Doing a little bit of exploration with Vault from HashiCorp. I was looking for a way to grab application configurations securely when I stumbled upon Vault. Their Auto-Auth with JWT looks promising, but after looking through their documents I still have no idea how to set it up.
Can anyone experienced with Vault guide me to get started?
OK, found out how to set up JWT authentication and Auto-Auth. Below are the steps:

1. Generate the private key using openssl. Type in the following command:

    openssl genrsa -aes256 -out private_key.pem 2048

2. Generate the public key using openssl. Type the following command:

    openssl rsa -pubout -in private_key.pem -out public_key.pem

3. Enable JWT authentication by using the following command in a terminal/command prompt:

    vault auth enable jwt

4. Configure JWT authentication with the following command. The role name demo is used as an example only; any name can be used for the role name:

    # jwt_validation_pubkeys hands Vault the public key from step 2 so it can verify the JWT signature
    vault write auth/jwt/config default_role="demo" jwt_validation_pubkeys=@public_key.pem

5. Create the role named in step 4:

    vault write auth/jwt/role/demo \
        bound_subject="jwt subject" \
        user_claim="some claim" \
        policies=webapps \
        ttl=1h

6. Now generate the JWT to use for authentication. When generating, make sure the following is in the JWT body. The values are based on the example we use, so please change as needed:

    {
        "sub": "jwt subject",
        "iat": 1605166067,
        "nbf": 1605166068,
        "exp": 1605266067,
        "some claim": "some claim"
    }

7. Test JWT authentication by trying to log in:

    vault write auth/jwt/login role=demo jwt=<your token>

8. Create agent-client.hcl as follows:

    exit_after_auth = false
    pid_file = "./pidfile"

    auto_auth {
      method "jwt" {
        mount_path = "auth/jwt"
        config = {
          # file holding the JWT from step 6; by default the agent deletes it
          # after reading it (remove_jwt_after_reading = true)
          path = "C:\\Program Files\\vault\\agent\\token\\jwt.txt"
          role = "demo"
        }
      }

      sink "file" {
        config = {
          # the Vault token obtained by auto-auth is written to this file
          path = "jwtToken"
        }
      }
    }

    vault {
      address = "http://127.0.0.1:8200"
    }

9. Create a text file with the JWT generated in step 6 and save it to the path specified in agent-client.hcl.

10. Run the following command to start the agent:

    vault agent -config=agent-client.hcl -log-level=debug
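The JWT that step 6 asks for can be minted with nothing but openssl and the key pair from steps 1 and 2. This is an added example, not code from the answer above: make_jwt signs the claims the demo role expects with private_key.pem (RS256), and verify_jwt repeats the signature check Vault performs with public_key.pem; key path, passphrase, subject and claim value are arguments, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the answer above): mint the RS256 JWT for step 6
# with private_key.pem from step 1 and check it with public_key.pem from
# step 2 the way Vault does. Only openssl and a POSIX shell are required.

b64url() {      # stdin -> base64url without padding
  openssl base64 -A | tr -- '+/' '-_' | tr -d '=\n'
}

b64url_dec() {  # stdin base64url -> raw bytes (re-adds the padding)
  s=$(tr -- '-_' '+/')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# make_jwt <private_key.pem> <passphrase> [subject] [value of "some claim"]
# Claims match the demo role: sub must equal bound_subject, "some claim" is
# the user_claim; nbf = iat = now, exp = one hour later.
make_jwt() {
  key=$1; pass=$2; sub=${3:-jwt subject}; claim=${4:-some claim}
  now=$(date +%s)
  header='{"alg":"RS256","typ":"JWT"}'
  payload=$(printf '{"sub":"%s","iat":%s,"nbf":%s,"exp":%s,"some claim":"%s"}' \
    "$sub" "$now" "$now" "$((now + 3600))" "$claim")
  input="$(printf '%s' "$header" | b64url).$(printf '%s' "$payload" | b64url)"
  # RS256 is RSASSA-PKCS1-v1_5 over SHA-256, exactly what dgst -sign produces
  sig=$(printf '%s' "$input" | openssl dgst -sha256 -sign "$key" -passin "pass:$pass" | b64url)
  printf '%s.%s\n' "$input" "$sig"
}

# verify_jwt <public_key.pem> <jwt>: returns 0 only if the signature is valid
# for header.payload, i.e. neither part was altered after signing.
verify_jwt() {
  pub=$1; jwt=$2
  input=${jwt%.*}; sigfile=$(mktemp)
  printf '%s' "${jwt##*.}" | b64url_dec > "$sigfile"
  printf '%s' "$input" | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1
  rc=$?; rm -f "$sigfile"; return $rc
}
```

Write the output of make_jwt to the file named in agent-client.hcl (step 9), or pass it as jwt= in step 7.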