Skip to content
This repository has been archived by the owner on Jun 29, 2022. It is now read-only.
/ go-vln Public archive

Vault Symlink Proxy in Golang

License

MPL-2.0 license
5 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Typositoire/go-vln

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
backend
backend
 
 
cmd
cmd
 
 
docs/UML
docs/UML
 
 
proxy
proxy
 
 
.dockerignore
.dockerignore
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
db.json
db.json
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

Vault Symlink Proxy (VLN)

A fairly straightforward proxy that aliases secrets in Vault with reasonable security compromises.

The Why

The origin story of why Go-VLN came to be all started with Concourse!

Concourse forces you to put all your secrets under a given base path so it can abstract several different secret management engines. It also follow certain lookup rules described in the Concourse documentation. This is great for Concourse, great for interoperability, but mildly inconvenient for cleanliness.

Facing this we had two choices:

  • Put all our secrets under one path: concourse/
  • Duplicate all the secrets that Concourse requires under concourse/

Both options are not really clean, and scale poorly when a lot of people need to lifecycle those secrets. With Go-VLN we can now have secrets in their rightful place follow whichever naming convention is sensible in your organization, then map those secrets under the path Concourse requires. Everyone is happy!

The How

Flow for reading secrets

read flow

Flow for all the other requests

other flow

Configuring your Vault backend

Example policy for KV v2:

path "secret/data/vln/symlinksDB" {
  capabilities = ["read"]
}

path "auth/approle/login" {
  capabilities = ["create"]
}

Example policy for KV v1:

path "secret/vln/symlinksDB" {
  capabilities = ["read"]
}

path "auth/approle/login" {
  capabilities = ["create"]
}

Caveats

It's made for machines, not for humans

You can't list symlinks as you would with vault secret list or whatnot. So as far as discovery goes, you have to be aware it's there and know where to look at the configuration if you intend to mess with it.

If you're making API calls manually, you'll see go-vln adding headers in there to let you know it's at work. It's transparent, but not sneaky.

The security compromises

You have to be comfortable with this piece of software having a peek at your unencrypted Vault traffic. On the upside, it entirely respects your current ACLs. The credential requester does so with its own credentials, and its policy must allow it to read where the symlink points to.

This also does not mess up your Vault audit logs. The requests hitting Vault are the requests hitting Vault. You can't sneak out a secret without Vault knowing.

About

Vault Symlink Proxy in Golang

Resources

Readme

License

MPL-2.0 license
Activity

Stars

5 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages