vault-fastly-secret-engine

command module
v0.0.0-...-f31989a Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 9, 2021 License: Apache-2.0 Imports: 5 Imported by: 0

README

vault-fastly-secret-engine

This plugin will allow you to create a secret backend that will use the Fastly API to generate dynamic short lived Fastly token. Usage can be restricted using the highly customizable Vault ACL system.

Setup

Most secrets engines must be configured in advance before they can perform their functions. These steps are usually completed by an operator or configuration management tool.

  1. Register the plugin with the catalog

    $ SHASUM=$(shasum -a 256 vault-fastly-secret-engine | cut -d " " -f1)
$ vault write sys/plugins/catalog/vault-fastly-secret-engine sha_256="$SHASUM" command="vault-fastly-secret-engine" 
Success! Data written to: sys/plugins/catalog/vault-fastly-secret-engine

  2. Enable the Fastly secrets engine:

    $ vault secrets enable -path="fastly" -plugin-name="vault-fastly-secret-engine" plugin
Success! Enabled the vault-fastly-secret-engine plugin at: fastly/

    By default, the secrets engine will mount at the name of the engine. To enable the secrets engine at a different path, use the -path argument.

  3. Configure the backend with user credentials that will be able to interact with the Fastly API and create tokens.

    $ vault write fastly/config username="sam" password="test" sharedSecret="123"
Success! Data written to: fastly/config

    The sharedSecret corresponds to the shared secret key produced by fastly when configuring MFA login. This will be used to generate the Fastly tokens.

Usage

After the secrets engine is configured and a user/machine has a Vault token with the proper permission, it can generate tokens.

  1. Generate a new fastly token by writing to the /fastly/generate endpoint with the scope of the desired token as well as the service ID:

    $ vault write fastly/generate scope="global" service_id="Xj62345gmTix9gh67U"
Key      Value
---      -----
token    d118a65cdfe314202cf969e1fb2e8afc

    NOTE you can provide multiple service IDs by using a comma delimited string.

    $ vault write fastly/generate scope="global" service_id="Xj62345gmTix9gh67U,45MDE6457BT4IRZdf7z"
Key      Value
---      -----
token    f2732f475773ab0d0bce1cd371d72b48

    Using ACLs, it is possible to restrict the type of tokens that can be generated. Any combination of scope and service ID can be used

Local Development

Build the code
GOOS=linux GOARCH=amd64 go build
docker build -t vault-plugin .
docker run --cap-add=IPC_LOCK -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:1234' -p 1234:1234 vault-plugin
Configure the local vault

In a second terminal window...

export VAULT_ADDR='http://0.0.0.0:1234'
vault login myroot
SHASUM=$(shasum -a 256 vault-fastly-secret-engine | cut -d " " -f1)
vault write sys/plugins/catalog/vault-fastly-secret-engine   sha_256="$SHASUM"   command="vault-fastly-secret-engine"
vault secrets enable -path="fastly" -plugin-name="vault-fastly-secret-engine" plugin
vault write fastly/config username="sam" password="test" sharedSecret="123"

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.