# HashiCorp Vault custom secrets engine for Apigee
![GitHub release (latest SemVer including pre-releases)](https://img.shields.io/github/v/release/bstraehle/vault-plugin-secrets-apigee?color=red&include_prereleases&sort=semver)
Apigee, part of Google Cloud, helps companies design, secure, and scale application programming interfaces (APIs).

Apigee apps hold a consumer key and consumer secret (the app's credentials), which a client exchanges for an OAuth2 access token to call APIs. These credentials have an expiry, which by default is never. Instead of apps using static, long-lived credentials, the Vault Apigee secrets engine generates dynamic, short-lived (ephemeral) credentials, enabling frequent rotation.

Credentials can be generated via the Vault CLI or the Vault REST API.
## Use Case
![HashiCorp Vault custom secrets engine for Apigee](https://github.com/bstraehle/vault-plugin-secrets-apigee/raw/v1.0.0/sequence_diagram.png)
## Prerequisites

### Git: Clone Repo (Optional)

```sh
git clone https://github.com/bstraehle/vault-plugin-secrets-apigee.git
cd vault-plugin-secrets-apigee
```

### Google Cloud CLI: Obtain Access Token

```sh
gcloud auth login
export APIGEE_OAUTH_TOKEN=$(gcloud auth print-access-token)
export APIGEE_IS_MOCK=0
export APIGEE_HOST=<APIGEE_HOST>
export APIGEE_ORG_NAME=<APIGEE_ORG_NAME>
export APIGEE_DEVELOPER_EMAIL=<APIGEE_DEVELOPER_EMAIL>
export APIGEE_APP_NAME=<APIGEE_APP_NAME>
export APIGEE_API_PRODUCTS=<APIGEE_API_PRODUCTS>
```

### Go: Build / Test (Optional)

```sh
export GOOS=linux
export GOARCH=amd64
go build -o vault/plugins/vault-plugin-secrets-apigee cmd/vault-plugin-secrets-apigee/main.go
go test -v
```
## Vault CLI: Register Plugin

- Add the plugin directory to the server configuration and start Vault

```sh
cat > vault/server.hcl << EOF
plugin_directory = "$(pwd)/vault/plugins"
api_addr = "http://127.0.0.1:8200"
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = "true"
}
storage "file" {
  path = "/tmp/vault-data"
}
EOF
vault server -config=vault/server.hcl -log-level=trace
```

- In a new terminal, initialize and unseal Vault, then register the plugin by its SHA-256 checksum

```sh
export VAULT_ADDR='http://127.0.0.1:8200'
vault operator init
vault operator unseal
SHA256=$(sha256sum vault/plugins/vault-plugin-secrets-apigee | cut -d ' ' -f1)
vault plugin register -sha256=$SHA256 secret vault-plugin-secrets-apigee
vault plugin info secret vault-plugin-secrets-apigee
```

```
Key        Value
---        -----
args       []
builtin    false
command    vault-plugin-secrets-apigee
name       vault-plugin-secrets-apigee
sha256     3b30041a7e683317a442e8b6336c3c7e0e8c9079221b11431db7d700ef7d5f00
```
## Vault CLI: Secrets Engine

```sh
vault secrets enable -path=apigee -description="apigee secrets engine" vault-plugin-secrets-apigee
```

```
Success! Enabled the vault-plugin-secrets-apigee secrets engine at: apigee/
```

- Disable secrets engine (optional)

```sh
vault secrets disable apigee
```

```
Success! Disabled the secrets engine (if it existed) at: apigee/
```
## Vault CLI: Config

```sh
vault write apigee/config host=$APIGEE_HOST oauth_token=$APIGEE_OAUTH_TOKEN
```

```
Success! Data written to: apigee/config
```

```sh
vault read apigee/config
```

```
Key     Value
---     -----
host    <APIGEE_HOST>
```

```sh
vault delete apigee/config
```

```
Success! Data deleted (if it existed) at: apigee/config
```
## Vault CLI: Role

```sh
vault write apigee/roles/test \
  org_name=$APIGEE_ORG_NAME \
  developer_email=$APIGEE_DEVELOPER_EMAIL \
  app_name=$APIGEE_APP_NAME \
  api_products=$APIGEE_API_PRODUCTS \
  ttl=24h
```

```
Success! Data written to: apigee/roles/test
```

```sh
vault read apigee/roles/test
```

```
Key                Value
---                -----
api_products       <APIGEE_API_PRODUCTS>
app_name           <APIGEE_APP_NAME>
developer_email    <APIGEE_DEVELOPER_EMAIL>
org_name           <APIGEE_ORG_NAME>
ttl                24h
```

```sh
vault delete apigee/roles/test
```

```
Success! Data deleted (if it existed) at: apigee/roles/test
```
## Vault CLI: Usage

```sh
vault read apigee/creds/test
```

```
Key                Value
---                -----
lease_id           <LEASE_ID>
lease_duration     24h
lease_renewable    false
api_products       <APIGEE_API_PRODUCTS>
app_name           <APIGEE_APP_NAME>
credentials        RkRJTUdqbXJ1dDRmY2hTdUdKaEZETVZhNDAwN2MwM3NXQThEVEpobnJ3NTk3MmkzOkp2x...
developer_email    <APIGEE_DEVELOPER_EMAIL>
key                FDIMGjmrut4fchSuGJhFDMVa4007c03sWA8DTJhnrw5972i3
org_name           <APIGEE_ORG_NAME>
secret             JvmsfZaajNoqT6Ei7XAYmSTsTA8APSWdu9JxYKtZmEonZ862jKg3ROluxr6Bb710
```

```sh
vault lease revoke <LEASE_ID>
```

```
All revocation operations queued successfully!
```
## Vault API: Usage

```sh
curl --header "X-Vault-Token: <VAULT_TOKEN>" http://127.0.0.1:8200/v1/apigee/creds/test | jq
```

```json
{
  "request_id": "<REQUEST_ID>",
  "lease_id": "<LEASE_ID>",
  "renewable": false,
  "lease_duration": 86400,
  "data": {
    "api_products": "<APIGEE_API_PRODUCTS>",
    "app_name": "<APIGEE_APP_NAME>",
    "credentials": "RkRJTUdqbXJ1dDRmY2hTdUdKaEZETVZhNDAwN2MwM3NXQThEVEpobnJ3NTk3MmkzOkp2x...",
    "developer_email": "<APIGEE_DEVELOPER_EMAIL>",
    "key": "FDIMGjmrut4fchSuGJhFDMVa4007c03sWA8DTJhnrw5972i3",
    "org_name": "<APIGEE_ORG_NAME>",
    "secret": "JvmsfZaajNoqT6Ei7XAYmSTsTA8APSWdu9JxYKtZmEonZ862jKg3ROluxr6Bb710"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
```

```sh
curl --header "X-Vault-Token: <VAULT_TOKEN>" --request POST --data @payload.json \
  http://127.0.0.1:8200/v1/sys/leases/revoke
```

with `payload.json`:

```json
{
  "lease_id": "<LEASE_ID>"
}
```
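The following Go program is an added example, not part of this plugin's source, showing how an API client consumes the `creds` response above: it decodes the JSON, cross-checks the pre-encoded `credentials` field against `key` and `secret` (the base64 prefix in the sample output decodes to `FDIMG...72i3:Jv...`, i.e. base64 of `key:secret`, the value an HTTP Basic header needs), records when the non-renewable lease expires, builds the OAuth2 client-credentials request, and produces the `payload.json` body for revoking the lease. The token URL and the fully encoded `credentials` value in the sample are constructed for the example; the real token endpoint depends on the OAuth proxy deployed in your Apigee org.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// vaultCredsResponse mirrors the JSON returned by GET /v1/apigee/creds/<role>.
type vaultCredsResponse struct {
	LeaseID       string `json:"lease_id"`
	Renewable     bool   `json:"renewable"`
	LeaseDuration int    `json:"lease_duration"` // seconds
	Data          struct {
		Credentials string `json:"credentials"` // base64(key:secret)
		Key         string `json:"key"`
		Secret      string `json:"secret"`
	} `json:"data"`
}

// ApigeeCreds is what a client keeps: the credentials to mint an OAuth2 token,
// when they expire, and the lease to revoke once it is done with them.
type ApigeeCreds struct {
	LeaseID    string
	Renewable  bool
	ExpiresAt  time.Time
	Key        string
	Secret     string
	AuthHeader string // HTTP Basic value built from key and secret
}

// ParseCreds decodes the Vault response and rejects it if the pre-encoded
// credentials field does not match key:secret (corrupted or tampered data).
func ParseCreds(body []byte, now time.Time) (*ApigeeCreds, error) {
	var r vaultCredsResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, fmt.Errorf("decode vault response: %w", err)
	}
	if r.LeaseID == "" || r.Data.Key == "" || r.Data.Secret == "" {
		return nil, fmt.Errorf("vault response is missing lease_id, key or secret")
	}
	decoded, err := base64.StdEncoding.DecodeString(r.Data.Credentials)
	if err != nil {
		return nil, fmt.Errorf("credentials field is not valid base64: %w", err)
	}
	if string(decoded) != r.Data.Key+":"+r.Data.Secret {
		return nil, fmt.Errorf("credentials field does not match key:secret")
	}
	return &ApigeeCreds{
		LeaseID:    r.LeaseID,
		Renewable:  r.Renewable,
		ExpiresAt:  now.Add(time.Duration(r.LeaseDuration) * time.Second),
		Key:        r.Data.Key,
		Secret:     r.Data.Secret,
		AuthHeader: "Basic " + r.Data.Credentials,
	}, nil
}

// NewTokenRequest builds the OAuth2 client-credentials request. tokenURL is an
// assumption: whatever OAuth proxy the Apigee org exposes for token issuance.
func NewTokenRequest(c *ApigeeCreds, tokenURL string) (*http.Request, error) {
	form := url.Values{"grant_type": {"client_credentials"}}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", c.AuthHeader)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// RevokePayload renders the body for POST /v1/sys/leases/revoke (payload.json).
func RevokePayload(leaseID string) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // keep the lease id byte-for-byte as Vault returned it
	if err := enc.Encode(map[string]string{"lease_id": leaseID}); err != nil {
		return "", err
	}
	return strings.TrimSpace(buf.String()), nil
}

// SampleResponse is a constructed Vault response using the key and secret from
// the README output; the full credentials value is derived here, not copied.
func SampleResponse() []byte {
	key := "FDIMGjmrut4fchSuGJhFDMVa4007c03sWA8DTJhnrw5972i3"
	secret := "JvmsfZaajNoqT6Ei7XAYmSTsTA8APSWdu9JxYKtZmEonZ862jKg3ROluxr6Bb710"
	creds := base64.StdEncoding.EncodeToString([]byte(key + ":" + secret))
	return []byte(fmt.Sprintf(`{"request_id":"<REQUEST_ID>","lease_id":"<LEASE_ID>","renewable":false,
"lease_duration":86400,"data":{"credentials":%q,"key":%q,"secret":%q}}`, creds, key, secret))
}

func main() {
	c, err := ParseCreds(SampleResponse(), time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("lease %s expires %s (renewable=%v)\n", c.LeaseID, c.ExpiresAt.Format(time.RFC3339), c.Renewable)
	req, _ := NewTokenRequest(c, "https://api.example.com/oauth/token") // assumed endpoint
	fmt.Println(req.Method, req.URL, req.Header.Get("Authorization")[:6])
	payload, _ := RevokePayload(c.LeaseID)
	fmt.Println("revoke body:", payload)
}
```

Because `renewable` is `false`, a client cannot extend the lease; it should fetch fresh credentials from `apigee/creds/<role>` before `ExpiresAt` and revoke the old lease as soon as it has switched over, so the Apigee-side key is deleted rather than left to age out.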
## References