If for some reason you are feeling confused by using Vault console, that is basic role for 3rd party vault ui install. By default ui is binded to localhost:8201 (next to vault port). It is highly not recommended to expose it outside of the vault box.
Example of usage:
Simple
- {
role: "sa-hashicorp-vault-ui"
}
Advanced
- {
role: "sa-hashicorp-vault-ui"
}
Here and below, vault_ refers for shorthand file from https://github.com/Voronenko/hashi_vault_utils toolkit, namely
#!/bin/sh
VAULT_BASE_URL=${VAULT_ADDR-http://localhost:8200}
echo vault $1 -address=$VAULT_BASE_URL $2 $3 $4 $5 $6 $7 $8 $9
vault $1 -address=$VAULT_BASE_URL $2 $3 $4 $5 $6 $7 $8 $9
Upon vault initialization it is recommended to use restricted tokens with expiration
For example,
./vault_create_token_with_policy.sh root
Enable for role support
./vault_ auth-enable approle
Prepare policy for vault UI
vault policy-write --address=http://localhost:8200 goldfish ./goldfish_vault_policy.hcl
where policy is:
# [mandatory]
# store goldfish run-time settings here
# goldfish hot-reloads from this endpoint every minute
path "secret/goldfish" {
capabilities = ["read", "update"]
}
# [optional]
# to enable transit encryption, see wiki for details
path "transit/encrypt/goldfish" {
capabilities = ["read", "update"]
}
path "transit/decrypt/goldfish" {
capabilities = ["read", "update"]
}
# [optional]
# for goldfish to fetch certificates from PKI backend
path "pki/issue/goldfish" {
capabilities = ["update"]
}
Configure secret setup for app role
./vault_ write auth/approle/role/goldfish role_name=goldfish policies=default,goldfish secret_id_num_uses=1 secret_id_ttl=5m period=24h token_ttl=0 token_max_ttl=0
./vault_ write auth/approle/role/goldfish/role-id role_id=goldfish
./vault_ write secret/goldfish DefaultSecretPath="secret/" UserTransitKey="usertransit" BulletinPath="secret/bulletins/"
# [optional] to enable transit encryption:
# write key ServerTransitKey="goldfish" in the runtime settings (above)
# and run the following line to initialize the key:
./vault_ write -f transit/keys/goldfish
Navigate to vault-ui at your_host:8201
you should be asked for initial wrapped token to be produced with command
vault write -f -wrap-ttl=5m auth/approle/role/goldfish/secret-id
do it.
./vault_ write -f -wrap-ttl=5m auth/approle/role/goldfish/secret-id
Note value for wrapping_token and use it in the UI (note you have 5m only)
Congratulations! Your vault_ui is now properly activated
If you installed the sa-hashicorp-vault-ui
role using the command
ansible-galaxy install softasap.sa-hashicorp-vault-ui
the role will be available in the folder library/softasap.sa-hashicorp-vault-ui
Please adjust the path accordingly.
- {
role: "softasap.sa-hashicorp-vault-ui"
}
requirements.yml snippet:
- src: softasap.sa-hashicorp-vault-ui
name: sa-hashicorp-vault-ui
Code is dual licensed under the [BSD 3 clause] (https://opensource.org/licenses/BSD-3-Clause) and the [MIT License] (http://opensource.org/licenses/MIT). Choose the one that suits you best.
Reach us:
Subscribe for roles updates at [FB] (https://www.facebook.com/SoftAsap/)
Join gitter discussion channel at Gitter
Discover other roles at http://www.softasap.com/roles/registry_generated.html
visit our blog at http://www.softasap.com/blog/archive.html