New user, first time using Vault. I have been trying to go through tutorial on AppRole (Step 5), but I have not been successful.
I was wondering, don’t we need to enable kv first? And when we write the key, does it have to be admin, or can it be the same user? I am substituting dgraph for jenkins in the tutorial.
Q1: Thus wouldn’t we have to do something like this below?
vault secrets enable -version=2 -path=secret kv
vault kv put secret/data/dgraph enc_key=123456789012345
Q2: How could I do the above with curl, especially the second line?
Q3: How could I get that key, what would the path be? /v1/secret/data/dgraph/enc_key?
It looks like you can’t activate a secret engine via API.
To write secrets via curl, see Create/Update Secret.
To read the secret in your example:
curl \
--header "X-Vault-Token: …" \
http://127.0.0.1:8200/v1/secret/data/data/dgraph
/v1/secret/data/ is the base path to access KV version 2 secrets; data/dgraph is the path of your secret, see Read Secret Version.
You can use the API to enable a secret mount - see here /sys/mounts - HTTP API | Vault | HashiCorp Developer
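The two replies above cover the three API calls behind the question (enable the mount via /sys/mounts, write via /v1/secret/data/..., read it back). The script below is an added example, not code from the thread or from HashiCorp: it builds and parses those calls with only the standard library, so the path and payload shapes for KV v1 versus KV v2 can be checked without a server. The mount name "secret" and the secret name "dgraph" come from the thread; the server address, the token and the key value are placeholders, and the sample read response is constructed.

```python
import json
import os
import urllib.request
from urllib.error import HTTPError

# Constructed sample of a KV v2 read response (GET /v1/secret/data/<name>), used to
# show the nesting offline; a real server also fills in metadata timestamps.
SAMPLE_KV2_READ = json.dumps({
    "data": {
        "data": {"enc_key": "PLACEHOLDER_KEY"},
        "metadata": {"version": 1, "destroyed": False, "deletion_time": ""},
    }
})


def sys_mounts_payload(version="2"):
    """Body for POST /v1/sys/mounts/<mount>, the API form of
    `vault secrets enable -version=2 -path=<mount> kv`."""
    return {"type": "kv", "options": {"version": version}}


def kv_path(mount, name, version=2):
    """API path of a KV secret.  KV v2 puts a literal "data/" segment between
    the mount and the secret name; KV v1 does not.  `vault kv put` adds that
    segment itself, so `vault kv put secret/data/dgraph ...` on a v2 mount
    stores the secret under the name "data/dgraph", reachable at
    /v1/secret/data/data/dgraph, which is the URL the reply above uses."""
    return f"/v1/{mount}/data/{name}" if version == 2 else f"/v1/{mount}/{name}"


def kv_write_payload(secret, version=2):
    """Request body for a write: KV v2 wraps the pairs in "data", KV v1 sends them flat."""
    return {"data": dict(secret)} if version == 2 else dict(secret)


def kv_read_secret(response_body, version=2):
    """Key/value pairs from a read response: KV v2 nests them at .data.data
    (next to .data.metadata), KV v1 at .data."""
    doc = json.loads(response_body)
    return doc["data"]["data"] if version == 2 else doc["data"]


def vault_request(addr, token, method, path, body=None):
    """The curl call from the thread, in urllib: X-Vault-Token header, JSON in, text out."""
    req = urllib.request.Request(
        addr + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:   # the mount call answers 204 with no body
        return resp.read().decode()


if __name__ == "__main__":
    # Live run against a dev server; address and token come from the environment.
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    token = os.environ["VAULT_TOKEN"]
    try:
        vault_request(addr, token, "POST", "/v1/sys/mounts/secret", sys_mounts_payload())
    except HTTPError as err:
        if err.code != 400:      # dev servers already mount secret/ as KV v2
            raise
    vault_request(addr, token, "POST", kv_path("secret", "dgraph"),
                  kv_write_payload({"enc_key": "PLACEHOLDER_KEY"}))
    print(kv_read_secret(vault_request(addr, token, "GET", kv_path("secret", "dgraph"))))
```

With VAULT_ADDR and VAULT_TOKEN set, the script performs the same three requests a curl session would; the helper functions are what you would check first when a read comes back 404, since nearly every KV v2 surprise is the extra "data/" segment or the extra "data" wrapper.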
I figured out the solution(s).
These are the steps I did to be aligned with best practices.
- Launch unsealed Vault server
- Enable AppRole Auth and KV Secrets (root token)
- Create the admin role with an attached policy (root token)
- Retrieve the admin token (admin role-id + secret-id)
- Create the app role with an attached policy (admin token)
- Save secrets (admin token)
- Retrieve the app token (app role id + secret-id)
- Verify access for app secrets (app token)
- Launch app with config for role-id + secret-id
What’s missing from the steps in the docs that made things unclear:
- need to create kv secrets
- cannot create secrets using the app credentials, as the tutorial grants read/update privileges; this has to be done with admin credentials
- payload of secret for kv v1 vs kv v2
I documented the steps here:
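The step list above, expressed as Vault HTTP API calls, as an added example that is not the poster's own script: root token for the bootstrap, an admin role that creates the app role and saves the secret, and an app role that can only read it, with a final capabilities check for the "verify access" step. The mount "secret" and the secret "dgraph" come from the thread; the role names, both policies, the TTLs and the placeholder key are assumptions.

```python
import json
import os
import urllib.request
from urllib.error import HTTPError

MOUNT, SECRET = "secret", "dgraph"

# Admin policy (assumed): manage AppRole roles and ACL policies, and write the app's secret.
ADMIN_POLICY = f'''
path "auth/approle/role/*"   {{ capabilities = ["create", "read", "update", "delete", "list"] }}
path "sys/policies/acl/*"    {{ capabilities = ["create", "read", "update", "delete", "list"] }}
path "{MOUNT}/data/{SECRET}" {{ capabilities = ["create", "update", "read"] }}
'''

# App policy (assumed): read-only on its own KV v2 secret, so the secret itself
# has to be saved with the admin token, as the post above found.
APP_POLICY = f'''
path "{MOUNT}/data/{SECRET}" {{ capabilities = ["read"] }}
'''


def policy_payload(hcl):
    """Body for PUT /v1/sys/policies/acl/<name>."""
    return {"policy": hcl}


def role_payload(policies, token_ttl="1h", secret_id_ttl="10m"):
    """Body for POST /v1/auth/approle/role/<name>: policies bound to the role plus TTLs."""
    return {"token_policies": list(policies), "token_ttl": token_ttl, "secret_id_ttl": secret_id_ttl}


def credentials_from(role_id_body, secret_id_body):
    """role-id comes from GET .../role/<name>/role-id, secret-id from POST .../secret-id."""
    return (json.loads(role_id_body)["data"]["role_id"],
            json.loads(secret_id_body)["data"]["secret_id"])


def login_payload(role_id, secret_id):
    """Body for POST /v1/auth/approle/login (unauthenticated)."""
    return {"role_id": role_id, "secret_id": secret_id}


def token_from_login(response_body):
    """The issued client token sits at .auth.client_token."""
    return json.loads(response_body)["auth"]["client_token"]


def capabilities_for(response_body, path):
    """Capabilities a token has on one path, from POST /v1/sys/capabilities-self."""
    doc = json.loads(response_body)
    return sorted(doc.get("data", doc).get(path) or doc.get("capabilities", []))


def vault_request(addr, token, method, path, body=None):
    """curl equivalent; the token header is omitted for the unauthenticated login call."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Vault-Token"] = token
    req = urllib.request.Request(addr + path, method=method, headers=headers,
                                 data=json.dumps(body).encode() if body is not None else None)
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def approle_login(addr, issuer_token, role):
    """Fetch role-id and a fresh secret-id with issuer_token, then log in as the role."""
    role_id, secret_id = credentials_from(
        vault_request(addr, issuer_token, "GET", f"/v1/auth/approle/role/{role}/role-id"),
        vault_request(addr, issuer_token, "POST", f"/v1/auth/approle/role/{role}/secret-id"))
    return token_from_login(vault_request(addr, "", "POST", "/v1/auth/approle/login",
                                          login_payload(role_id, secret_id)))


if __name__ == "__main__":
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    root = os.environ["VAULT_TOKEN"]                       # root token for the bootstrap steps
    try:
        vault_request(addr, root, "POST", "/v1/sys/auth/approle", {"type": "approle"})
    except HTTPError as err:
        if err.code != 400:                                # 400: already enabled
            raise
    vault_request(addr, root, "PUT", "/v1/sys/policies/acl/dgraph-admin", policy_payload(ADMIN_POLICY))
    vault_request(addr, root, "POST", "/v1/auth/approle/role/dgraph-admin", role_payload(["dgraph-admin"]))
    admin = approle_login(addr, root, "dgraph-admin")      # admin token from role-id + secret-id
    vault_request(addr, admin, "PUT", "/v1/sys/policies/acl/dgraph-app", policy_payload(APP_POLICY))
    vault_request(addr, admin, "POST", "/v1/auth/approle/role/dgraph-app", role_payload(["dgraph-app"]))
    vault_request(addr, admin, "POST", f"/v1/{MOUNT}/data/{SECRET}",
                  {"data": {"enc_key": "PLACEHOLDER_KEY"}})   # KV v2 body: pairs wrapped in "data"
    app = approle_login(addr, admin, "dgraph-app")         # app token
    secret = json.loads(vault_request(addr, app, "GET", f"/v1/{MOUNT}/data/{SECRET}"))["data"]["data"]
    caps = vault_request(addr, app, "POST", "/v1/sys/capabilities-self", {"paths": [f"{MOUNT}/data/{SECRET}"]})
    print(sorted(secret), capabilities_for(caps, f"{MOUNT}/data/{SECRET}"))   # ['enc_key'] ['read']
```

The capabilities-self call at the end is the cheap way to confirm the separation the post settled on: the app token should report only "read" on secret/data/dgraph, and an attempt to write with it would fail with 403, which is why the secret is saved under the admin token before the app ever logs in.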