to execute.
- Open the generated configuration file with your preferred text editor to examine it. The auto_auth stanza uses token_file as a placeholder, which is only suitable for this lab. Change the stanza to the auth method your application should use before deploying the configuration.
Process Supervisor Mode
Each generated env_template block maps to one secret key of a KV path that you passed to the command. The exec block sets the kv-demo.sh script as the command for Vault Agent to execute. Open and examine the kv-demo.sh file: it reads the secrets as environment variables, so the application does not need to know anything about Vault.
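The following is an added example, not the tutorial's kv-demo.sh: a Vault-unaware application written the way process supervisor mode expects. It sees only environment variables, refuses to start if one is missing rather than running with an empty secret, logs secret names and lengths but never values, and exits promptly on the stop signal that Vault Agent sends (restart_stop_signal, SIGTERM by default) before restarting it with new values. The variable names API_KEY and DB_PASSWORD are assumptions standing in for whatever your env_template blocks are called.

```shell
#!/bin/sh
# Added example, not the tutorial's kv-demo.sh. Assumed variable names:
# API_KEY and DB_PASSWORD (the names of your env_template blocks).

# Accept only shell identifiers, because the name is expanded through eval.
is_identifier() {
  case "$1" in
    ""|*[!A-Za-z0-9_]*|[0-9]*) return 1 ;;
  esac
  return 0
}

# Fail closed: refuse to start if any required variable is unset or empty.
# Reports the names of missing variables, never their values.
require_env() {
  missing=""
  for name in "$@"; do
    is_identifier "$name" || { echo "invalid variable name: $name" >&2; return 2; }
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "missing required environment variables:$missing" >&2
    return 1
  fi
  return 0
}

# Log-safe description of a secret: its name and length only.
describe_secret() {
  is_identifier "$1" || return 2
  eval "value=\${$1:-}"
  if [ -n "$value" ]; then
    printf '%s: set, %s chars' "$1" "${#value}"
  else
    printf '%s: unset or empty' "$1"
  fi
}

main() {
  require_env API_KEY DB_PASSWORD || exit 1
  # Exit promptly when Agent stops us after a secret change. A long `sleep 100`
  # would delay this handler until the sleep returns.
  trap 'echo "stop signal received, exiting" >&2; exit 0' TERM INT
  echo "starting with $(describe_secret API_KEY), $(describe_secret DB_PASSWORD)"
  # A real application would use "$API_KEY" and "$DB_PASSWORD" here.
  while :; do sleep 1; done
}

if [ "${1:-}" = "run" ]; then main; fi
```

Point the exec block's command at this script with the `run` argument (for example `command = ["./kv-demo.sh", "run"]`); when started outside Agent with a variable missing, it exits 1 and names the variable instead of running with an empty value.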
Start a Vault Agent
Start a Vault Agent instance that connects to the Vault server running at VAULT_ADDR.
- Start a Vault Agent.
Restarts on Secrets Change
The secret values could change while your application is running. Examine the behavior when the secret values change.
- Add sleep 100 to kv-demo.sh to mock a long-running application.
- Edit the agent-config.hcl file to set static_secret_render_interval to "10s" for the purpose of demonstration. This makes Vault Agent re-render the static (KV) secrets every 10 seconds; because the exec block has restart_on_secret_changes = "always" (the default), the application is restarted whenever a rendered value changes. Keep such a short interval to the demo, since every render is a read against Vault.
- Start the Vault Agent again.
- Open another terminal and connect to the target Vault server.
- Update the secret values at web-team/data/api-keys.
- Return to the terminal where Vault Agent is running and watch the output.
- Press Ctrl + C to stop the running Vault Agent.
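The script below is an added example, not code from the tutorial repository. It serves two earlier steps at once: generate_with_vault shows the generate-config invocation from the Generate a Vault Agent Config File section (it needs a reachable Vault and a logged-in token), and write_agent_config writes the hand-maintained equivalent of the generated file with the token_file placeholder replaced by AppRole auto-auth and with the 10-second static_secret_render_interval used in this section. check_agent_config is a pre-flight check that every env_template sets error_on_missing_key, so a missing key fails the render instead of exporting an empty variable. The KV key names (api_key_1, username, password), the AppRole mount and file paths under /etc/vault-agent, the Vault address and the ./kv-demo.sh path are assumptions.

```shell
#!/bin/sh
# Added example, not from the tutorial repository. Assumed names: KV keys
# api_key_1 / username / password, AppRole files under /etc/vault-agent,
# Vault at http://127.0.0.1:8200, child process ./kv-demo.sh.

# What the tutorial runs to auto-generate the file (needs Vault + a token).
# env-template is the only generator type; one -path per KV path, * allowed.
generate_with_vault() {
  vault agent generate-config \
    -type="env-template" \
    -exec="./kv-demo.sh" \
    -path="web-team/*" \
    -path="dev-app/*" \
    "${1:-agent-config.hcl}"
}

# write_agent_config OUT_FILE [RENDER_INTERVAL]
# RENDER_INTERVAL is static_secret_render_interval: "5m" is Agent's default,
# "10s" is the demo value from the Restarts on Secrets Change section.
write_agent_config() {
  out="$1"
  interval="${2:-5m}"
  sed "s/__INTERVAL__/$interval/" > "$out" <<'EOF'
# Replaces the generate-config token_file placeholder, which would hand the
# operator's own token to the app. An AppRole bound to a policy that reads only
# the two KV paths is least privilege.
auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path                   = "/etc/vault-agent/role_id"
      secret_id_file_path                 = "/etc/vault-agent/secret_id"
      remove_secret_id_file_after_reading = true
    }
  }
}

vault {
  address = "http://127.0.0.1:8200"
}

template_config {
  # KV values carry no lease, so Agent polls them at this interval.
  static_secret_render_interval = "__INTERVAL__"
  exit_on_retry_failure         = true
}

# One env_template per secret key, the same shape generate-config emits.
env_template "API_KEY_1" {
  contents             = "{{ with secret \"web-team/data/api-keys\" }}{{ .Data.data.api_key_1 }}{{ end }}"
  error_on_missing_key = true
}

env_template "DB_USERNAME" {
  contents             = "{{ with secret \"dev-app/data/creds\" }}{{ .Data.data.username }}{{ end }}"
  error_on_missing_key = true
}

env_template "DB_PASSWORD" {
  contents             = "{{ with secret \"dev-app/data/creds\" }}{{ .Data.data.password }}{{ end }}"
  error_on_missing_key = true
}

exec {
  command                   = ["./kv-demo.sh"]
  restart_on_secret_changes = "always"   # restart the child when a value changes
  restart_stop_signal       = "SIGTERM"
}
EOF
}

# Pre-flight check: at least one env_template, each with error_on_missing_key,
# and an exec block. Returns 0 when the file passes.
check_agent_config() {
  f="$1"
  templates=$(grep -c '^env_template ' "$f" || true)
  strict=$(grep -c 'error_on_missing_key = true' "$f" || true)
  [ "$templates" -gt 0 ] || return 1
  [ "$templates" -eq "$strict" ] || return 1
  grep -q '^exec {' "$f" || return 1
  return 0
}

if [ "${1:-}" = "write" ]; then
  write_agent_config "${2:-agent-config.hcl}" "${3:-5m}" && check_agent_config "${2:-agent-config.hcl}"
fi
```

Run `sh write-agent-config.sh write agent-config.hcl 10s` to produce the file, then `vault agent -config=agent-config.hcl` starts Agent in the foreground as in the Start a Vault Agent section. With exit_on_retry_failure and error_on_missing_key both set, a secret that cannot be read or a key that does not exist stops Agent rather than launching the application with an empty variable.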
Work with Dynamic Secrets
Currently, the generate-config subcommand only supports the kv-v1 and kv-v2 secrets engines. However, Vault Agent's process supervisor mode supports the dynamic secrets that Envconsul supports today; the difference is that you have to define the env_template blocks manually.
- The setup-secrets.sh script configured the PKI secrets engine, and it is ready to serve.
- (Optional) Request a certificate.
- Open pki-agent-config.hcl to examine the env_template block it defines.
- Open the pki-demo.sh file to review it. This mock application gets a certificate stored in the CERT environment variable. Like kv-demo.sh, this application does not need to know anything about Vault.
- Run a Vault Agent with the additional env_template definition.
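As an added example (not the tutorial's pki-agent-config.hcl or pki-demo.sh), the script below writes a complete Agent configuration with a hand-written env_template for a PKI certificate, which generate-config cannot emit, and includes the check a Vault-unaware consumer should make on CERT before using it. The PKI mount name pki, the role example-dot-com, the common name app.example.com, the token file path, the Vault address and the ./pki-demo.sh path are assumptions.

```shell
#!/bin/sh
# Added example, not the tutorial's pki-agent-config.hcl or pki-demo.sh.
# Assumed names: PKI mount "pki", role "example-dot-com", common name
# "app.example.com", token file /home/app/.vault-token, Vault at 127.0.0.1:8200.

write_pki_agent_config() {
  cat > "$1" <<'EOF'
auto_auth {
  method {
    type = "token_file"
    config {
      token_file_path = "/home/app/.vault-token"
    }
  }
}

vault {
  address = "http://127.0.0.1:8200"
}

# Dynamic secret: rendering this template is a write to pki/issue/<role>, so
# every render issues a new certificate. Re-rendering follows the secret's
# TTL, not static_secret_render_interval. Only the leaf certificate is
# exported; the same response also carries issuing_ca and private_key.
env_template "CERT" {
  contents             = "{{ with secret \"pki/issue/example-dot-com\" \"common_name=app.example.com\" \"ttl=1h\" }}{{ .Data.certificate }}{{ end }}"
  error_on_missing_key = true
}

exec {
  command                   = ["./pki-demo.sh", "run"]
  restart_on_secret_changes = "always"
  restart_stop_signal       = "SIGTERM"
}
EOF
}

# What pki-demo.sh should do before trusting CERT: confirm it is a PEM
# certificate rather than an empty string or an error message, without
# printing it. Returns 0 when CERT looks like a certificate.
check_cert_env() {
  c="${CERT:-}"
  case "$c" in
    "-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----"*) return 0 ;;
  esac
  echo "CERT is unset or is not a PEM certificate" >&2
  return 1
}

# Optional: show subject and expiry (no key material involved).
show_cert() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 1; }
  printf '%s\n' "${CERT:-}" | openssl x509 -noout -subject -enddate
}

if [ "${1:-}" = "run" ]; then
  check_cert_env || exit 1
  show_cert
  while :; do sleep 1; done
fi
```

Write the file with `write_pki_agent_config pki-agent-config.hcl` and start Agent with `vault agent -config=pki-agent-config.hcl`; each time Agent issues a new certificate it stops the child with SIGTERM and starts it again with the new CERT value.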
Clean Up
Summary
You learned how to use the generate-config subcommand and process supervisor mode to consume secrets presented as environment variables. Vault Agent handles authentication and secret retrieval, so your application never holds a Vault token and can remain unaware of Vault. This lowers the barrier to adopting Vault while keeping Vault credentials out of the application.
Help and Reference
- Vault Agent Overview
- Vault Agent generate-config
- Vault Agent’s Process Supervisor Mode
- Vault Agent Auto-Auth