<img align=right src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=150>
<img src=images/sglogo.png width=50 align="left">

# TOTP MFA
<img src="images/vault-totp1.png" width=300>  

MFA works only for tokens that have identity information on them
Tokens created by logging in using auth methods will have the associated identity information

**Prerequisites:** 
You need to have Enterprise Vault up and running

`VAULT_UI=true VAULT_REDIRECT_ADDR=http://127.0.0.1:8200 evault server -log-level=trace -dev -dev-root-token-id=root -dev-listen-address=127.0.0.1:8200 -dev-ha -dev-transactional`

In [1]:
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_SKIP_VERIFY=true

In [42]:
vault login root

[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                  Value
---                  -----
token                root
token_accessor       Tx3EngiKGeZcpw25mlWA6L3t
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"][0m


In [3]:
vault status; vault version

[0mKey             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.7.0+ent
Storage Type    inmem_transactional_ha
Cluster Name    vault-cluster-db716466
Cluster ID      8137cb9a-fa4a-b712-f767-5a4d5c74cd6c
HA Enabled      true
HA Cluster      https://0.0.0.0:8201
HA Mode         active
Active Since    2021-03-27T14:47:46.311383Z
Last WAL        35[0m
[0mVault v1.7.0 (4e222b85c40a810b74400ee3c54449479e32bb9f)[0m


### Create static secrets

In [4]:
vault secrets enable -version=1 -path=secret1 kv

[0mSuccess! Enabled the kv secrets engine at: secret1/[0m


In [5]:
vault kv put secret1/web01 ip="192.168.1.191" username="arthur" password="passw0rd123"
vault kv put secret1/web02 ip="192.168.1.192" username="raymond" password="passw0rd123"

[0mSuccess! Data written to: secret1/web01[0m
[0mSuccess! Data written to: secret1/web02[0m


---
## Configure TOTP MFA

In [6]:
vault write sys/mfa/method/totp/my_totp \
    issuer=Vault \
    period=30 \
    key_size=30 \
    algorithm=SHA256 \
    digits=6

[0mSuccess! Data written to: sys/mfa/method/totp/my_totp[0m


In [7]:
vault policy write totp-policy -<<EOF
path "secret1/*" {
  capabilities = ["read"]
  mfa_methods  = ["my_totp"]
}
EOF

[0mSuccess! Uploaded policy: totp-policy[0m


## Using AWS

### Setup AWS Auth

In [8]:
vault auth enable aws

[0mSuccess! Enabled aws auth method at: aws/[0m


In [9]:
source ~/.zshrc; echo $AWS_ACCESS_KEY_ID; aws sts get-caller-identity

AKIAWSEH7GKTNQXQMO4V
{[mh=
    "UserId": "AIDAWSEH7GKTK7YJMLGC2",[m
    "Account": "451256726182",[m
    "Arn": "arn:aws:iam::451256726182:user/tbagio"[m
}[m


In [10]:
# tbagio profile in ~/.aws/credentials
#
vault write auth/aws/config/client \
  secret_key=$AWS_SECRET_ACCESS_KEY \
  access_key=$AWS_ACCESS_KEY_ID 

[0mSuccess! Data written to: auth/aws/config/client[0m


&nbsp;   
### IAM Authentication type. 
<img src="images/iam-auth-flow.png" width=400>  

1. The AWS User makes a request to Vault and includes its IAM credential.   

2. Vault verifies that the User is valid  using the public AWS API endpoint.   

3. Provided all steps are successful, Vault returns the initial Vault token to the AWS User. This token is mapped to any configured policies based on the instance metadata.   


In [11]:
vault write auth/aws/role/dev-role-iam \
   auth_type=iam \
   bound_iam_principal_arn="arn:aws:iam::451256726182:*"\
   policies=totp-policy ttl=15m

[0mSuccess! Data written to: auth/aws/role/dev-role-iam[0m


In [12]:
vault write auth/aws/config/client iam_server_id_header_value=vault.example.com

[0mSuccess! Data written to: auth/aws/config/client[0m


In [13]:
vault read auth/aws/role/dev-role-iam

[0mKey                               Value
---                               -----
allow_instance_migration          false
auth_type                         iam
bound_account_id                  []
bound_ami_id                      []
bound_ec2_instance_id             <nil>
bound_iam_instance_profile_arn    []
bound_iam_principal_arn           [arn:aws:iam::451256726182:*]
bound_iam_principal_id            []
bound_iam_role_arn                []
bound_region                      []
bound_subnet_id                   []
bound_vpc_id                      []
disallow_reauthentication         false
inferred_aws_region               n/a
inferred_entity_type              n/a
policies                          [totp-policy]
resolve_aws_unique_ids            true
role_id                           2ae8d16d-4982-e055-f695-43b6756efbbb
role_tag                          n/a
token_bound_cidrs                 []
token_explicit_max_ttl            0s
token_max_ttl                     0s
token_no_defaul

### Login using AWS IAM

In [14]:
AWS_ACCESS_KEY_ID=$(cat /tmp/aws_id); AWS_SECRET_ACCESS_KEY=$(cat /tmp/aws_secret);  \
aws sts get-caller-identity

{[mh=
    "UserId": "AIDAWSEH7GKTD4E53KCTO",[m
    "Account": "451256726182",[m
    "Arn": "arn:aws:iam::451256726182:user/raymond"[m
}[m


In [43]:
# login as raymond
vault login -method=aws header_value=vault.example.com \
  role=dev-role-iam \
  aws_access_key_id=$(cat /tmp/aws_id) \
  aws_secret_access_key=$(cat /tmp/aws_secret)

[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                      Value
---                      -----
token                    s.LBvWOcW6fItVRospUAutMjES
token_accessor           XswLfqIzDHejgjSftYJm4PkP
token_duration           15m
token_renewable          true
token_policies           ["default" "totp-policy"]
identity_policies        []
policies                 ["default" "totp-policy"]
token_meta_account_id    451256726182
token_meta_auth_type     iam
token_meta_role_id       2ae8d16d-4982-e055-f695-43b6756efbbb[0m


In [44]:
VAULT_TOKEN=root vault token lookup s.LBvWOcW6fItVRospUAutMjES

[0mKey                 Value
---                 -----
accessor            XswLfqIzDHejgjSftYJm4PkP
creation_time       1616857547
creation_ttl        15m
display_name        aws-raymond
entity_id           20da6636-b34a-3b66-3eb6-55c17026140b
expire_time         2021-03-27T23:20:47.591113+08:00
explicit_max_ttl    0s
id                  s.LBvWOcW6fItVRospUAutMjES
issue_time          2021-03-27T23:05:47.591121+08:00
meta                map[account_id:451256726182 auth_type:iam role_id:2ae8d16d-4982-e055-f695-43b6756efbbb]
num_uses            0
orphan              true
path                auth/aws/login
policies            [default totp-policy]
renewable           true
ttl                 14m48s
type                service[0m


In [18]:
#use entity_id from the (userpass) previous output
VAULT_TOKEN=root vault write sys/mfa/method/totp/my_totp/admin-generate \
    entity_id=20da6636-b34a-3b66-3eb6-55c17026140b

[0mKey        Value
---        -----
barcode    iVBORw0KGgoAAAANSUhEUgAAAMgAAADIEAAAAADYoy0BAAAG0ElEQVR4nOydwW4bMQxE6yL//8vpYS8qWBKP5LqZNeadgrUsyR6QoKhp/fX9/csI8funN2D+xoKIYUHEsCBiWBAxLIgYFkQMCyKGBRHDgohhQcSwIGJYEDEsiBgWRAwLIoYFEcOCiGFBxPiiA18vOjK7pb9muF6Nf8f3xhVn761dA/VI/moNdy44QsSwIGK8aDCdiaI7pk4+ka41qd5bTDubRBQT4+w7yXCEiGFBxMBV1kmWgrIxMVHwJBNXyaosvjpJO91URr4TgiNEDAsixihlzYgJ52RWC9WHwetJfSCtk1U25/ss6o4QMSyIGP8lZcUKhNckvJrKqGcm7+WdsT2OEDEsiBijlNUN21l9MjvQ1XXRXU37bLd7HCFiWBAxmimL35Fd1McxfmQjh8r6OZ+zu1b3O6lxhIhhQcTAKWtfRfDDHbcl8PF1PcYTVPb3XThCxLAgYoxMDnsbQNeLlb233sPmXvIckx0n+ffAcYSIYUHEaFZZ3du3E5JASHIjKYUbKs6Zs+f13WL3ZrPGESKGBRFj4cviXvTzSddVVa8+63HxFetV6v3HBEtwhIhhQcRopqy6wqnDmVRl9X1f9neWAHljPxI9XfyzdB3yJ44QMSyIGKMbwyw18U4UqcGyd9Uur42JIns1O2bWu3Iv6yOwIGLg9vs/3oqb27yFzpMVqe64EXTzWfg8BEeIGBZEjOaN4QVJQdyiyVv3kW4C4f0ofoDt7qrGESKGBRFj5MsilQ83WPK2fHYzOEt3pBfH6zRu5KhxhIhhQcRYuN/3DXZCN4nV88xmJnXaXR54R4gYFkSMxY3hRddgGWcjjeuNiYLUTvETZfYGUi91v4cTR4gYFkSMUfu92xGK781Gkh4RsT3wY13X4Dqr6DiOEDEsiBg3/U8

**Note**: the above barcode is a .png file that looks like the picture below.  Use
`echo "<insert barcode here>" | base64 --decode > /tmp/barcode.png` 

<img src="images/barcode.png" width=100>

### Use Google Authenticator
Open Google Authenticator, click + (plus sign) and press "Scan barcode".   
<img src="images/authenticator1.png" width=100>
<img src="images/authenticator2.png" width=100>

### Demo - get a secret

In [45]:
unset VAULT_TOKEN;vault login s.LBvWOcW6fItVRospUAutMjES

[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                      Value
---                      -----
token                    s.LBvWOcW6fItVRospUAutMjES
token_accessor           XswLfqIzDHejgjSftYJm4PkP
token_duration           14m37s
token_renewable          true
token_policies           ["default" "totp-policy"]
identity_policies        []
policies                 ["default" "totp-policy"]
token_meta_account_id    451256726182
token_meta_auth_type     iam
token_meta_role_id       2ae8d16d-4982-e055-f695-43b6756efbbb[0m


In [46]:
vault print token; vault kv get secret1/web01

[0ms.LBvWOcW6fItVRospUAutMjES[0m
[91mError reading secret1/web01: Error making API request.

URL: GET http://127.0.0.1:8200/v1/secret1/web01
Code: 403. Errors:

* 1 error occurred:
	* permission denied

[0m


**Note**: You need to use MFA.  Enter 6 digits OTP from (Google) Authenticator.

vault print token;  vault read -mfa my_totp:050103 secret1/web01

**Note**: using the wrong OTP results in `permission denied`

In [48]:
vault print token;  vault read -mfa my_totp:444555 secret1/web01

[0ms.LBvWOcW6fItVRospUAutMjES[0m
[91mError reading secret1/web01: Error making API request.

URL: GET http://127.0.0.1:8200/v1/secret1/web01
Code: 403. Errors:

* 1 error occurred:
	* permission denied

[0m


---
### TOTP Secret Engine

In [23]:
#one time
VAULT_TOKEN=root vault secrets enable totp

[0mSuccess! Enabled the totp secrets engine at: totp/[0m


### use the "otpauth://totp/Vault:..." from above

In [25]:
VAULT_TOKEN=root vault write totp/keys/my-key \
    url="otpauth://totp/Vault:20da6636-b34a-3b66-3eb6-55c17026140b?algorithm=SHA256&digits=6&issuer=Vault&period=30&secret=RE7JLHAEHQK5PEEICPCNCIZMKKX74LJPNK67TKCIC7KYNFYK"

[0mSuccess! Data written to: totp/keys/my-key[0m


In [31]:
VAULT_TOKEN=root vault read totp/code/my-key

[0mKey     Value
---     -----
code    484539[0m


In [32]:
VAULT_TOKEN=s.cqIPtABBbx73HdYhx4e6hAmF vault read secret1/web01

[91mError reading secret1/web01: Error making API request.

URL: GET http://127.0.0.1:8200/v1/secret1/web01
Code: 403. Errors:

* 1 error occurred:
	* permission denied

[0m


In [33]:
VAULT_TOKEN=s.cqIPtABBbx73HdYhx4e6hAmF vault read -mfa my_totp:484539 secret1/web01

[0mKey                 Value
---                 -----
refresh_interval    768h
ip                  192.168.1.191
password            passw0rd123
username            arthur[0m


In [34]:
VAULT_TOKEN=root vault write totp/code/my-key code=484539

[0mKey      Value
---      -----
valid    true[0m


In [35]:
VAULT_TOKEN=root vault write totp/code/my-key code=484530

[0mKey      Value
---      -----
valid    false[0m


&nbsp;

---
#### Thank you.
<img src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=100 align="left">