Low commit activity in last 3 years
No release in over a year
Eyaml plugin for Vault transit secrets engine. Forked from https://github.com/crayfishx/hiera-eyaml-vault
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Runtime

 Project Readme

Hiera-Eyaml-Vault

Introduction

This library is a plugin to hiera-eyaml that enabled encryption and decryption using the Transit Secrets Engine of Vault.

Installation

Follow the instructions provided to install and configure hiera-eyaml, this extension can be installed as a rubygem

$ gem install hiera-eyaml-vault

Configuration

Vault setup

In order to use Vault as a encryption as a service with this plugin you need to configure the service on the Vault server in order to enable the transit engine and provide hiera-eyaml-vault with credentials to use to authenticate against the vault service. The following steps should be run on your Vault server.

Enable the transit engine

$ vault secrets enable transit

Create a key for Hiera to encrypt and decrypt data

$ vault write -f transit/keys/hiera

Create a policy for Hiera

Edit a file called hiera_policy.hcl with the following contents

path "transit/*" {
  capabilities = [ "read", "list", "create", "update", "delete" ]
}

Next, add the policy with the following command

$ vault policy write hiera hiera_policy.hcl

Option 1: Create an Approle to use the Hiera policy

Enable the approle auth method

$ vault auth enable approle

Create the approle

$ vault write auth/approle/role/hiera token_ttl=10m policies=hiera

Copy the credentials

Hiera-eyaml-vault approle requires the role_id and secret_id to be configured, obtain these by issuing the following commands

$ vault read auth/approle/role/hiera/role-id
$ vault write -f auth/approle/role/hiera/secret-id

Option 2: Create a Cert Auth to use the Hiera policy

Enable the cert auth method

$ vault auth enable cert

Create the approle

$ $ vault write auth/cert/certs/puppet_servers display_name=puppet_servers policies=hiera certificate=@path_to_public_certificate.pem ttl=3600

Configuring hiera-eyaml-vault

Options

See the documentation for Hiera-Eyaml for integrating Hiera with Eyaml, and how to enable encrypting plugins. The following options are configurable for this plugin;

  • vault_addr: URL of the Vault server to connect to (default https://127.0.0.1:8200)
  • role_id: App Role ID to use to authenticate (see above)
  • secret_id: App Secret ID to use to authenticate (see above)
  • use_ssl: Boolean, Whether to use SSL to connect to vault (default true)
  • ssl_verify: Boolean, Whether to verify SSL certs when connecting to vault (default true)
  • transitname: Name of the vault transit engine to use (default: transit)
  • keyname: Name of the vault transit key to use (see above). (default: hiera)
  • api_version: Version of the vault API to use (default: 1)

The following options are added for the plugin to support certificate-based authentication:

  • client_cert: Path to the client certificate for certificate-based authentication.
  • client_key: Path to the client private key for certificate-based authentication.
  • auth_name: Name used for certificate-based authentication. This should match the name given when adding the certificate to Vault (puppet_servers).

App Auth Example

cat ~/.eyaml/config.yaml

---
encrypt_method: vault
vault_addr: https://vault.corp.com:8200
vault_role_id: 987ad87-77dd-339a-787b-798793872a
vault_secret_id: 66255f7-225c-112a-b565-99873626f3
vault_ssl_verify: false

Cert Auth Example

cat ~/.eyaml/config.yaml

---
encrypt_method: vault
vault_addr: https://vault.corp.com:8200
client_cert: /path/to/client_cert.pem
client_key: /path/to/client_key.pem
auth_name: puppet_servers

Usage

Once configured the plugin can be used as normal with hiera-eyaml, the tagname VAULT will be used to identify vault encrypted strings, eg:

$ eyaml encrypt -s foobar
string: ENC[VAULT,dmF1bHQ6djE6WlNqb3BzZUZhZ044b3NnT3hwRG9Jb1JzYVFwbHVkRVo3QTZreDlCMmRyMEI3dz09]

OR

block: >
    ENC[VAULT,dmF1bHQ6djE6WlNqb3BzZUZhZ044b3NnT3hwRG9Jb1JzYVFwbHVkRVo3QTZr
    eDlCMmRyMEI3dz09]

Maintainer

Written by Craig Dunn craig@craigdunn.org

With thanks to Sixt