Skip to content
A tool for configuring Hashicorp Vault for Managed Secrets
Go
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
pkg/keymaster
.gitignore
LICENSE
README.md
buildspec.yml
go.mod
go.sum

README.md

keymaster

Status

Yaml Interface for machine access to Hashicorp Vault.

Based on a config file, these libs do the following:

  • Defines Secrets and their Generators for a Team.

  • Generate Secrets for a Team in each Environment, storing the Secrets in Vault.

  • Creates Vault Policies allowing Principals to access the above Secrets in each Environment.

  • Creates Roles per Team, generating Vault Auth endpoints allowing the secrets client or any other Vault savvy user to authenticate to Vault and get a token.

  • Roles have 'Realms' which are computing environments. Each Realm configures a different flavor of Authentication backend. Choices are 'k8s', 'iam', and 'tls'.

  • Does not create the per team secrets engines in Vault. That has to be done manually by a Vault Admin. This is deliberate, and allows keymaster to run with limited permissions (creating new storage engines would require keymaster to run with root permissions).

  • At present, CA engines are general purpose - not per Team.

Admin Notes

These cannot create secret engines. This is a deliberate choice.

Every time a new team is onboarded to Managed Secrets, an admin will need to manually run:

vault secrets enable -version=2 -path=<team name> -description="<team name> Secrets" kv
You can’t perform that action at this time.