A small service for securely delivering Vault authorization keys to Mesos tasks and ECS containers.
vault-gatekeeper


Vault-Gatekeeper is a small service for delivering Vault tokens to other services whose lifecycles are managed by a container scheduler such as Mesos or ECS.

Vault-Gatekeeper takes the Cubbyhole Authentication approach outlined by Jeff Mitchell on the Vault blog. Specifically, Vault response wrapping is used as outlined in the Vault documentation.

In short, a service requests a Vault token from VG, supplying its Mesos task id or ECS task ARN. VG then checks with Mesos/ECS to ensure that the task was recently started and that VG has not already issued a token for that task id. VG then consults its configuration to determine which role the task is assigned and requests a response-wrapped token from Vault. VG passes the wrapped token to the service, which unwraps the response with /sys/wrapping/unwrap to retrieve the real token.

Requirements

  • Vault 0.6.2+
  • Mesos 1.0.0+ (if using Mesos)

Documentation

Visit http://nemosupremo.github.io/vault-gatekeeper

Quickstart

This guide assumes that you (1) have a Vault instance running, (2) have a Mesos instance running and (3) have an approle policy in Vault named test.

1. Install a sample policy in Vault:

   ```
   $ echo '{"mesos:*":{"roles":["test"],"num_uses":1}}' | ./gatekeeper policy update --vault-token 'MY_TOKEN' '-'
   ```

2. Start a Gatekeeper instance:

   ```
   $ ./gatekeeper server --mesos-master 'http://leader.mesos:5050' --vault-addr http://localhost:8200
   ```

3. Unseal the Gatekeeper instance with a token. (The token must have at least the policy defined in gatekeeper-policy.hcl.)

   ```
   $ ./gatekeeper unseal token --vault-token 'GK_TOKEN'
   ```

4. Launch a task on Mesos and retrieve a token:

   ```
   $ curl -X POST -d"{\"task_id\":\"${MESOS_TASK_ID}\"}" 'http://gatekeeper-host/token'
   ```
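The hand-off in step 4 from the task's side, as an added Go client example (not code from the vault-gatekeeper project): it POSTs the task id to Gatekeeper's `/token` endpoint, then spends the wrapping token at Vault's `/v1/sys/wrapping/unwrap` to obtain the real client token. The `token` field name in Gatekeeper's JSON reply is an assumption; the `auth.client_token` field in the unwrap reply is Vault's own response shape for a wrapped token.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// postJSON POSTs body to url, optionally with an X-Vault-Token header, and
// decodes the JSON reply into out; any non-200 status is reported as an error.
func postJSON(client *http.Client, url, vaultToken string, body []byte, out interface{}) error {
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	if vaultToken != "" {
		req.Header.Set("X-Vault-Token", vaultToken)
	}
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s returned %s", url, resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// FetchToken runs the Quickstart flow for one task: request a response-wrapped
// token from Gatekeeper, then unwrap it at Vault. The "token" field in
// Gatekeeper's reply is an assumed JSON shape, not taken from the project docs.
func FetchToken(client *http.Client, gatekeeperURL, vaultAddr, taskID string) (string, error) {
	body, _ := json.Marshal(map[string]string{"task_id": taskID})
	var gk struct{ Token string `json:"token"` }
	if err := postJSON(client, gatekeeperURL+"/token", "", body, &gk); err != nil {
		return "", err
	}
	// The wrapping token is single-use and short-lived: a failure here means it
	// expired or was already consumed by someone else, so surface it, don't retry.
	var vault struct{ Auth struct{ ClientToken string `json:"client_token"` } `json:"auth"` }
	if err := postJSON(client, vaultAddr+"/v1/sys/wrapping/unwrap", gk.Token, nil, &vault); err != nil {
		return "", err
	}
	if vault.Auth.ClientToken == "" {
		return "", fmt.Errorf("unwrap response carried no client token")
	}
	return vault.Auth.ClientToken, nil
}
```

An unwrap error is the signal that the wrapped token was intercepted or replayed before the task used it, which is exactly the property response wrapping exists to detect.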

Downloading

You can grab a binary from the releases or deploy the docker image nemosupremo/vault-gatekeeper.

License

MIT