This repository provides a demo of HashiCorp Vault Secrets Sync.

HashiCorp Vault Secrets Sync

Overview

Secrets Sync allows you to automatically sync secrets from Vault Enterprise to a variety of third-party platforms, including AWS, Azure, GCP, GitHub, and Vercel.

Diagram

Demo

Infrastructure Setup

cd vault-secrets-sync-demo/tf
# add `vault_license` to .auto.tfvars
terraform apply
export VAULT_ADDR=$(terraform output -raw vault_addr)
cd ..

Vault Init

vault operator init -key-shares=1 -key-threshold=1 -format=json > init.json
# quote the jq filter so the shell does not treat [0] as a glob pattern
vault operator unseal $(jq -r '.unseal_keys_hex[0]' init.json)
export VAULT_TOKEN=$(jq -r '.root_token' init.json)

Vault Setup

vault write -f sys/activation-flags/secrets-sync/activate
vault secrets enable -version=2 kv

Add Secrets (Manual)

vault kv put kv/path/to/secret \
  username="foo" \
  password=$RANDOM \
  uuid=$(uuidgen)

Add Secrets (Bulk)

Perform this step from your local machine.

./scripts/aws-to-vault.sh

Setup Destination (Account + Region)

# default template
vault write sys/sync/destinations/aws-sm/demo-use2 \
  role_arn="arn:aws:iam::$AWS_ACCOUNT_ID:role/demo-secrets-sync" \
  region="us-east-2"

# custom template (be cautious of overwrites)
# https://developer.hashicorp.com/vault/docs/sync#name-template
vault write sys/sync/destinations/aws-sm/demo-use2-templated \
  role_arn="arn:aws:iam::$AWS_ACCOUNT_ID:role/demo-secrets-sync" \
  region="us-east-2" \
  secret_name_template="vault/{{ if .NamespacePath }}{{ .NamespacePath }}/{{ else }}{{ end }}{{ .MountPath }}/{{ .SecretPath }}"
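The `secret_name_template` above is a Go text/template, so how it names secrets in AWS Secrets Manager can be checked offline before any destination is created. The following is an added example, not code from this repository: the field names come from the template on this page, the accessor-based default template is taken from the linked docs (assumed here), the accessor values and paths are constructed, and it shows why a template built only from mount path and secret path can make two Vault secrets overwrite each other where the default does not.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// SecretMeta holds the fields the README template references plus .MountAccessor,
// which the default template uses. Assumption: Vault passes paths without trailing slashes.
type SecretMeta struct {
	NamespacePath, MountPath, MountAccessor, SecretPath string
}

// The custom template from this README and the accessor-based default from the linked docs.
const PageTemplate = "vault/{{ if .NamespacePath }}{{ .NamespacePath }}/{{ else }}{{ end }}{{ .MountPath }}/{{ .SecretPath }}"
const DefaultTemplate = "vault/{{ .MountAccessor }}/{{ .SecretPath }}"

// Render evaluates a secret_name_template against one secret's metadata.
func Render(tmpl string, m SecretMeta) (string, error) {
	t := template.Must(template.New("name").Parse(tmpl))
	var sb strings.Builder
	if err := t.Execute(&sb, m); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// NameCounts counts secrets per rendered destination name; a count above 1 means overwrites in AWS.
func NameCounts(tmpl string, secrets []SecretMeta) (map[string]int, error) {
	counts := map[string]int{}
	for _, s := range secrets {
		name, err := Render(tmpl, s)
		if err != nil {
			return nil, err
		}
		counts[name]++
	}
	return counts, nil
}

func main() {
	// Constructed sample: the "kv" mount disabled and re-enabled (new accessor, same path).
	s := []SecretMeta{
		{MountPath: "kv", MountAccessor: "kv_1a2b3c4d", SecretPath: "path/to/secret"},
		{MountPath: "kv", MountAccessor: "kv_9f8e7d6c", SecretPath: "path/to/secret"},
	}
	fmt.Println(NameCounts(PageTemplate, s))    // map[vault/kv/path/to/secret:2] <nil>
	fmt.Println(NameCounts(DefaultTemplate, s)) // two distinct names, no overwrite
}
```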

Sync Secrets (Manual)

vault write sys/sync/destinations/aws-sm/demo-use2/associations/set \
  mount="kv" \
  secret_name="path/to/secret"

Sync Secrets (Bulk)

Perform this step from your local machine.

./scripts/vault-to-aws.sh

AWS Console

View the replicated secrets in AWS Secrets Manager.

Modify Secrets in Vault

Perform the modifications below in Vault, then view the changes replicated in AWS Secrets Manager.

vault kv patch kv/path/to/secret foo="bar" hello="world"

Vault UI

View the secrets and secrets sync settings within the Vault UI.

Cleanup

./scripts/cleanup.sh
cd tf/
terraform destroy