Join us
@warolv ă» Sep 14,2021 ă» 4 min read ă» 3672 views
If you ever wondered how to save the secrets of HashiCorp's Vault with Jenkins on a daily basis, you can read it in my blog post
I am a DevOps engineer at Cloudify.co and I will share in this post my experience related to automation of Vault backup creation using Jenkins scheduled job and simple python script which I built to create dump of vault secrets.
Letâs start.
Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log.
https://www.vaultproject.io/
Jenkins Pipeline (or simply âPipelineâ with a capital âPâ) is a suite of plugins that supports implementing and integrating continuous delivery pipelines into Jenkins.
https://www.jenkins.io/doc/book/pipeline/
You can read in this tutorial how to run Jenkins on EKS cluster:
https://igorzhivilo.com/jenkins/ci-cd-future-k8s-jenkins/
What you will learn from this post?
How can an application programmatically request a token so that it can read secrets from Vault?
Using the AppRole which is an authentication mechanism within Vault to allow machines or apps to acquire a token to interact with Vault and using the policies you can set access limitations for your app.
It uses RoleID and SecretID for login.
I explained how to do it in detail in my blog post: https://igorzhivilo.com/jenkins/how-to-read-vault-secrets-from-declarative-pipeline/
After you applied everything I wrote in this post:
eventually you will get role_id and secret_id which will be used programmatically with âpython hvacâ.
Another way for 3rd step (apply all needed policies) is to create a policy using Vaultâs UI:
Go to policy tab -> Create ACL Policy
and then run via vault CLI:
Test that you created correctly role_id/secret_id
Simple python script to test auth with vault:
first run âpip install hvacâ.
I am running this script from pod with python container inside of my Kubernetes cluster.
URL of vault in k8s cluster: âhttp://vault.vault.svc.cluster.local:8200'
You will see authentication error if authentication is failed, if you do, make sure you applied all the needed policies, enabled applrole, and generated properly role_id / secret_id.
Validate role_id/secret_id is correct using vault CLI:
$ vault write auth/approle/login \
role_id=YOU_ROLE_ID \
secret_id=YOU_SECRET_ID
In my case, vault_prefix looks like: âsecret/data/jenkinsâ and all secrets stored under âjenkinsâ prefix:
Each key in list has additional subset of keys, for example âawsâ has access_key_id/secret_access_keys
Getting the secrets list (python)
If you have a permissions error on the secrets list, check you have access to metadata, that what you should see in UI for âjenkins policyâ:
If you donât, add using the UI or vault CLI:
Get a specific secret (python)
If you have a permission error, check you have access to data in UI of Vault:
I created VaultHandler which you can find here.
Also, I think to extend it to use different auth methods, besides appRole, create CLI, to run it in the command line and much more :-)
If the idea sounds interesting, add stars to the repo or clone it, I will know this way you like the idea.
Create Jenkins scheduled job for daily vault backup
Now create a new pipeline in jenkins: newitem -> pipeline and make it periodic (daily).
Conclusion
In this post, I described how to automate Vault backup creation using Jenkins scheduled job and simple python script which I built to create dump of vault secrets.
Thank you for reading, I hope you enjoyed it, see you in the next post.
If you want to be notified when the next post of this tutorial is published, please follow me here on medium and on Twitter (@warolv).
Original story on my blog: https://igorzhivilo.com/vault/scheduled-backup-vault-secrets/
Join other developers and claim your FAUN account now!
DevOps Lead, warolv
@warolvInfluence
Total Hits
Posts
Only registered users can post comments. Please, login or signup.