Hashicorp Vault - Human vs. system auth methods - AppRole Pull Authentication - #3

  • Published: 10 Sep 2024

Comments • 28

  • @Mrnw10 2 years ago +3

    Thank you for doing this, really well explained!

  • @arafatkatze 1 year ago +1

    Thanks a lot. This is such a good explanation.

  • @happpyfarm 1 year ago +2

    good content! easy to follow!

  • @rubyashby8303 6 months ago

    Very good presentation... Thank you so much!

    • @learnwithgvr 5 months ago

      Thank you bro, keep learning

  • @gayathchandira5916 2 years ago +1

    This is a really good tutorial. Thanks

  • @SAMRATBASRA 1 year ago +1

    Great work, to-the-point steps...

  • @amarjitkumar8523 1 year ago +2

    Thank you very much... Explained things in a very good way. Cleared lots of my doubts. Do you have any example of accessing Vault from a Spring Boot application?

    • @learnwithgvr 1 year ago

      Glad to hear your feedback. Sorry, I don't have such an example.

  • @OumaymaJERBI-xi5yn 4 months ago

    Very good presentation, thank you 😊. Should we give the application (Jenkins) the RoleID and the SecretID to authenticate, or the generated token?

    • @learnwithgvr 4 months ago

      Yes, you can. The logic here is RoleId and SecretId dual authentication, then generate the token.

  • @Techwolf00 1 year ago +1

    What is the name of the terminal you are using that is caching your previously used commands while showing them as well or where do I go to either download it or install it? I think it's pretty cool and helps to quickly reference your session history.

    • @learnwithgvr 1 year ago +1

      It's the iTerm2 terminal, with a zsh theme and autosuggest installed.

  • @santoshganji6377 11 months ago

    Hello, everyone.
    Does anyone know how we can leverage HashiCorp Vault with an SSH passwordless mechanism using the AppRole auth method?
    Just at a high level, with a real-time example.

    • @learnwithgvr 10 months ago +1

      First, you need to enable the approle auth method on Vault and create a named role with the desired policies and constraints. You can use the Vault CLI or API to do this.
      Next, you need to fetch the Role ID and Secret ID for the approle. The Role ID is a static identifier for the role, while the Secret ID is a dynamic credential that can be generated on demand and has a limited lifetime and use count.
      Then, you need to distribute the Role ID and Secret ID to your ssh clients securely. You can use different channels for each part of the credential, such as environment variables, files, or secrets engines. You can also use a trusted broker service that can request and deliver the Secret ID to the clients at runtime.
      After that, you need to configure your ssh clients to use the approle auth method to authenticate with Vault and obtain a signed public key certificate. You can use a custom script or a tool like Ansible to do this. You also need to have a private key that matches the public key that Vault signs.
      Finally, you need to configure your ssh servers to trust the public key certificate authority (CA) that Vault uses to sign the keys. You also need to specify the principals (usernames) that are allowed to log in with the certificates.
      With this setup, you can use the ssh passwordless mechanism with the approle auth method. The ssh clients will use the Role ID and Secret ID to get a signed public key certificate from Vault, and then use the certificate and the private key to log in to the ssh servers. The ssh servers will verify the certificate signature and the principals against the trusted CA and allow access accordingly.
      A real-time example of this scenario could be a web application that needs to access multiple backend servers via ssh. The web application could use the approle auth method to get a signed public key certificate from Vault, and then use it to execute commands on the backend servers without using passwords. This would improve the security and efficiency of the web application.

    • @santoshganji6377 10 months ago

      @learnwithgvr thanks a lot, sir.

  • @WilsonMar1 1 year ago +1

    What is the URL of the #1 and #2 referenced here?

    • @learnwithgvr 1 year ago +1

      Thanks for watching the video.
      Please refer to learn.hashicorp.com/tutorials/vault/approle

  • @seanriley4263 1 year ago

    Thank you. This is a fantastic explanation. However, I have a question.
    You need to give your "Jenkins" application the RoleID and the SecretID. With those values you can get the token (which in your example only lasts 1 hour), and with that token you have access to the secrets in the vault. However, anybody with access to your application config (I guess where you would keep the RoleID and SecretID) would also then have access to the secrets in the vault (by logging in via the CLI as you demonstrated). Surely this is not secure.
    So my question is: what is the best practice for keeping the RoleID and the SecretID protected? Obviously hardcoding them into your app is not an option; an environment variable is not really an option either (unless you are running in the cloud, I guess).

    • @learnwithgvr 1 year ago +1

      Good question. First thing is, it's an authentication method &
      AppRoles can be protected with policies, i.e. the vault admin can restrict `vault read auth/approle/role/` using policies. RoleId is the username, where SecretId is like the password; vault will generate a new secret value every time you request it. So use this way to generate a new secret (expire the old secret) to achieve protection.
      Also, another approach is... Admins will create some auth method and attach AppRole-specific policies so that legitimate machines will access it.
      Another approach is AppRole Response Wrap for the SecretID; this will have policies to protect it.
      At last, if you still want to keep the RoleID & SecretID secure, encrypt with your own key and pass the decrypt.
      If you are aware of any other better way, please feel free to share. Our learning never ends.
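As an added example (my code, not the video's or any commenter's), the SSH passwordless flow described in the reply to @santoshganji6377 above and the response-wrapping point in this reply, written as a Jenkins-style client against Vault's HTTP API: the SecretID arrives response-wrapped and is unwrapped once, the RoleID/SecretID pair is exchanged for a short-lived token, and that token asks the SSH secrets engine for a certificate. Assumptions: the AppRole and SSH engines are mounted at their default paths, and every role name and token value is a constructed placeholder.

```python
import json
import urllib.request

def vault_http(addr):
    """Real transport: returns a function that makes one JSON call to Vault at addr."""
    def call(method, path, token=None, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(addr + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        if token:
            req.add_header("X-Vault-Token", token)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return call

def unwrap_secret_id(http, wrap_token):
    """Trade the single-use wrapping token for the SecretID, so the SecretID itself never sits in app config."""
    return http("POST", "/v1/sys/wrapping/unwrap", token=wrap_token)["data"]["secret_id"]

def approle_login(http, role_id, secret_id):
    """RoleID ('username') + SecretID ('password') -> short-lived client token and its TTL."""
    auth = http("POST", "/v1/auth/approle/login",
                body={"role_id": role_id, "secret_id": secret_id})["auth"]
    return auth["client_token"], auth["lease_duration"]

def sign_ssh_key(http, token, ssh_role, public_key):
    """The SSH secrets engine (mounted at ssh/) signs the client's public key; sshd trusts it via TrustedUserCAKeys."""
    return http("POST", f"/v1/ssh/sign/{ssh_role}", token=token,
                body={"public_key": public_key})["data"]["signed_key"]

def pull_auth_and_sign(http, role_id, wrap_token, ssh_role, public_key):
    """Whole client-side flow a Jenkins job would run at start: unwrap -> login -> sign."""
    token, ttl = approle_login(http, role_id, unwrap_secret_id(http, wrap_token))
    cert = sign_ssh_key(http, token, ssh_role, public_key)
    return {"token": token, "ttl": ttl, "signed_key": cert}

def fake_vault():
    """Constructed offline stand-in for Vault with fictitious canned values;
    it enforces that the wrapping token is accepted exactly once."""
    wraps = {"hvs.wrap-EXAMPLE": "sid-EXAMPLE"}
    def call(method, path, token=None, body=None):
        if path == "/v1/sys/wrapping/unwrap":
            return {"data": {"secret_id": wraps.pop(token)}}   # second use -> KeyError
        if path == "/v1/auth/approle/login":
            assert body == {"role_id": "rid-EXAMPLE", "secret_id": "sid-EXAMPLE"}
            return {"auth": {"client_token": "hvs.tok-EXAMPLE", "lease_duration": 3600}}
        if path.startswith("/v1/ssh/sign/") and token == "hvs.tok-EXAMPLE":
            return {"data": {"signed_key": "ssh-ed25519-cert-v01@openssh.com CERT-EXAMPLE"}}
        raise PermissionError(f"{method} {path} denied")
    return call
```

Against a real server, replace `fake_vault()` with `vault_http("https://vault.example:8200")` and write the returned `signed_key` next to the private key as `id_ed25519-cert.pub`; nothing but the one-shot wrapping token and the RoleID need to reach the job's configuration.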

  • @maheshreddy4416 2 years ago

    Hi, can you please do a tutorial on the PKI secrets engine?

    • @learnwithgvr 2 years ago

      Sure, will try in upcoming lectures.