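# Allows creating policies in Vault which can be used later on in roles
# for the Kubernetes based authentication.
# See https://www.vaultproject.io/docs/concepts/policies.html for more information.
policies:
# Broad read/write policy over the whole "secret" mount. Every auth role,
# user/group mapping and identity group in this file that names allow_secrets
# gets all five capabilities on every path under secret/ -- including
# secret/data/pki/ca, where the PKI section below stores the exported CA
# private key. Narrow the path (e.g. a per-team prefix) before using this
# outside development.
- name: allow_secrets
  # Literal block scalar so the HCL keeps its line structure; a plain
  # multi-line scalar would be folded onto one line, which HCL tolerates
  # but which is easy to break when editing.
  rules: |
    path "secret/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }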
# The auth block allows configuring Auth Methods in Vault.
# See https://www.vaultproject.io/docs/auth/index.html for more information.
auth:
- type: kubernetes
  # With no config block the method is left to its defaults (presumably the
  # service account bank-vaults itself runs with). To review tokens with a
  # specific Kubernetes service account instead, uncomment and fill in:
  # https://www.vaultproject.io/docs/auth/kubernetes.html
  # config:
  #   token_reviewer_jwt: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9....
  #   kubernetes_ca_cert: |
  #     -----BEGIN CERTIFICATE-----
  #     ...
  #     -----END CERTIFICATE-----
  #   kubernetes_host: https://192.168.64.42:8443
  # The reviewer JWT is a bearer credential: read it from the environment
  # (${env "..."}, as the AWS and MySQL sections do) rather than pasting it
  # into a committed config.
  # Allows creating roles in Vault which can be used later on for the Kubernetes based
  # authentication.
  # See https://www.vaultproject.io/docs/auth/kubernetes.html#creating-a-role for
  # more information.
  roles:
  # Allow every pod in the default namespace to use the secret kv store.
  # This binds the "default" service account, which every pod in the
  # namespace that sets no serviceAccountName runs as, so any such pod can
  # log in and obtain allow_secrets. Bind a dedicated service account and
  # namespace per workload outside development.
  - name: default
    bound_service_account_names: default
    bound_service_account_namespaces: default
    policies: allow_secrets
    # Lifetime of the token handed to the pod after login.
    ttl: 1h
# Allows creating team mappings in Vault which can be used later on for the GitHub
# based authentication.
# See https://www.vaultproject.io/docs/auth/github.html#configuration for
# more information.
- type: github
  # Make the auth provider visible in the web ui: "unauth" lists the method
  # in the mount listing the UI login page reads without a token.
  # See https://www.vaultproject.io/api/system/auth.html#config for more
  # information.
  options:
    listing_visibility: "unauth"
  config:
    # Only members of this GitHub organization can log in; membership and
    # team membership are asserted by GitHub, so whoever administers the
    # org in effect controls who reaches the policies mapped below.
    organization: bank-vaults
  map:
    # Map the bank-vaults "dev" team on GitHub to the "dev" policy in Vault.
    # No "dev" policy is defined in this file; it must already exist in Vault
    # or the mapping grants nothing.
    teams:
      dev: dev
    # Map the GitHub user bonifaido to the allow_secrets policy in Vault
    users:
      bonifaido: allow_secrets
# Allows configuring roles for Vault's token based authentication.
# See https://www.vaultproject.io/docs/auth/token.html for
# more information.
- type: token
  roles:
  # Presumably the role that mints the token the Prometheus scraper uses;
  # the name is the only hint.
  - name: prometheus-metrics
    # Tokens created from this role may carry only the prometheus-metrics
    # policy, which is not defined in this file and must exist separately.
    allowed_policies:
    - prometheus-metrics
    # With allowed_policies set, anything not listed there is already
    # refused (per Vault docs); this list just documents which privileged
    # policies must never be attached. Neither is defined in this file.
    disallowed_policies:
    - Administrator
    - DeveloperFullAccess
    # Orphan tokens have no parent, so revoking the token that created them
    # does not revoke them (per Vault docs); give them an explicit TTL and
    # revoke them deliberately when the scraper is retired.
    orphan: true
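# Allows creating roles in Vault which can be used later on for AWS
# IAM based authentication.
# See https://www.vaultproject.io/docs/auth/aws.html for
# more information.
- type: aws
  # Make the auth provider visible in the web ui
  # See https://www.vaultproject.io/api/system/auth.html#config for more
  # information.
  options:
    listing_visibility: "unauth"
  config:
    # Credentials Vault uses to call STS/IAM, read from the environment so no
    # long-lived key is committed (the literals could be written here instead,
    # but then this file itself becomes a secret).
    access_key: ${env "AWS_ACCESS_KEY_ID"}
    secret_key: ${env "AWS_SECRET_ACCESS_KEY"}
    # Clients must send this value in the X-Vault-AWS-IAM-Server-ID header of
    # their signed GetCallerIdentity request; per Vault docs this stops a
    # request captured for one Vault from being replayed against another.
    # Set it to this Vault server's own DNS name.
    iam_server_id_header_value: vault-dev.example.com
  crossaccountrole:
  # Add cross account number and role to assume in the cross account
  # https://www.vaultproject.io/api/auth/aws/index.html#create-sts-role
  # Quoted on purpose: an unquoted all-digit account ID is parsed as a YAML
  # integer, which silently drops a leading zero and changes the ID. The
  # value is a placeholder (real AWS account IDs are 12 digits).
  - sts_account: "12345671234"
    sts_role: arn:aws:iam::12345671234:role/crossaccountrole
  roles:
  # Add roles for AWS instances or principals
  # See https://www.vaultproject.io/api/auth/aws/index.html#create-role
  # Each role admits exactly the IAM principal bound here and hands out a
  # periodic token (renewable indefinitely in 1h periods) with allow_secrets.
  - name: dev-role-iam
    bound_iam_principal_arn: arn:aws:iam::123456789012:role/dev-vault
    policies: allow_secrets
    period: 1h
  # Principal in the other account, reached through the STS role above.
  - name: cross-account-role
    bound_iam_principal_arn: arn:aws:iam::12345671234:role/crossaccountrole
    policies: allow_secrets
    period: 1h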
# Allows creating group mappings in Vault which can be used later on for the LDAP
# based authentication.
# See https://www.vaultproject.io/docs/auth/ldap.html#configuration for
# more information.
# Start an LDAP testing server: docker run -it --rm -p 389:389 -e LDAP_TLS=false --name ldap osixia/openldap
# Start an LDAP admin server: docker run -it --rm -p 6443:443 --link ldap:ldap -e PHPLDAPADMIN_LDAP_HOSTS=ldap -e PHPLDAPADMIN_LDAP_CLIENT_TLS=false osixia/phpldapadmin
- type: ldap
  description: LDAP directory auth.
  # Make the auth provider visible in the web ui
  # See https://www.vaultproject.io/api/system/auth.html#config for more
  # information.
  options:
    listing_visibility: "unauth"
  config:
    # Plain ldap:// matches the LDAP_TLS=false test container above, which
    # means the bind password and every user's login password cross the
    # wire unencrypted. Outside that setup use ldaps:// (or starttls) with a
    # CA the server certificate chains to.
    url: ldap://localhost
    binddn: "cn=admin,dc=example,dc=org"
    # Literal credential for the local test server above. Never commit a real
    # bind password here; read it from the environment with ${env "..."} the
    # way the AWS and MySQL sections do.
    bindpass: "admin"
    # Users are looked up by uid under userdn; group membership under groupdn.
    userattr: uid
    userdn: "ou=users,dc=example,dc=org"
    groupdn: "ou=groups,dc=example,dc=org"
  groups:
    # Map the LDAP group "developers" to the allow_secrets policy in Vault
    developers:
      policies: allow_secrets
  # Map the LDAP user bonifaido to the allow_secrets policy in Vault
  # (and into the developers group)
  users:
    bonifaido:
      groups: developers
      policies: allow_secrets
# The okta auth method allows authentication using Okta and user/password credentials.
# See https://www.vaultproject.io/docs/auth/okta.html for more information.
- type: okta
  # Make the auth provider visible in the web ui
  # See https://www.vaultproject.io/api/system/auth.html#config for more
  # information.
  options:
    listing_visibility: "unauth"
  config:
    # Okta org whose users may log in with their Okta username/password.
    # No users:/groups: mapping is given for this method, so nothing here
    # assigns a Vault policy to an Okta login; add a mapping before relying
    # on it.
    organization: bank-vaults
    # Base domain for Okta API calls; use the org's actual domain (e.g.
    # oktapreview.com for a preview org).
    base_url: okta.com
# The cert auth method allows authentication using SSL/TLS client certificates
# which are either signed by a CA or self-signed.
# See https://www.vaultproject.io/docs/auth/cert.html for more information.
- type: cert
  config:
    # NOTE(review): per the Vault cert auth docs, disable_binding=true skips
    # re-matching the presented client certificate against the one used at
    # login when a token is renewed. That relaxes the renewal check for every
    # role on this mount; confirm it is needed for jenkins, otherwise drop it.
    disable_binding: true
  roles:
  - name: jenkins
    # Grants the "jenkins" policy, which is not defined in this file.
    policies: jenkins
    display_name: jenkins
    # Trusted CA (or self-signed leaf) certificate, PEM. Any client
    # certificate chaining to it logs in as this role; add allowed_names /
    # allowed_common_names / allowed_dns_sans to narrow which subjects may.
    certificate: |
      -----BEGIN CERTIFICATE-----
      (...)
      -----END CERTIFICATE-----
    # Token lifetime in seconds; quoted so YAML keeps it a string.
    ttl: "3600"
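# The azure auth method allows authentication against Vault using Azure Active Directory credentials.
# See https://www.vaultproject.io/docs/auth/azure.html for more information.
- type: azure
  config:
    # All-zero GUIDs are placeholders. Quoted so an ID that happens to look
    # like a number is still read as a string (matches the quoted bound_*
    # lists below).
    tenant_id: "00000000-0000-0000-0000-000000000000"
    # Audience the Azure-issued JWT must be minted for (per Vault docs); it
    # has to match what the workload requests a token for.
    resource: https://vault-dev.example.com
    client_id: "00000000-0000-0000-0000-000000000000"
    # Application secret: read it from the environment like the AWS and MySQL
    # credentials in this file instead of committing a literal with the config.
    client_secret: ${env "AZURE_CLIENT_SECRET"}
  roles:
  # Add roles for azure identities
  # See https://www.vaultproject.io/api/auth/azure/index.html#create-role
  # Logins are accepted only from the listed subscription and service
  # principal; the token carries allow_secrets.
  - name: dev-mi
    policies: allow_secrets
    bound_subscription_ids:
    - "00000000-0000-0000-0000-000000000000"
    bound_service_principal_ids:
    - "00000000-0000-0000-0000-000000000000"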
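# The userpass auth method allows authentication against Vault using Vault username/password credentials.
# See https://www.vaultproject.io/docs/auth/userpass.html for more information.
- type: userpass
  users:
  - username: admin
    # Read the password from the environment (${env "..."}, as the MySQL root
    # password does) rather than committing a literal such as "admin" next to
    # the username. The original example shipped admin/admin, which is the
    # first thing anyone will try against a reachable Vault.
    password: ${env "VAULT_USERPASS_ADMIN_PASSWORD"}
    # Despite the username, this user only gets allow_secrets, not root.
    token_policies: allow_secrets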
# Allows configuring Secrets Engines in Vault (KV, Database and SSH is tested,
# but the config is free form so probably more is supported).
# See https://www.vaultproject.io/docs/secrets/index.html for more information.
secrets:
# This plugin stores arbitrary secrets within the configured physical storage for Vault.
# See https://www.vaultproject.io/docs/secrets/kv/index.html for
# more information.
# Mounted at "secret": the mount the allow_secrets policy covers in full, and
# where the PKI section below saves the exported CA key.
- path: secret
  type: kv
  description: General secrets.
  options:
    # KV version 2: values live under secret/data/<key> and are versioned;
    # metadata and hard deletion live under secret/metadata/<key>.
    version: 2
# Mounts kv with extra configuration
# A separate kv mount so leader-election state does not share the "secret"
# mount (and therefore the allow_secrets policy, scoped to secret/*) with
# application data.
- path: leaderelection
  type: kv
  description: kv secret engine used for leader election logic
  options:
    version: 2
  configuration:
    config:
    # cas_required makes every write carry a check-and-set version, which is
    # what a compare-and-swap style lock needs; max_versions 1 keeps only
    # the latest value.
    - cas_required: true
      max_versions: 1
# Mounts non-default plugin's path
# Mounts the external plugin registered under plugins: below. The catalog
# entry pins the binary by sha256, so per Vault docs a swapped binary in the
# plugin directory fails to load rather than running silently.
- path: ethereum-gateway
  type: plugin
  plugin_name: ethereum-plugin
  description: Immutability's Ethereum Wallet
# This plugin stores database credentials dynamically based on configured roles for
# the MySQL database.
# See https://www.vaultproject.io/docs/secrets/databases/mysql-maria.html for
# more information.
- type: database
  description: MySQL Database secret engine.
  configuration:
    config:
    - name: my-mysql
      plugin_name: "mysql-database-plugin"
      # {{username}}/{{password}} are filled in by Vault from the fields
      # below, so the root password never appears in the URL itself.
      connection_url: "{{username}}:{{password}}@tcp(127.0.0.1:3306)/"
      # Only the "pipeline" role may issue credentials from this connection.
      allowed_roles: [pipeline]
      username: ${env "ROOT_USERNAME"} # Example how to read environment variables
      password: ${env "ROOT_PASSWORD"}
      # Ask bank-vaults to ask Vault to rotate the root credentials. After
      # rotation only Vault knows the root password (per Vault docs), so the
      # value in ROOT_PASSWORD is stale from then on; nothing else should
      # depend on it.
      rotate: true
    roles:
    - name: pipeline
      db_name: my-mysql
      # Every dynamic user gets ALL privileges on every database, from any
      # host. Beyond a demo, grant only the schemas and statements the
      # pipeline needs (e.g. SELECT/INSERT on one schema).
      creation_statements: "GRANT ALL ON *.* TO '{{name}}'@'%' IDENTIFIED BY '{{password}}';"
      # Short default lease; renewals may extend it up to max_ttl.
      default_ttl: "10m"
      max_ttl: "24h"
# Create a named Vault role for signing SSH client keys.
# See https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html#client-key-signing for
# more information.
- type: ssh
  path: ssh-client-signer
  description: SSH Client Key Signing.
  configuration:
    config:
    # Generate the CA signing key inside Vault; only its public half needs to
    # reach target hosts (sshd TrustedUserCAKeys).
    - name: ca
      generate_signing_key: "true"
    roles:
    - name: my-role
      allow_user_certificates: "true"
      # "*" lets a caller request a certificate for any principal, not just
      # default_user: whoever can use this role can mint a certificate for
      # root on every host trusting this CA. Restrict to an explicit list
      # outside development.
      allowed_users: "*"
      key_type: "ca"
      default_user: "ubuntu"
      # Signed certificates stay valid for a day. There is no online
      # revocation for SSH certificates (only a KRL pushed to hosts), so
      # shorter is safer.
      ttl: "24h"
# The PKI secrets engine generates X.509 certificates
# See https://www.vaultproject.io/docs/secrets/pki/index.html for more information
- type: pki
  description: Vault PKI Backend
  config:
    # Mount-level lease bounds: issued certs default to 7 days, at most 30.
    default_lease_ttl: 168h
    max_lease_ttl: 720h
  configuration:
    config:
    # URLs embedded in issued certificates (AIA / CRL distribution point).
    # They name the in-cluster service, so only in-cluster clients can
    # resolve them.
    - name: urls
      issuing_certificates: https://vault.default:8200/v1/pki/ca
      crl_distribution_points: https://vault.default:8200/v1/pki/crl
    root/generate:
    # "exported" makes Vault return the root's private key in the response
    # (an "internal" root never releases it, per Vault docs); bank-vaults
    # then writes it to the kv path in save_to. Combined with the
    # allow_secrets policy (secret/*), every role and user in this file
    # that carries that policy can read the CA private key. Use "internal"
    # unless the key is genuinely needed outside Vault, and if it is, save
    # it under a path the broad policy does not cover.
    - name: exported
      common_name: vault.vault
      # NOTE(review): presumably keeps bank-vaults from regenerating the root
      # on every reconcile -- verify against the bank-vaults docs.
      create_only: true
      save_to: "secret/data/pki/ca" # save private_key to a kv version 2 location
    roles:
    - name: default
      # With allow_subdomains, anything under these bare labels is issuable
      # (e.g. *.svc, *.default) -- broad for a role named "default".
      allowed_domains: localhost,pod,svc,default
      allow_subdomains: true
      # Each issued certificate gets a lease, so it is tracked and revoked
      # with lease revocation; costs storage per certificate.
      generate_lease: true
      ttl: 30m
# The AWS secrets engine generates AWS access credentials dynamically based on IAM policies.
# See https://www.vaultproject.io/docs/secrets/aws/index.html for more information
- type: aws
  description: AWS secret engine.
  configuration:
    config/root:
    # Root credentials Vault uses to create IAM users, read from the
    # environment like the AWS auth method's. Per Vault docs they need IAM
    # rights to create/delete users and attach the policies named in roles.
    - access_key: ${env "AWS_ACCESS_KEY_ID"} # or you can put the credential literals directly here
      secret_key: ${env "AWS_SECRET_ACCESS_KEY"}
      # Uncomment for root credential rotation
      # see: https://www.vaultproject.io/api/secret/aws/index.html#rotate-root-iam-credentials
      # Once rotated, the key in the environment no longer works (only Vault
      # holds the new one), so nothing else may depend on it.
      # rotate: true
    roles:
    # iam_user: Vault creates a real IAM user per lease and deletes it on
    # revocation; the user gets exactly the managed policies listed.
    - name: simple-user
      credential_type: iam_user
      policy_arns:
      - arn:aws:iam::123456789012:policy/UsersManageOwnCredentials
# The Google Cloud Vault secrets engine dynamically generates Google Cloud service account keys and
# OAuth tokens based on IAM policies.
# See https://www.vaultproject.io/docs/secrets/gcp/index.html for more information
- type: gcp
  config:
    # Service-account JSON key. Backticks instead of double quotes,
    # presumably so the quotes inside the JSON survive ${env} templating;
    # this is the one env reference in the file written that way.
    credentials: ${env `VAULT_GCP_SA_CREDENTIALS`}
  description: GCP secret engine.
  configuration:
    roleset:
    # Access tokens minted for this roleset carry roles/container.admin on
    # the whole project, i.e. full control of every GKE cluster in it. Bind
    # to a narrower resource or role for anything but a cluster admin.
    - name: kubernetes-engine-admin
      secret_type: access_token
      project: my-project
      token_scopes: https://www.googleapis.com/auth/cloud-platform
      bindings: |
        resource "//cloudresourcemanager.googleapis.com/projects/my-project" {
          roles = [ "roles/container.admin" ]
        }
# Registers a new plugin in Vault's plugin catalog. "plugin_directory" setting should be set in Vault server configuration
# and plugin binary should be present in plugin directory. Also, for some plugins readOnlyRootFilesystem Pod Security Policy
# should be disabled to allow RPC communication between plugin and Vault server via Unix socket
# See https://www.vaultproject.io/api/system/plugins-catalog.html and
# https://github.com/hashicorp/go-plugin/blob/master/docs/internals.md for details.
plugins:
- plugin_name: ethereum-plugin
  # From the flag names, the plugin presumably talks to Vault over mTLS using
  # the server's own certificate/key pair, so the plugin process must be able
  # to read the server private key.
  command: ethereum-vault-plugin --ca-cert=/vault/tls/client/ca.crt --client-cert=/vault/tls/server/server.crt --client-key=/vault/tls/server/server.key
  # Vault checks the binary in plugin_directory against this digest before
  # running it (per Vault docs); update it with every plugin release.
  sha256: 62fb461a8743f2a0af31d998074b58bb1a589ec1d28da3a2a5e8e5820d2c6e0a
  type: secret
# Allows configuring Audit Devices in Vault (File, Syslog, Socket).
# See https://www.vaultproject.io/docs/audit/ for more information.
audit:
- type: file
  description: "File based audit logging device"
  options:
    # /tmp is fine for a local run but not for an audit trail: it goes away
    # with the pod/container filesystem. Put it on a persistent, Vault-only
    # volume and ship it off-host. Keep the path writable: per Vault docs,
    # Vault stops serving requests when no enabled audit device can record
    # them.
    file_path: /tmp/vault.log
# Allows writing some secrets to Vault (useful for development purposes).
# See https://www.vaultproject.io/docs/secrets/kv/index.html for more information.
# These values are written verbatim on start-up, so real credentials here
# would be committed together with the config; keep it to dev placeholders
# or use ${env "..."} like the engine configurations above.
startupSecrets:
- type: kv
  path: secret/data/accounts/aws
  # The nested data: key mirrors the kv v2 write API body (the "secret"
  # mount is version 2 above). Readable by every holder of allow_secrets.
  data:
    data:
      AWS_ACCESS_KEY_ID: secretId
      AWS_SECRET_ACCESS_KEY: s3cr3t
# Identity group that carries the allow_secrets policy.
groups:
- name: admin
  policies:
  - allow_secrets
  # metadata is free-form key/values; "privileged" here is a label, not a
  # flag Vault enforces anything on.
  metadata:
    privileged: true
  # external: membership is supplied by an auth method through the alias
  # below, not by members added by hand.
  type: external
# Links the identity group to the group name an auth method reports.
group-aliases:
- name: admin
  mountpath: kubernetes
  # NOTE(review): confirm the kubernetes auth method actually reports a
  # group named "admin" for some login; if it never does, this alias never
  # matches and the group stays empty.
  group: admin