Debug School: Navuru SrinivasaRao

What is Policy and Process of creating sample Policy?

Navuru SrinivasaRao — Tue, 11 Oct 2022 13:12:05 +0000

Policies

Everything in Vault is path-based, and policies are no exception. Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault.
Policies are deny by default, so an empty policy grants no permission in the system.
Capabilities

Each path must define one or more capabilities which provide fine-grained control over permitted (or denied) operations. As shown in the examples above, capabilities are always specified as a list of strings, even if there is only one capability.

To determine the capabilities needed to perform a specific operation, the -output-policy flag can be added to the CLI subcommand. For an example, refer to the Print Policy Requirements document section.

The list of capabilities include the following:

create (POST/PUT) - Allows creating data at the given path. Very few parts of Vault distinguish between create and update, so most operations require both create and update capabilities. Parts of Vault that provide such a distinction are noted in documentation.

read (GET) - Allows reading the data at the given path.

update (POST/PUT) - Allows changing the data at the given path. In most parts of Vault, this implicitly includes the ability to create the initial value at the path.

patch (PATCH) - Allows partial updates to the data at a given path.

delete (DELETE) - Allows deleting the data at the given path.

list (LIST) - Allows listing values at the given path. Note that the keys returned by a list operation are not filtered by policies. Do not encode sensitive information in key names. Not all backends support listing.

vault token create -policy=accounting
vault policy write accounting accounting-fixed.hcl

What are types of Tokens and use case of it

Navuru SrinivasaRao — Tue, 11 Oct 2022 13:04:13 +0000

Token Types

As of Vault 1.0, there are two types of tokens: service tokens and batch tokens.
Root Tokens
Periodic Tokens
Service Tokens

Service tokens are what users will generally think of as "normal" Vault tokens. They support all features, such as renewal, revocation, creating child tokens, and more. They are correspondingly heavyweight to create and track.

»Batch Tokens

Batch tokens are encrypted blobs that carry enough information for them to be used for Vault actions, but they require no storage on disk to track them. As a result they are extremely lightweight and scalable, but lack most of the flexibility and features of service tokens.

Token Type Comparison

This reference chart describes the difference in behavior between service and batch tokens.
Service Tokens Batch Tokens
Can Be Root Tokens Yes No
Can Create Child Tokens Yes No
Can be Renewable Yes No
Can be Periodic Yes No
Can have Explicit Max TTL Yes No (always uses a fixed TTL)
Has Accessors Yes No
Has Cubbyhole Yes No
Revoked with Parent (if not orphan) Yes Stops Working
Dynamic Secrets Lease Assignment Self Parent (if not orphan)
Can be Used Across Performance Replication Clusters No Yes (if orphan)
Creation Scales with Performance Standby Node Count No Yes
Cost Heavyweight; multiple storage writes per token creation Lightweight; no storage cost for token creation

Top 5 Commands working with Policy

Navuru SrinivasaRao — Tue, 11 Oct 2022 12:55:07 +0000

vault token create -policy=accounting
vault policy list
vault policy write secrets-mgmt secrets-mgmt.hcl
vault policy read secrets-mgmt
vault write auth/userpass/users/ned token_policies="secrets-mgmt"
vault policy delete accounting

Top 5 Commands working with tokens

Navuru SrinivasaRao — Tue, 11 Oct 2022 12:48:05 +0000

vault token create -policy=default -ttl=60m
vault token create -type=batch -policy=default -ttl=30m
vault token lookup TOKEN_VALUE
vault token lookup -accessor ACCESSOR_VALUE
vault token revoke -accessor ACCESSOR_VALUE
vault token renew $batch_id
vault token renew -increment=784h
vault token revoke -self

What is top 10 use cases of Hashicorp Vault?

Navuru SrinivasaRao — Mon, 10 Oct 2022 13:34:19 +0000

HashiCorp Vault is an identity-based secrets and encryption management system. Vault validates and authorizes clients (users, machines, apps) before providing them access to secrets or stored sensitive data.

database credential management, Vault can manage your Active Directory accounts, SSH keys, PKI certificates and more.

Data Encryption
Static Secrets
Dynamic Secrets
Identity-Based Access
Key Management

5 Use Case of Approle and Userpass Authentication Methods

Navuru SrinivasaRao — Mon, 10 Oct 2022 13:28:52 +0000

The approle auth method allows machines or apps to authenticate with Vault-defined roles. The open design of AppRole enables a varied set of workflows and configurations to handle large numbers of apps. This auth method is oriented to automated workflows (machines and services), and is less useful for human operators.

An AppRole can be created for a particular machine, or even a particular user on that machine, or a service spread across machines. The credentials required for successful login depend upon the constraints set on the AppRole associated with the credentials

The userpass auth method allows users to authenticate with Vault using a username and password combination.

The username/password combinations are configured directly to the auth method using the users/ path. This method cannot read usernames and passwords from an external source.

we can use it on our different environment such as Dev,QA etc.

Top 10 Commands for Hashicorp Vault Learnt Today?

Navuru SrinivasaRao — Mon, 10 Oct 2022 13:23:16 +0000

vault login
vault server -dev
vault auth enable userpass
vault auth list
vault auth tune -description
vault path-help auth/userpass/
vault write auth/userpass/users/ned password=tacos
vault read auth/approle/role/webapp/role-id
vault write -force auth/approle/role/webapp/secret-id
vault auth disable

List of Authentication Methods in Hashicorp Vault

Navuru SrinivasaRao — Mon, 10 Oct 2022 13:14:55 +0000

Token
userpass
approle
AliCloud
azure cloud
GCP
Oracle Cloud
Kerberos Auth Method
Kubernetes Auth Method
RADIUS Auth Method
LDAP Auth Method
TLS Certificates Auth Method