Vault-Gatekeeper is a small service for delivering Vault tokens to other services whose lifecycles are managed by a container scheduler such as Mesos or ECS.
Vault-Gatekeeper takes the Cubbyhole Authentication approach outlined by Jeff Mitchell on the Vault blog. Specifically, Vault response wrapping is used as outlined in the Vault documentation.
In short, a service requests a Vault token from VG, supplying its Mesos task id or ECS task ARN. VG then checks with Mesos/ECS to ensure that the task has been recently started and that VG has not already issued a token for that task id. VG then checks its configuration to determine which role that task is assigned and requests a response-wrapped token from Vault. VG passes the wrapped token to the service, which unwraps the response with /sys/wrapping/unwrap to retrieve the actual token.
- Vault 0.6.2+
- Mesos 1.0.0+ (if using Mesos)
Visit http://nemosupremo.github.io/vault-gatekeeper
This guide assumes that you 1.) have a Vault instance running, 2.) have a Mesos instance running and 3.) have an approle policy in Vault named test.
- Install a sample policy in Vault
$ echo '{"mesos:*":{"roles":["test"],"num_uses":1}}' | ./gatekeeper policy update --vault-token 'MY_TOKEN' '-'
- Start a Gatekeeper instance
$ ./gatekeeper server --mesos-master 'http://leader.mesos:5050' --vault-addr http://localhost:8200
- Unseal the Gatekeeper instance with a token. (The token must have at least the policy defined in gatekeeper-policy.hcl).
$ ./gatekeeper unseal token --vault-token 'GK_TOKEN'
- Launch a task on mesos and retrieve a token:
$ curl -X POST -d"{\"task_id\":\"${MESOS_TASK_ID}\"}" 'http://gatekeeper-host/token'
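The flow described above (scheduler check, single issuance per task id, policy lookup, response wrapping) and the client's final unwrap step, as an added simulation that is not part of the Vault-Gatekeeper project. The policy JSON is the one from the `gatekeeper policy update` command above; the task list, the `/token` response shape (`{"ok": true, "token": ...}`), the 5-minute freshness window and the glob matching of policy keys against task names are assumptions, and both the Mesos lookup and Vault are replaced by in-memory stand-ins so it runs offline.

```python
import fnmatch
import json
import secrets

# Sample policy in the shape accepted by `gatekeeper policy update` above:
# a task-name glob maps to the Vault role(s) a matching task may receive.
SAMPLE_POLICY_JSON = '{"mesos:*":{"roles":["test"],"num_uses":1}}'

# Constructed Mesos task listing standing in for the scheduler query
# (the real service asks the Mesos master or the ECS API).
NOW = 1_700_000_000.0
SAMPLE_TASKS = {
    "web.1":   {"name": "mesos:web",   "started_at": NOW - 30},    # fresh, covered by policy
    "api.3":   {"name": "mesos:api",   "started_at": NOW - 5},     # fresh, covered by policy
    "batch.7": {"name": "mesos:batch", "started_at": NOW - 3600},  # started too long ago
    "other.2": {"name": "ecs:other",   "started_at": NOW - 10},    # no matching policy entry
}


class FakeVault:
    """Stand-in for Vault response wrapping: wrap() returns a single-use wrapping
    token and unwrap() releases the wrapped payload exactly once."""

    def __init__(self):
        self._wrapped = {}

    def wrap(self, payload):
        wrapping_token = "hvs.wrap-" + secrets.token_hex(8)  # constructed token format
        self._wrapped[wrapping_token] = payload
        return wrapping_token

    def unwrap(self, wrapping_token):
        # pop() enforces the single-use property a Vault wrapping token has.
        payload = self._wrapped.pop(wrapping_token, None)
        if payload is None:
            return 400, {"errors": ["wrapping token is not valid or does not exist"]}
        return 200, payload


class Gatekeeper:
    """Simulates the server-side checks VG performs before issuing a token."""

    def __init__(self, policy_json, tasks, vault, max_task_age=300.0, clock=lambda: NOW):
        self.policy = json.loads(policy_json)
        self.tasks = tasks
        self.vault = vault
        self.max_task_age = max_task_age  # assumed freshness window in seconds
        self.clock = clock
        self.issued = set()  # task ids that have already received a token

    def rule_for(self, task_name):
        # Assumption: policy keys are globs matched against the task name.
        for pattern, rule in self.policy.items():
            if fnmatch.fnmatchcase(task_name, pattern):
                return rule
        return None

    def token_endpoint(self, task_id):
        """Simulates POST /token; returns (status, body)."""
        task = self.tasks.get(task_id)
        if task is None:
            return 403, {"error": "unknown task id"}
        if self.clock() - task["started_at"] > self.max_task_age:
            return 403, {"error": "task started too long ago"}
        if task_id in self.issued:
            return 403, {"error": "token already issued for this task"}
        rule = self.rule_for(task["name"])
        if rule is None:
            return 403, {"error": "no policy for task"}
        self.issued.add(task_id)
        # The real service obtains a wrapped role token from Vault; the payload is constructed here.
        client_token = "hvs.client-" + secrets.token_hex(8)
        wrapped = self.vault.wrap({"auth": {"client_token": client_token,
                                            "policies": rule["roles"],
                                            "num_uses": rule.get("num_uses", 1)}})
        return 200, {"ok": True, "token": wrapped}


def fetch_vault_token(task_id, gatekeeper, vault):
    """Client side of the exchange: request a wrapping token, then unwrap it at Vault."""
    status, body = gatekeeper.token_endpoint(task_id)
    if status != 200:
        raise PermissionError(body["error"])
    status, body = vault.unwrap(body["token"])
    if status != 200:
        raise PermissionError("; ".join(body["errors"]))
    return body["auth"]["client_token"]


if __name__ == "__main__":
    vault = FakeVault()
    gk = Gatekeeper(SAMPLE_POLICY_JSON, SAMPLE_TASKS, vault)
    print("web.1 ->", fetch_vault_token("web.1", gk, vault))
    for tid in ("web.1", "batch.7", "other.2", "missing.0"):
        print(tid, "->", gk.token_endpoint(tid))
```

The two properties worth noticing are the replay refusal (a second `/token` call for the same task id is denied even though the task is still fresh) and the single-use unwrap: if anything other than the intended service unwraps the wrapping token first, the service's own unwrap fails with a 400, which is the signal that the token was intercepted.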
You can grab a binary from the releases or deploy the Docker image nemosupremo/vault-gatekeeper.