vault-controller is a binary built to manage the HashiCorp Vault client token for you. vault-controller will take the Vault auth response manage your TTL for you. This is an inspiration from Kelsey Hightower and his vault-controller for managing renewal in kubernetes pods.
- Easy: Make it easy to use
- Eliminate the need to
echo "0 */5 * * * root /usr/local/bin/vault token-renew" > /etc/cron.d/renew-vault-token
-
Install golang, version 1.7 or greater is recommended
-
Install
govendorif you haven't alreadygo get -u github.com/kardianos/govendor -
Clone the repo
git clone (this repo) cd vault-controller -
Build the binary
go build -
Copy the binary
vault-controllerto wherever you'd like
If you'd like to build a debian package you need to make sure you have fpm installed first:
- Install
fpm - Run
./make_deb.sh
- Stand up a local Vault server listening on default port - 127.0.0.1:8200
- Enable the
userpassAuth backend - Create a user called
testuserwith a password oftestpasswordand assign the default policy - Run
./login.sh - Run
./vault-controller --addr=http://127.0.0.1:8200 --log_level=info --log_fmt=json --token_file=.vault-responseto enable renewal of your Vault client token
- Stand up Vault with
AWS EC2Auth Backend - Authorized a role called
example prodwith a 12 hour ttl - Launch an EC2 instance and authenticate with Vault. Write the output to
/vault/.vault-response - Install vault-controller as a service
- Start vault-controller -
service vault-controller startto auto renew the Vault client token
{"request_id":"1b105e2e-4996-77e6-a4b7-37583b124ea2","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":null,"auth":{"client_token":"2c89f2ec-d50f-4821-9032-de2664589d26","accessor":"5cfa295b-2b5c-44bd-86c7-67ce90741e37","policies":["default","service/gitlab-dev"],"metadata":{"account_id":"123456789123","ami_id":"ami-00000000","instance_id":"i-837dadd923847109a","nonce":"Gtp5msp3jEq759qpIvntP","region":"us-west-2","role":"example-prod","role_tag_max_ttl":"0s"},"lease_duration":43200,"renewable":true}}
{"level":"info","msg":"Starting vault-controller...","time":"2017-03-09T00:01:49Z"}
{"level":"info","msg":"Reading vault secret file from /vault/.vault-response","time":"2017-03-09T00:01:49Z"}
{"level":"info","msg":"token-renew: Successfully renewed the client token; next renewal in 21600 seconds","time":"2017-03-09T00:01:50Z"}
{"level":"info","msg":"token-renew: Successfully renewed the client token; next renewal in 21600 seconds","time":"2017-03-09T06:01:52Z"}
{"level":"info","msg":"token-renew: Successfully renewed the client token; next renewal in 21600 seconds","time":"2017-03-09T12:01:54Z"}
{"level":"info","msg":"token-renew: Successfully renewed the client token; next renewal in 21600 seconds","time":"2017-03-09T18:01:57Z"}
{"level":"info","msg":"token-renew: Successfully renewed the client token; next renewal in 21600 seconds","time":"2017-03-10T00:01:59Z"}
{"level":"info","msg":"token-renew: Successfully renewed the client token; next renewal in 21600 seconds","time":"2017-03-10T06:02:01Z"}
{"level":"info","msg":"token-renew: Successfully renewed the client token; next renewal in 21600 seconds","time":"2017-03-10T12:02:03Z"}
{"level":"info","msg":"token-renew: Successfully renewed the client token; next renewal in 21600 seconds","time":"2017-03-10T18:02:05Z"}
{"level":"info","msg":"token-renew: Successfully renewed the client token; next renewal in 21600 seconds","time":"2017-03-11T00:02:06Z"}
{"level":"info","msg":"token-renew: Successfully renewed the client token; next renewal in 21600 seconds","time":"2017-03-11T06:02:08Z"}
{"level":"info","msg":"token-renew: Successfully renewed the client token; next renewal in 21600 seconds","time":"2017-03-11T12:02:10Z"}