No commit activity in last 3 years
No release in over 3 years
Eyaml plugin for Vault transit secrets engine
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Runtime

 Project Readme

Hiera-Eyaml-Vault

Introduction

This library is a plugin to hiera-eyaml that enabled encryption and decryption using the Transit Secrets Engine of Vault.

Installation

Follow the instructions provided to install and configure hiera-eyaml, this extension can be installed as a rubygem

$ gem install hiera-eyaml-vault

Configuration

Vault setup

In order to use Vault as a encryption as a service with this plugin you need to configure the service on the Vault server in order to enable the transit engine and provide hiera-eyaml-vault with credentials to use to authenticate against the vault service. The following steps should be run on your Vault server.

Enable the transit engine

$ vault secrets enable transit

Create a key for Hiera to encrypt and decrypt data

$ vault write -f transit/keys/hiera

Create a policy for Hiera

Edit a file called hiera_policy.hcl with the following contents

path "transit/*" {
  capabilities = [ "read", "list", "create", "update", "delete" ]
}

Next, add the policy with the following command

$ vault policy write hiera hiera_policy.hcl

Create an Approle to use the Hiera policy

Enable the approle auth method

$ vault auth enable approle

Create the approle

$ vault write auth/approle/role/hiera token_ttl=10m policies=hiera

Copy the credentials

Hiera-eyaml-vault requires the role_id and secret_id to be configured, obtain these by issuing the following commands

$ vault read auth/approle/role/hiera/role-id
$ vault write -f auth/approle/role/hiera/secret-id

Configuring hiera-eyaml-vault

Options

See the documentation for Hiera-Eyaml for integrating Hiera with Eyaml, and how to enable encrypting plugins. The following options are configurable for this plugin;

  • vault_addr: URL of the Vault server to connect to (default https://127.0.0.1:8200)
  • role_id: Role ID to use to authenticate (see above)
  • secret_id: Secret ID to use to authenticate (see above)
  • use_ssl: Boolean, Whether to use SSL to connect to vault (default true)
  • ssl_verify: Boolean, Whether to verify SSL certs when connecting to vault (default true)
  • keyname: Name of the vault transit key to use (see above). (default: hiera)
  • api_version: Version of the vault API to use (default: 1)

Example

cat ~/.eyaml/config.yaml

---
encrypt_method: vault
vault_addr: https://vault.corp.com:8200
vault_role_id: 987ad87-77dd-339a-787b-798793872a
vault_secret_id: 66255f7-225c-112a-b565-99873626f3
vault_ssl_verify: false

Usage

Once configured the plugin can be used as normal with hiera-eyaml, the tagname VAULT will be used to identify vault encrypted strings, eg:

$ eyaml encrypt -s foobar
string: ENC[VAULT,dmF1bHQ6djE6WlNqb3BzZUZhZ044b3NnT3hwRG9Jb1JzYVFwbHVkRVo3QTZreDlCMmRyMEI3dz09]

OR

block: >
    ENC[VAULT,dmF1bHQ6djE6WlNqb3BzZUZhZ044b3NnT3hwRG9Jb1JzYVFwbHVkRVo3QTZr
    eDlCMmRyMEI3dz09]

Maintainer

Written by Craig Dunn craig@craigdunn.org

With thanks to Sixt