-
Notifications
You must be signed in to change notification settings - Fork 2
/
instructions_approle.txt
147 lines (112 loc) · 5.58 KB
/
instructions_approle.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
We will imagine we have a simple Python application that consumes resources from a Mongo database, and presents an API.
The records will be contained in the orders collection in the flask_app database. We will use Vault
to control access to this resource.
Install and configure mongodb:
===========================================================================================
mkdir ~/data/flask_app
sudo apt-get install mongodb
mongod --port 27017 --dbpath ~/data/flask_app
or
docker run --name mongo-server -d mongo -v ~/data/flask-app:/data/db
===========================================================================================
We need to add a user who can create other users. We have chosen to use a very permissive role
within Mongo, but you can certainly further limit the access Vault has to the server by choosing
more restrictive roles. Please see (https://docs.mongodb.com/manual/reference/built-in-roles/#userAdminAnyDatabase)
for more information.
Connect and add admin user.
===========================================================================================
mongo --port 27017
or
docker run -it --link mongo-server:mongo --rm mongo sh -c 'exec mongo "$MONGO_PORT_27017_TCP_ADDR:$MONGO_PORT_27017_TCP_PORT/test"'
use admin
db.createUser(
{
user: "admin_user",
pwd: "password",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
===========================================================================================
Create our database and collections, and insert a record to initialize them.
===========================================================================================
use flask_app
db.createCollection('orders')
db.createCollection('customers')
db.orders.insert({'created_on':Date()})
db.customers.insert({'created_on':Date()})
===========================================================================================
Restart mongodb with auth:
===========================================================================================
mongod --port 27017 --dbpath ~/data/flask_app --auth
===========================================================================================
Add mongodb backend in Vault:
===========================================================================================
vault mount mongodb
===========================================================================================
Mount an audit backend so we have some idea what's going on:
===========================================================================================
mkdir -p ~/vault_logs && touch ~/vault_logs/audit.log
vault audit-enable file file_path=~/vault_logs/audit.log
===========================================================================================
Tell vault how to connect to mongo:
===========================================================================================
vault write mongodb/config/connection uri="mongodb://admin_user:password@127.0.0.1:27017/admin?ssl=false"
===========================================================================================
Configure lease parameters (must be renewed every hour, and recycled every day):
===========================================================================================
vault write mongodb/config/lease ttl=1h max_ttl=24h
===========================================================================================
Create some roles:hour
===========================================================================================
vault write mongodb/roles/readonly db=flask_app roles='[ "read" ]'
vault write mongodb/roles/write db=flask_app roles='[ "readWrite" ]'
===========================================================================================
==================
Steps for Flask App
Restrict access to mongodb database that
Enable AppRole and configure AppRole within Vault:
Enable the backend:
===========================================================================================
vault auth-enable approle
===========================================================================================
Create policies:
===========================================================================================
cat <<EOF > flask_app_role_worker_pol.hcl
path "auth/approle/role/flask_app/secret-id" {
capabilities = ["read","create","update"]
}
EOF
cat <<EOF > flask_app_role_provisioner_pol.hcl
path "auth/approle/role/flask_app/role-id" {
capabilities = ['read']
}
EOF
cat << EOF >flask_app_db_readonly_pol.hcl
path "mongodb/flask_app/roles/readonly" {
capabilities = ['read']
}
EOF
cat << EOF >flask_app_db_readwrite_pol.hcl
path "mongodb/flask_app/roles/write" {
capabilities = ['read']
}
EOF
===========================================================================================
Create the approle:
# The idea is a long lived app. Secret_id does not expire,
# and the token does get renewed periodically
vault write auth/approle/role/flask_app secret_id_ttl=0 \
token_num_uses=1 token_ttl=61m \
token_max_ttl=61m secret_id_num_uses=0
Retrieve the role_id:
vault read auth/approle/role/flaskapp/role-id
Get a SecretID issued against the AppRole:
vault write -f auth/approle/role/flask_app/secret-id
**********
scratch
Need to set a policy limiting access to the secret-id
Need to set a policy limiting access to the role-id
Need to somehow pin access to the mongo secret path to someone who has authed through the approle gate
start app by terraform remote provisioner writing config file that contains the approleid and secret_id_ttl,
then executing the app. App reads in IDs from the config file. Last step in the provisioner is to
delete the config file.