evertrust/vault-plugin-secrets-horizon

horizon-secrets-engine

This plugin allows you to create a secrets backend that uses the Horizon API to generate dynamic credentials.

Setup

Register horizon-secrets-engine in plugin catalog

Start the server with the right configuration in vault/server.hcl.

$ vault server -config=vault/server.hcl

In a new terminal, set the VAULT_ADDR to the local Vault server.

$ export VAULT_ADDR='http://127.0.0.1:8200'

Initialize Vault with one key. Save the initial root token and unseal key.

$ vault operator init -key-shares=1 -key-threshold=1

Unseal key 1: $VAULT_UNSEAL_KEY
Initial Root Token: $VAULT_TOKEN

Set VAULT_TOKEN to the root token.

$ export VAULT_TOKEN=$VAULT_TOKEN

Unseal Vault with the unseal key.

$ vault operator unseal $VAULT_UNSEAL_KEY

Calculate the SHA256 sum of the compiled plugin binary.

$ SHA256=$(shasum -a 256 /Path/to/vault/plugins/horizon-secrets-engine | cut -d ' ' -f1)

Register the plugin in the catalog with that checksum:

$ vault plugin register -sha256=$SHA256 secret horizon-secrets-engine

Enabling

Enable the horizon secret engine:

$ vault secrets enable -path=horizon horizon-secrets-engine

Configure Vault

Configure the Horizon connection for a named instance:

$ vault write horizon/config/<instance> \
  horizon_endpoint="..." \
  username="..." \
  password="..."

Vault uses the account specified here to create, update and revoke Horizon credentials. That account must have the permissions required to act on other Horizon users (create, update credentials, delete, etc.).

Rotate-root

After configuring the root user, it is highly recommended that you rotate that user's password so that the account is not accessible to anyone other than Vault itself:

$ vault write -force horizon/rotate-root/<instance>

Usage

Configure Role

Configure a role that maps a name in Vault to the parameters used to create Horizon credentials:

$ vault write horizon/roles/<role-name> \
        instance=<instance> \
        roles=... \
        contact=... \
        ttl=1h \
        max_ttl=24h

Parameter          Description
instance           The Horizon instance defined under horizon/config (mandatory)
roles              Roles predefined in Horizon that you want to assign to the new credential
contact            Email address (mandatory)
ttl                Lifetime of the credential
max_ttl            Maximum lifetime of the credential
password_policy    The password policy used to generate the password
username_policy    The username policy used to generate the username

Credential Generation

After the secrets engine is configured and a user or machine holds a Vault token with the proper permissions, it can generate credentials.

Generate a new credential by reading from the /creds endpoint with the name of the role:

$ vault read horizon/creds/<role-name>
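The "proper permissions" above are expressed as Vault policies. The following pair separates the operator who configures the engine from the consumer who only fetches credentials; this is an added example, not part of the plugin's README, and it assumes the instance is named `prod` and the role `app-role`.

```hcl
# Operator policy: manage the Horizon connection, rotate the root
# account and define roles. Deliberately no access to horizon/creds,
# so operators do not mint credentials through the engine.
path "horizon/config/prod" {
  capabilities = ["create", "update", "read", "delete"]
}

# `vault write -force horizon/rotate-root/prod` is an update.
path "horizon/rotate-root/prod" {
  capabilities = ["update"]
}

path "horizon/roles/*" {
  capabilities = ["create", "update", "read", "delete", "list"]
}

# Consumer policy (attach to the application's token or auth role):
# read-only on exactly one role's creds path, nothing else under horizon/.
# `vault read horizon/creds/app-role` needs only "read".
path "horizon/creds/app-role" {
  capabilities = ["read"]
}
```

Load each file with `vault policy write <name> <file>`; a token with only the consumer policy can obtain credentials for app-role but cannot read the configured Horizon account, change roles, or request credentials for any other role.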
