Hello everyone,
I am seeking feedback on my current HashiCorp Vault deployment strategy to ensure its correctness and security. Below is a detailed description of my setup and workflow:
Environment Setup:
- ROLE_ID: role-id
- DEFAULT_TOKEN: default-initial-token
Vault Policies:
- Default Token Policy:

```hcl
# Allow generating tokens
path "auth/token/create" {
  capabilities = ["update"]
}

# Allow renewing tokens
path "auth/token/renew" {
  capabilities = ["update"]
}

# Allow looking up the details of the caller's token
path "auth/token/lookup-self" {
  capabilities = ["read"]
}

# Allow renewing the caller's token
path "auth/token/renew-self" {
  capabilities = ["update"]
}

# Optionally, allow revoking the caller's token
path "auth/token/revoke-self" {
  capabilities = ["update"]
}

# Allow lookup of other tokens
path "auth/token/lookup" {
  capabilities = ["read"]
}
```

- K/V Secret Policy:

```hcl
# Allow reading data from the "secret/data/demo" path
path "secret/data/demo" {
  capabilities = ["read"]
}

# Allow reading the list of mounts in the Vault instance
path "sys/mounts" {
  capabilities = ["read"]
}
```
Workflow:
- Creating the Default Token:

```shell
vault token create \
  -policy="{{VAULT_ACL_TOKEN_POLICY}}" \
  -metadata="user=developer" \
  -ttl="1h" \
  -renewable=true
```

- Renewing the Default Token:

My application includes a scheduled task that periodically renews the default token:

```shell
vault token renew -increment="1h"
```

- Generating Secret ID:

To access K/V data, the application uses the default token to create a Secret ID (the token is passed through VAULT_TOKEN, since the CLI's -header flag expects key=value pairs rather than a "Name: value" header):

```shell
VAULT_TOKEN="{{DEFAULT_TOKEN}}" vault write auth/approle/role/{{VAULT_APP_ROLE}}/secret-id \
  metadata='{"tag":"development"}' \
  ttl=60 \
  num_uses=1
```

- Generating AppRole Token:

The Secret ID is then used to obtain an AppRole token:

```shell
VAULT_TOKEN="{{DEFAULT_TOKEN}}" vault write auth/approle/login \
  role_id="{{ROLE_ID}}" \
  secret_id="{{SECRET_ID}}"
```

- Accessing K/V Data:

The AppRole token retrieves K/V data:

```shell
vault kv get secret/demo
```

- Revoking AppRole Token:

Post-data retrieval, the AppRole token is revoked.
Questions:
- Is this workflow optimized for secure and efficient use of Vault?
- Are there any best practices or improvements you would recommend?
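The following is an added example, not code from the post or from HashiCorp: a small least-privilege review of the Default Token Policy above. It parses the HCL path blocks (single-line, as the post shows them, or multi-line), flags grants that are broader than the described workflow uses (auth/token/create, auth/token/lookup, sys/mounts), and reports the capability the default token needs for the Secret ID step but the posted policy does not grant (update on auth/approle/role/<role>/secret-id). The role name "demo-app" and the assumption that no other policy is attached to the default token are the example's own.

```python
"""Least-privilege review of a Vault token policy (added example, offline)."""
import re

# Paths whose presence in a workload policy deserves a second look.
BROAD_PATHS = {
    "auth/token/create": "mints new tokens; child tokens inherit the parent's policies unless restricted",
    "auth/token/lookup": "reads metadata (accessor, policies, TTL) of any token, not only the caller's",
    "sys/mounts": "enumerates every secrets engine mounted on the server",
}

# Matches: path "<path>" { capabilities = ["a", "b"] }  (newlines and spacing optional)
RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl: str) -> dict[str, set[str]]:
    """Return {path: set(capabilities)} for every path block in the policy text."""
    rules: dict[str, set[str]] = {}
    for path, caps in RULE_RE.findall(hcl):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def workflow_requirements(role: str) -> dict[str, set[str]]:
    """Capabilities the default token needs for the post's workflow.
    Assumption: the AppRole name is known (the post uses a {{VAULT_APP_ROLE}} placeholder)."""
    return {
        f"auth/approle/role/{role}/secret-id": {"update"},  # generate a Secret ID
        "auth/token/renew-self": {"update"},                # scheduled self-renewal
        "auth/token/lookup-self": {"read"},                 # inspect own TTL
    }


def review(hcl: str, role: str) -> dict[str, list[str]]:
    """Report overly broad grants and grants the workflow needs but lacks."""
    rules = parse_policy(hcl)
    broad = [f"{p}: {BROAD_PATHS[p]}" for p in rules if p in BROAD_PATHS]
    missing = []
    for path, needed in workflow_requirements(role).items():
        lacking = needed - rules.get(path, set())
        if lacking:
            missing.append(f"{path} needs {sorted(lacking)}")
    return {"broad": broad, "missing": missing}


def minimal_default_policy(role: str) -> str:
    """Render an HCL policy containing only what workflow_requirements() lists."""
    blocks = []
    for path, caps in workflow_requirements(role).items():
        cap_list = ", ".join(f'"{c}"' for c in sorted(caps))
        blocks.append(f'path "{path}" {{\n  capabilities = [{cap_list}]\n}}')
    return "\n\n".join(blocks)


# Constructed copy of the post's Default Token Policy, flattened onto one line
# exactly as it appeared in the post, so the parser is exercised on that shape.
POSTED_DEFAULT_POLICY = (
    '# Allow generating tokens path "auth/token/create" { capabilities = ["update"] } '
    '# Allow renewing tokens path "auth/token/renew" { capabilities = ["update"] } '
    'path "auth/token/lookup-self" { capabilities = ["read"] } '
    'path "auth/token/renew-self" { capabilities = ["update"] } '
    'path "auth/token/revoke-self" { capabilities = ["update"] } '
    '# Allow lookup of other tokens path "auth/token/lookup" { capabilities = ["read"] }'
)

if __name__ == "__main__":
    result = review(POSTED_DEFAULT_POLICY, "demo-app")
    for line in result["broad"]:
        print("broader than needed:", line)
    for line in result["missing"]:
        print("missing for workflow:", line)
    print("\nminimal policy for the default token:\n" + minimal_default_policy("demo-app"))
```

Run against the posted policy, the review flags auth/token/create and auth/token/lookup as broader than the workflow needs and reports that the Secret ID step has no matching grant; the minimal policy it renders passes its own review with nothing flagged.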
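As a second added example (again not the post's own code and not a HashiCorp client), here is the Secret ID, AppRole login, K/V read and revoke sequence expressed against Vault's HTTP API, with the transport injectable so the exchange can be walked through offline. The endpoint paths (auth/approle/role/<role>/secret-id, auth/approle/login, secret/data/demo, auth/token/revoke-self) are Vault's documented ones; the server address, role name, token values and the FakeVault responder are constructed for the example. It makes two points the CLI listing leaves implicit: the AppRole login call is unauthenticated (no X-Vault-Token is sent), and the AppRole token is revoked in a finally block so a failed read does not leave it alive.

```python
"""Vault AppRole workflow over the HTTP API with an injectable transport (added example)."""
import json
import urllib.request
from typing import Callable, Optional

# A transport takes (method, url, headers, json_body) and returns the parsed JSON reply.
Transport = Callable[[str, str, dict, Optional[dict]], dict]


def http_transport(method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
    """Real transport: used when a Vault server is actually reachable."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class VaultWorkflow:
    def __init__(self, addr: str, transport: Transport = http_transport):
        self.addr = addr.rstrip("/")
        self.transport = transport

    def _call(self, method: str, path: str, token: Optional[str] = None, body: Optional[dict] = None) -> dict:
        headers = {"Content-Type": "application/json"}
        if token:
            headers["X-Vault-Token"] = token  # attached only on authenticated calls
        return self.transport(method, f"{self.addr}/v1/{path}", headers, body)

    def create_secret_id(self, default_token: str, role: str, ttl: int = 60, num_uses: int = 1) -> str:
        """Step 3: the default token mints a short-lived, single-use Secret ID."""
        resp = self._call("POST", f"auth/approle/role/{role}/secret-id", default_token, {
            "metadata": json.dumps({"tag": "development"}),  # Vault expects a JSON-formatted string
            "ttl": ttl,
            "num_uses": num_uses,
        })
        return resp["data"]["secret_id"]

    def login(self, role_id: str, secret_id: str) -> str:
        """Step 4: AppRole login needs no token of its own, so none is sent."""
        resp = self._call("POST", "auth/approle/login", None,
                          {"role_id": role_id, "secret_id": secret_id})
        return resp["auth"]["client_token"]

    def read_kv(self, app_token: str, path: str = "secret/data/demo") -> dict:
        """Step 5: KV v2 read; the secret's key/values sit under data.data."""
        return self._call("GET", path, app_token)["data"]["data"]

    def revoke_self(self, app_token: str) -> None:
        """Step 6: revoke the AppRole token once the data has been retrieved."""
        self._call("POST", "auth/token/revoke-self", app_token)


def run_workflow(wf: VaultWorkflow, default_token: str, role: str, role_id: str) -> dict:
    secret_id = wf.create_secret_id(default_token, role)
    app_token = wf.login(role_id, secret_id)
    try:
        return wf.read_kv(app_token)
    finally:
        wf.revoke_self(app_token)  # revoke even if the read raised


class FakeVault:
    """Constructed stand-in for a Vault server: records each call and answers in Vault's shape."""
    def __init__(self):
        self.calls = []  # (method, api_path, token_header, body)

    def __call__(self, method, url, headers, body):
        path = url.split("/v1/", 1)[1]
        self.calls.append((method, path, headers.get("X-Vault-Token"), body))
        if path.endswith("/secret-id"):
            return {"data": {"secret_id": "sid-constructed"}}
        if path == "auth/approle/login":
            return {"auth": {"client_token": "hvs.constructed-approle"}}
        if path == "secret/data/demo":
            return {"data": {"data": {"password": "constructed"}}}
        return {}


if __name__ == "__main__":
    fake = FakeVault()
    wf = VaultWorkflow("http://vault.example:8200", transport=fake)  # constructed address
    print(run_workflow(wf, "default-initial-token", "demo-app", "role-id"))
    for call in fake.calls:
        print(call[0], call[1], "token=" + (call[2] or "<none>"))
```

With the real transport the same code runs against a live server; the recorded call list makes it easy to confirm in a test that the default token touches only the secret-id endpoint and that the AppRole token is used for exactly the read and its own revocation.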