Warden is a Node.js authentication middleware service that runs on each node in the Vault cluster. It uses a privileged Vault token to provision orphaned tokens for tokend. Each orphaned token carries a specific role that grants it access to other services.
Warden is implemented as chains of middleware functions that either validate request parameters or fetch more data using previously validated parameters as inputs. Data sources such as S3 and the EC2 DescribeInstances API are trusted and presumed to be valid, while data in the request body, as well as data from the various AWS Tags APIs, is not, and must pass a validation step before it can be relied upon as part of the request's chain of authentication.
Every layer in the middleware chain may either respond immediately to the request with an error, or pass the request to the next layer. A layer must respond immediately with an error if its verification task fails.
The steps to validate the request for a token are:
- Receive request for token
- Validate that the body of the request contains a signature and a JSON document of EC2 instance data
- Validate that the signature is from an EC2 instance
- Validate the document has all of the necessary information to proceed
- Fetch metadata from S3 that matches data from the JSON document
- Acquire a token for Vault that grants access to the specific secrets
- Return the token to the instance requesting a token
See the getting started guide for help installing, configuring, and using Warden.
First ensure that Ruby 2.2.4 and Node 4.4.x are installed on your Vault servers. Then ensure that the settings in /config/defaults.json are correct for your needs.
In order to launch the Warden service, navigate to /opt/warden/ and call
This will launch both Warden and the Sinatra app to verify signatures of requests.
The Sinatra app checks the signature on the document to ensure that the signature is real and valid. It is launched automatically when Warden starts and needs no special configuration.
Steps to release new version:
To increment version, run:
$ npm version minor
$ bundle exec rake default
To be able to create a new release on github.com, you must have the following environment variables set:
and the user and token must have the appropriate permissions in this repository.