A hiera-eyaml encryption plugin for Vault's transit engine

Hiera-Eyaml-Vault

Introduction

This library is a plugin for hiera-eyaml that enables encryption and decryption of Hiera data using the Transit Secrets Engine of HashiCorp Vault. The key never leaves Vault: every encrypt or decrypt is an authenticated API call to the transit engine, so access to the data is controlled by Vault policy rather than by a key file on the Puppet master.

Installation

Follow the hiera-eyaml instructions to install and configure hiera-eyaml first. This extension is then installed as a rubygem:

$ gem install hiera-eyaml-vault

Configuration

Vault setup

To use Vault as encryption-as-a-service with this plugin you need to enable the transit engine on the Vault server, create a key for Hiera, and give hiera-eyaml-vault credentials with which to authenticate against Vault. The following steps should be run on your Vault server.

Enable the transit engine

$ vault secrets enable transit

Create a key for Hiera to encrypt and decrypt data

$ vault write -f transit/keys/hiera

Create a policy for Hiera

Edit a file called hiera_policy.hcl with the following contents

path "transit/*" {
  capabilities = [ "read", "list", "create", "update", "delete" ]
}

This policy is broader than the plugin needs: it lets the Hiera credentials create, rotate and delete every key under transit/, so a leaked secret_id could destroy the key that all existing eyaml data depends on. Encrypting and decrypting with the hiera key only requires the update capability on transit/encrypt/hiera and transit/decrypt/hiera, so restrict the policy to those two paths unless the same credentials are also meant to manage the key.

Next, add the policy with the following command

$ vault policy write hiera hiera_policy.hcl

Create an AppRole that uses the Hiera policy (this assumes the AppRole auth method is already enabled on the server). token_ttl=10m keeps each login token short-lived; the plugin holds only the role_id and secret_id and obtains a fresh token when it needs one.

$ vault write auth/approle/role/hiera token_ttl=10m policies=hiera

Copy the credentials

Hiera-eyaml-vault requires the role_id and secret_id of that role to be configured; obtain them with the following commands. The secret_id is a credential: anyone holding it together with the role_id can decrypt every value encrypted with the hiera key, so store it with the same care as a private key.

$ vault read auth/approle/role/hiera/role-id
$ vault write -f auth/approle/role/hiera/secret-id

Configuring hiera-eyaml-vault

Options

See the Hiera-Eyaml documentation for integrating Hiera with Eyaml and for enabling encryption plugins. The following options are configurable for this plugin. In the eyaml config file (and on the command line) the options other than vault_addr are given with the vault_ plugin prefix, for example vault_role_id, as the example below shows:

  • vault_addr: URL of the Vault server to connect to (default https://127.0.0.1:8200)
  • role_id: Role ID used to authenticate (see above)
  • secret_id: Secret ID used to authenticate (see above)
  • use_ssl: Boolean, whether to use SSL to connect to Vault (default true)
  • ssl_verify: Boolean, whether to verify the server's SSL certificate when connecting to Vault (default true)
  • keyname: Name of the Vault transit key to use (see above) (default: hiera)
  • api_version: Version of the Vault API to use (default: 1)

Example

cat ~/.eyaml/config.yaml

---
encrypt_method: vault
vault_addr: https://vault.corp.com:8200
vault_role_id: 987ad87-77dd-339a-787b-798793872a
vault_secret_id: 66255f7-225c-112a-b565-99873626f3
vault_ssl_verify: false

Note that this example disables certificate verification. Do this only against a test server: with vault_ssl_verify: false the connection can be intercepted, exposing the secret_id and every plaintext the plugin sends or receives. This file also holds the secret_id, so keep it readable only by the user running eyaml.

Usage

Once configured, the plugin is used like any other hiera-eyaml encryption method; the tag VAULT identifies Vault-encrypted strings. The payload after the tag is the base64 encoding of the ciphertext string Vault returns (vault:v1:..., where v1 is the key version), which is useless without access to the hiera key in Vault, e.g.:

$ eyaml encrypt -s foobar
string: ENC[VAULT,dmF1bHQ6djE6WlNqb3BzZUZhZ044b3NnT3hwRG9Jb1JzYVFwbHVkRVo3QTZreDlCMmRyMEI3dz09]

or, in block form:

block: >
    ENC[VAULT,dmF1bHQ6djE6WlNqb3BzZUZhZ044b3NnT3hwRG9Jb1JzYVFwbHVkRVo3QTZr
    eDlCMmRyMEI3dz09]
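To make the token format concrete, here is an added Ruby example (it is not the plugin's own code) that unwraps the token printed above, folds it into the 60-column block form, and reconstructs the two Vault API calls a decrypt depends on: the AppRole login and the POST to transit/decrypt/hiera. The URL paths and JSON fields are Vault's public API for api_version 1; the helper names are this example's own and the Vault reply it decodes is a constructed sample.

```ruby
require "base64"
require "json"

# Added illustration, not code from hiera-eyaml-vault. It shows what the
# ENC[VAULT,...] payload is (base64 of Vault's own ciphertext string) and
# the Vault HTTP calls a decrypt needs. Paths and body fields are Vault's
# public API for api_version 1; the helper names are this example's own.

ENC_RE = /\AENC\[VAULT,([A-Za-z0-9+\/=\s]+)\]\z/

# Unwrap an eyaml token into the transit ciphertext string "vault:vN:<base64>".
# Whitespace inside the payload is dropped so the 60-column block form from
# a YAML folded scalar decodes exactly like the single-line string form.
def unwrap_token(token)
  m = ENC_RE.match(token.strip)
  raise ArgumentError, "not an ENC[VAULT,...] token" unless m
  ciphertext = Base64.strict_decode64(m[1].gsub(/\s+/, ""))
  prefix, version, body = ciphertext.split(":", 3)
  unless prefix == "vault" && version =~ /\Av\d+\z/ && body
    raise ArgumentError, "not a transit ciphertext"
  end
  # For the default aes256-gcm96 key type the blob is nonce(12) || ciphertext || tag(16),
  # so the 6-byte "foobar" gives a 34-byte blob.
  { ciphertext: ciphertext,
    key_version: version.delete_prefix("v").to_i,
    blob_bytes: Base64.strict_decode64(body).bytesize }
end

# Wrap a transit ciphertext the way hiera-eyaml emits it: one line for the
# string form, or folded at 60 columns with a 4-space indent for the block form.
def wrap_token(ciphertext, block: false)
  payload = Base64.strict_encode64(ciphertext)
  return "ENC[VAULT,#{payload}]" unless block
  "ENC[VAULT,#{payload.scan(/.{1,60}/).join("\n    ")}]"
end

# Request that turns role_id/secret_id into a client token. Vault answers with
# {"auth":{"client_token":...}}; with token_ttl=10m on the role that token is
# short-lived, which is why only the role credentials live in config.yaml.
def approle_login_request(vault_addr, role_id, secret_id)
  { method: "POST", url: "#{vault_addr}/v1/auth/approle/login",
    body: { role_id: role_id, secret_id: secret_id } }
end

# Transit never handles raw bytes: plaintext goes in and comes out base64-encoded.
def transit_encrypt_request(vault_addr, client_token, keyname, plaintext)
  { method: "POST", url: "#{vault_addr}/v1/transit/encrypt/#{keyname}",
    headers: { "X-Vault-Token" => client_token },
    body: { plaintext: Base64.strict_encode64(plaintext) } }
end

def transit_decrypt_request(vault_addr, client_token, keyname, ciphertext)
  { method: "POST", url: "#{vault_addr}/v1/transit/decrypt/#{keyname}",
    headers: { "X-Vault-Token" => client_token },
    body: { ciphertext: ciphertext } }
end

# Decrypt responses look like {"data":{"plaintext":"<base64>"}}.
def plaintext_from_response(json)
  Base64.strict_decode64(JSON.parse(json).fetch("data").fetch("plaintext"))
end

# The string printed by `eyaml encrypt -s foobar` in the README above.
README_TOKEN = "ENC[VAULT,dmF1bHQ6djE6WlNqb3BzZUZhZ044b3NnT3hwRG9Jb1JzYVFwbHVkRVo3QTZreDlCMmRyMEI3dz09]"

if $PROGRAM_NAME == __FILE__
  info = unwrap_token(README_TOKEN)
  puts info[:ciphertext]   # vault:v1:ZSjopseFagN8osgOxpDoIoRsaQpludEZ7A6kx9B2dr0B7w==
  puts "key version #{info[:key_version]}, #{info[:blob_bytes]} ciphertext bytes"
  puts wrap_token(info[:ciphertext], block: true)
  req = transit_decrypt_request("https://vault.corp.com:8200", "<client token>", "hiera", info[:ciphertext])
  puts "#{req[:method]} #{req[:url]} #{req[:body].to_json}"
  # Constructed sample of Vault's reply to that request (the real one needs the key).
  puts plaintext_from_response('{"data":{"plaintext":"Zm9vYmFy"}}')   # foobar
end
```

Unwrapping the token only reveals the key version and the blob size; recovering "foobar" still requires a client token whose policy allows update on transit/decrypt/hiera, which is exactly the permission the Vault policy above controls.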

Maintainer

Written by Craig Dunn craig@craigdunn.org

With thanks to Sixt