secretsengine

package module
v0.0.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 18, 2022 License: Apache-2.0 Imports: 9 Imported by: 0

README

HashiCorp Vault custom secrets engine for Google Apigee

Go Reference

Apigee, part of Google Cloud, helps companies design, secure, and scale application programming interfaces (APIs).

Apigee apps contain a key and secret (credentials), which are used to obtain an OAuth2 access token for API access. These credentials have an expiry, by default never. Instead of apps using static, long-lived credentials, the Vault Apigee secrets engine generates dynamic, short-lived credentials and enables frequent rotation.

Credentials can be generated via the Vault CLI and REST API.

Planned Features

  • Support for Apigee Edge (in addition to Apigee X)

Prerequisites

Git: Clone Repo (Optional)

git clone https://github.com/bstraehle/vault-plugin-secrets-apigee.git
cd vault-plugin-secrets-apigee

Go: Build / Test (Optional)

export GOOS=linux
export GOARCH=amd64

go build -o vault/plugins/vault-plugin-secrets-apigee cmd/vault-plugin-secrets-apigee/main.go
go test -v

Vault CLI: Register Plugin

  • Add plugin directory to server configuration
cat > vault/server.hcl << EOF
plugin_directory = "$(pwd)/vault/plugins"
api_addr         = "http://127.0.0.1:8200"

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}

storage "file" {
  path = "/tmp/vault-data"
}
EOF
  • Start server
vault server -config=vault/server.hcl -log-level=trace
  • In new terminal, initialize and unseal Vault
export VAULT_ADDR='http://127.0.0.1:8200'

vault operator init
vault operator unseal
  • Register plugin
SHA256=$(sha256sum vault/plugins/vault-plugin-secrets-apigee | cut -d ' ' -f1)

vault plugin register -sha256=$SHA256 secret vault-plugin-secrets-apigee
vault plugin info secret vault-plugin-secrets-apigee

Key        Value
---        -----
args       []
builtin    false
command    vault-plugin-secrets-apigee
name       vault-plugin-secrets-apigee
sha256     3b30041a7e683317a442e8b6336c3c7e0e8c9079221b11431db7d700ef7d5f00

Google Cloud CLI: Obtain Access Token

gcloud auth login

export APIGEE_OAUTH_TOKEN=$(gcloud auth print-access-token)
export APIGEE_HOST=https://apigee.googleapis.com

export APIGEE_ORG_NAME=<APIGEE_ORG_NAME>
export APIGEE_DEVELOPER_EMAIL=<APIGEE_DEVELOPER_EMAIL>
export APIGEE_APP_NAME=<APIGEE_APP_NAME>
export APIGEE_API_PRODUCTS=<APIGEE_API_PRODUCTS>

Vault CLI: Usage

  • Enable secrets engine
vault secrets enable -path=apigee -description="apigee secrets engine" vault-plugin-secrets-apigee

Success! Enabled the vault-plugin-secrets-apigee secrets engine at: apigee/
  • Write config
vault write apigee/config host=$APIGEE_HOST oauth_token=$APIGEE_OAUTH_TOKEN

Success! Data written to: apigee/config
  • Read config (optional)
vault read apigee/config

Key     Value
---     -----
host    <APIGEE_HOST>
  • Delete config (optional)
vault delete apigee/config

Success! Data deleted (if it existed) at: apigee/config
  • Write role
vault write apigee/roles/test \
org_name=$APIGEE_ORG_NAME \
developer_email=$APIGEE_DEVELOPER_EMAIL \
app_name=$APIGEE_APP_NAME \
api_products=$APIGEE_API_PRODUCTS \
ttl=24h

Success! Data written to: apigee/roles/test
  • Read role (optional)
  vault read apigee/roles/test

Key                Value
---                -----
api_products       <APIGEE_API_PRODUCTS>
app_name           <APIGEE_APP_NAME>
developer_email    <APIGEE_DEVELOPER_EMAIL>
org_name           <APIGEE_ORG_NAME>
ttl                24h
  • Delete role (optional)
vault delete apigee/roles/test

Success! Data deleted (if it existed) at: apigee/roles/test
  • Read creds
vault read apigee/creds/test

Key                Value
---                -----
lease_id           <LEASE_ID>
lease_duration     24h
lease_renewable    false
api_products       <APIGEE_API_PRODUCTS>
app_name           <APIGEE_APP_NAME>
credentials        RkRJTUdqbXJ1dDRmY2hTdUdKaEZETVZhNDAwN2MwM3NXQThEVEpobnJ3NTk3MmkzOkp2bXNmWmFhak5vcVQ2RWk3WEFZbVNUc1RBOEFQU1dkdTlKeFlLdFptRW9uWjg2MmpLZzNST2x1eHI2QmI3MTA=
developer_email    <APIGEE_DEVELOPER_EMAIL>
key                FDIMGjmrut4fchSuGJhFDMVa4007c03sWA8DTJhnrw5972i3
org_name           <APIGEE_ORG_NAME>
secret             JvmsfZaajNoqT6Ei7XAYmSTsTA8APSWdu9JxYKtZmEonZ862jKg3ROluxr6Bb710
  • Revoke lease (optional)
vault lease revoke <LEASE_ID>

All revocation operations queued successfully!
  • Disable secrets engine (optional)
vault secrets disable apigee

Success! Disabled the secrets engine (if it existed) at: apigee/

References

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Factory 

func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

Types

This section is empty.

Source Files

View all Source files

Directories

Path Synopsis
cmd
vault-plugin-secrets-apigee

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.