No commit activity in last 3 years
No release in over 3 years
Given a master vault token, issue short-lived, per-application tokens to each app in a docker-compose.yml file, restricting each app to its corresponding security policy.
Dependencies

Development

~> 1.10
~> 10.0
>= 0

Runtime

~> 0.4.0
Project Readme

add-vault-tokens

This is a short script for use with vault and docker-compose. Given a docker-compose.yml file and a VAULT_MASTER_TOKEN as input, this script generates a new, limited vault token for each application described in the docker-compose.yml file, so that no container ever holds the master token and each one can only reach the secrets its own policy allows.

You can install this as:

gem install add-vault-tokens

Usage

Assume you have a docker-compose.yml containing:

app:
  image: "example/app"

service:
  image: "example/service"

First, you need to create a security policy master-token.hcl for the master token:

# Mandatory for all policies.
path "auth/token/lookup-self" {
  policy = "read"
}

# Allow listing all available policies, so we can decide which child tokens
# to generate.
path "sys/policy" {
  policy = "sudo"
}

# Allow creation of child tokens.
path "auth/token/create" {
  policy = "write"
}

# Allow renewal of this token.
#
# SECURITY - HACK - We can't just allow renewal via `renew-self` in 0.3, so
# allow renewal of _any_ token as the next best substitute.
path "auth/token/renew/*" {
  policy = "sudo"
}

This can be loaded using:

vault policy-write master-token master-token.hcl

Then you need to define two new policies, app and service, specifying which secrets can be accessed by each container. Because a child token can only carry policies that its parent token already holds, the master token must be created with every per-application policy in addition to master-token. Once the policies exist, create your VAULT_MASTER_TOKEN for use with add-vault-tokens:

vault token-create -policy=master-token -policy=app -policy=service

Then you run add-vault-tokens as follows:

# The URL of your vault server.
export VAULT_ADDR=https://...

# The master token you just generated.
export VAULT_MASTER_TOKEN=...

# Generate tokens
add-vault-tokens docker-compose.yml

This will update docker-compose.yml to include new environment variables (shown here in compose's mapping form; a list-form `environment:` block would receive `VAULT_ADDR=...` and `VAULT_TOKEN=...` entries instead):

app:
  image: "example/app"
  environment:
    VAULT_ADDR: "https://..."
    # A new token with policy "app":
    VAULT_TOKEN: "..."

service:
  image: "example/service"
  environment:
    VAULT_ADDR: "https://..."
    # A new token with policy "service":
    VAULT_TOKEN: "..."

If a VAULT_ENV environment variable is set when you run the script, it is also written into each service's environment, and the policy looked up for each service is prefixed with $VAULT_ENV- (so with VAULT_ENV=production the app container receives a token for the production-app policy, not app).
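The flow described above (list the policies the master token can see, create one child token per compose service carrying only that service's policy, and write VAULT_ADDR/VAULT_TOKEN into the service's environment) as an added example in Ruby. This is editor-written illustration, not the gem's own source: the Vault HTTP endpoints (`GET /v1/sys/policy`, `POST /v1/auth/token/create` with the `X-Vault-Token` header) are Vault's real API, but the one-hour TTL, the choice to skip services that have no matching policy, and the `FakeIssuer` and `SAMPLE_COMPOSE` used so the code runs offline are assumptions constructed for this example.

```ruby
require 'yaml'
require 'json'
require 'net/http'
require 'uri'

# Talks to Vault's HTTP API using the master token. Endpoints used:
#   GET  /v1/sys/policy          -> {"policies": [...]}
#   POST /v1/auth/token/create   -> {"auth": {"client_token": "..."}}
class VaultHttpIssuer
  def initialize(vault_addr, master_token)
    @base = URI(vault_addr)
    @master_token = master_token
  end

  # Policies visible to the master token (needs the sys/policy grant shown above).
  def policies
    JSON.parse(request(Net::HTTP::Get.new(URI.join(@base, '/v1/sys/policy'))).body).fetch('policies')
  end

  # Creates a child token restricted to +policies+. TTL and renewable are assumptions.
  def issue(policies, ttl: '1h')
    req = Net::HTTP::Post.new(URI.join(@base, '/v1/auth/token/create'))
    req['Content-Type'] = 'application/json'
    req.body = { policies: policies, ttl: ttl, renewable: true }.to_json
    JSON.parse(request(req).body).fetch('auth').fetch('client_token')
  end

  private

  def request(req)
    req['X-Vault-Token'] = @master_token
    res = Net::HTTP.start(@base.host, @base.port, use_ssl: @base.scheme == 'https') { |h| h.request(req) }
    raise "Vault #{req.method} #{req.path} failed: #{res.code} #{res.body}" unless res.is_a?(Net::HTTPSuccess)
    res
  end
end

# Constructed stand-in for VaultHttpIssuer so the example runs without a Vault server.
# Token values are fabricated; it only records which policies were requested.
class FakeIssuer
  attr_reader :calls
  def initialize
    @calls = []
  end

  def issue(policies, ttl: '1h')
    @calls << policies
    "s.fake-#{policies.join('+')}"
  end
end

# Sets KEY=value in a compose service's environment, whether it is written as a
# YAML mapping (KEY: value) or as a list of "KEY=value" strings.
def put_env(svc, key, value)
  env = (svc['environment'] ||= {})
  if env.is_a?(Array)
    env.reject! { |e| e.to_s.start_with?("#{key}=") }
    env << "#{key}=#{value}"
  else
    env[key] = value
  end
end

# Returns the rewritten compose document as a YAML string. For each service whose
# policy (optionally prefixed "#{env}-") exists in +available_policies+, asks the
# issuer for a child token carrying only that policy. Services without a matching
# policy are left untouched (assumption: no policy, no token).
def add_vault_tokens(compose_yaml, vault_addr:, issuer:, available_policies:, env: nil)
  doc = YAML.safe_load(compose_yaml)
  services = doc.key?('services') ? doc['services'] : doc   # compose v2 vs v1 layout
  available = available_policies.to_a
  services.each do |name, svc|
    next unless svc.is_a?(Hash)
    policy = env ? "#{env}-#{name}" : name
    unless available.include?(policy)
      warn "add-vault-tokens: no policy #{policy.inspect} for service #{name}, skipping"
      next
    end
    token = issuer.issue([policy])          # master token never reaches the container
    put_env(svc, 'VAULT_ADDR', vault_addr)
    put_env(svc, 'VAULT_TOKEN', token)
    put_env(svc, 'VAULT_ENV', env) if env
  end
  YAML.dump(doc)
end

# Constructed input matching the two-service compose file above.
SAMPLE_COMPOSE = <<~YAML
  app:
    image: "example/app"
  service:
    image: "example/service"
YAML

# CLI mode mirrors the documented usage: add_vault_tokens docker-compose.yml with
# VAULT_ADDR, VAULT_MASTER_TOKEN and optionally VAULT_ENV set in the environment.
if $PROGRAM_NAME == __FILE__ && ENV.key?('VAULT_MASTER_TOKEN')
  file = ARGV.fetch(0)
  issuer = VaultHttpIssuer.new(ENV.fetch('VAULT_ADDR'), ENV['VAULT_MASTER_TOKEN'])
  out = add_vault_tokens(File.read(file), vault_addr: ENV['VAULT_ADDR'], issuer: issuer,
                         available_policies: issuer.policies, env: ENV['VAULT_ENV'])
  File.write(file, out)
end
```

The design point worth keeping from this: each container receives a token that carries exactly one policy, so a compromised `app` container can read only what the `app` policy allows and cannot mint further tokens, while the master token (which can create tokens and, with the `auth/token/renew/*` grant above, renew any token) stays on the host that runs the script. Because Vault only lets a parent issue child tokens for policies it already holds, a missing per-service policy on the master token shows up as a failed `auth/token/create` call rather than as a silently over-privileged child.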

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/faradayio/add-vault-tokens.

License

The gem is available as open source under the terms of the MIT License.