Generate cloud provider credentials with Vault
Dynamic secrets are a core feature in Vault. A class of dynamic secrets is on-demand, revocable, time-limited access credentials for cloud providers. For example, the Dynamic Secrets getting started tutorial demonstrated the AWS secrets engine to dynamically generate AWS credentials (access key ID and secret access key).
Challenge
To consume cloud provider services (e.g. Azure Kubernetes service or GCP Kubernetes engine), the client must have valid credentials. Each cloud provider has a unique process to manage the full lifecycle of credentials, adding to the complexity of multi-cloud environments.
Solution
Automate the full lifecycle of credential management by integrating your applications with Vault's dynamically generated credentials. The applications request credential from Vault with a time-to-live (TTL) enforcing its validity so that the credentials are automatically revoked when they are no longer used.
In this tutorial, you will deploy Vault and configure Vault's Azure secrets engine to dynamically generate Azure service principals. Vault supports multiple different cloud providers, including Azure, AWS, and GCP.
Benefits
Each app instance can request unique, short-lived credentials. Unique credentials ensures isolated, auditable access and enable revocation of a single client. While short-lived reduces the time frame in which they are valid.
Personas
The end-to-end scenario described in this tutorial involves two personas:
Prerequisites
This tutorial assumes the following:
- You have a Microsoft Azure account
- Vault installed
Policy requirements
Each persona requires a different set of capabilities. These are expressed in policies. If you are not familiar with policies, complete the policies tutorial.
The admin tasks require these capabilities.
The apps tasks require these capabilities.
Lab setup
Note
If you do not have access to an HCP Vault Dedicated cluster, visit the Create a Vault Cluster on HCP tutorial.
Launch the HCP Portal and login.
Click Vault in the left navigation pane.
In the Vault clusters pane, click vault-cluster.
Under Cluster URLs, click Public Cluster URL.
In a terminal, set the
VAULT_ADDR
environment variable to the copied address.Return to the Overview page and click Generate token.
Within a few moments, a new token will be generated.
Copy the Admin Token.
Return to the terminal and set the
VAULT_TOKEN
environment variable.Set the
VAULT_NAMESPACE
environment variable toadmin
.The
admin
namespace is the top-level namespace automatically created by HCP Vault. All CLI operations default to use the namespace defined in this environment variable.Type
vault status
to verify your connectivity to the Vault cluster.
The HCP Vault Dedicated server is ready.
Create an Azure service principal and resource group
(Persona: admin)
To delegate the credential generation task to Vault, you need to give Vault privileged Azure credentials to perform the task. The following demonstrates the creation of a service principal.
Production
The service principal should be dedicated to the Vault secrets engine.
Invoking the rotate-root
command will delete the existing client secret
and generate a new secret known only to Vault.
Note
Refer to the online Azure documentation for more details.
Launch the Microsoft Azure Portal and sign in.
Select Azure Active Directory and select Properties.
Copy the Tenant ID.
In a terminal, set the variable
TENANT_ID
to the Tenant ID.From the side navigation, select App registrations.
Select New registrations.
Enter a desired name in the Name field (e.g.
vault-education
).Click Register.
Copy the Application (client) ID.
In a terminal, set the variable
CLIENT_ID
to the Application (client) ID.From the side navigation, select Certificate & secrets.
Under the Client secrets, click New client secret.
Enter a description in the Description field.
Click Add.
Copy the client secret value.
In a terminal, set the variable
CLIENT_SECRET
to the client secret value.From the side navigation, click API permissions.
Under Configured permissions, click Add a permission.
The Azure Secrets Engine documentation lists the Azure permissions need to be assigned.
Click Microsoft Graph.
Select Application permissions.
Add the following permissions.
Permission Name Type Application.ReadWrite.OwnedBy Application GroupMember.ReadWrite.All Application Note
If you plan to use the rotate root credentials API, you'll need to change
Application.ReadWrite.OwnedBy
toApplication.ReadWrite.All
.Click Add permissions.
Click Grant admin consent for azure to grant the permissions.
Click Yes to confirm consent.
Navigate to the Subscriptions blade.
Click the name of your subscription.
Copy the Subscription ID.
In a terminal, set the variable
SUBSCRIPTION_ID
to the Subscription ID.From the side navigation, click Access control (IAM).
Click Add > Add a role assignment.
Select
User Access Administrator
and click Next.Click Select members.
Enter your application name or application id in the Select field.
Click the application when it is displayed which will add the application to the Selected members list.
Click Select.
Click Review + assign, and then Review + assign gain.
The application is created with the correct permissions and you have these identifiers and credentials:
- Tenant ID
- Client ID
- Client Secret
- Subscription ID
Resource Group
The secrets engine generates credentials within an Azure resource group.
Navigate to the Resource groups blade.
Click Create.
Choose the subscription from the Subscription select field.
Enter
vault-education
in the Resource group field.Click Review + create.
The view changes to display the review page.
Click Create.
The resource group vault-education
is created.
Configure Vault
With the necessary resources configured in Azure, you can configure the Azure secrets engine to dynamically generate Azure service principals.
Enable the Azure secrets engine
Enable the azure secrets engine at its default path.
The secrets engine is enabled at the path azure/
. To enable the secrets engine
at a different path requires that you use the -path
parameter and the desired
path.
Configure the Azure secrets engine
(Persona: admin)
The Azure secrets engine requires the credentials you generated in the create an Azure service principal and resource group step to communicate with Azure and generate service principals.
Verify that your Azure subscription ID, client ID, client ID, and tenant ID are stored as environment variables.
If any of those variables are missing their value, refer to the previous step and set them before proceeding.
Configure the Azure secrets engine with the Azure credentials.
Create a role
(Persona: admin)
A Vault role lets you configure either an existing service principal or a set of Azure roles.
Create a Vault role named, edu-app
mapped to the Azure role named,
Contributor
in the vault-education
resource group.
The role named edu-app
is created.
Request Azure credentials
The role generates credentials with a time-to-live (TTL) of 1 hour and max TTL of 24 hours.
Read credentials from the
edu-app
azure role.Example output:
The results display the credentials, its TTL, and the lease ID.
For applications (apps persona) to request credentials, it requires a Vault policy that grants access to this role. Define a policy named
apps
.The apps policy grants the
read
capability for requests to the pathazure/creds/edu-app
.Create a variable named
APPS_TOKEN
to capture the token created with theapps
policy attached.Note
AppRole Pull Authentication tutorial demonstrates a more sophisticated way of generating a token for your apps.
Read credentials from the
edu-app
azure role with theAPPS_TOKEN
.Example output:
The results display the credentials, its TTL, and the lease ID. The credentials
for this application (service principal) in the Azure Portal searching by its
client_id
.
Note
Re-run the command and notice that the role returns a new set of credentials. This means that each app instance acquires a unique set of Azure credentials.
Manage leases
(Persona: admin)
The credentials are managed by the lease ID and remain valid for the lease duration (TTL) or until revoked. Once revoked the credentials are no longer valid.
List the existing leases.
Example output:
All valid leases for Azure credentials are displayed.
Create a variable that stores the first lease ID.
Renew a lease
If you need to extend the use of the generated Azure credentials, you can renew the lease by passing its lease ID.
Example output:
The TTL of the renewed lease is set to 1h
.
Revoke the leases
When the Azure credentials are no longer needed, you can revoke the lease without waiting for its expiration.
Revoke the least associated with the $LEASE_ID environment variable.
List the existing leases.
The first lease is no longer valid.
Read new credentials from the
edu-app
role.Revoke all the leases with the prefix
azure/creds/edu-app
.The
prefix
flag matches all valid leases with the path prefix ofazure/creds/edu-app
.List the existing leases.
All the leases with this path as a prefix have been revoked.
Summary
You enabled and configured the Azure secrets engine. Learn more by exploring the Azure secrets engine documentation and Azure secrets engine API documentation.
Clean up
The Azure credentials created to configure the secrets engine should be deleted if they are no longer required.
Launch the Microsoft Azure Portal and sign in.
Navigate to Azure Active Directory.
From the side navigation, select App registrations.
Click the vault-education application (or whatever the name you set for the application).
From the application overview, click delete.
Select Yes to delete the application. The application is deleted.
Navigate to Resource groups.
Click the vault-education resource group.
From the resource group overview, click Delete resource group.
Enter
vault-education
in theTYPE THE RESOURCE GROUP NAME:
field.Click Delete. The resource group is deleted.
Stop the Vault server
Unset the
VAULT_TOKEN
environment variable.Unset the
VAULT_ADDR
environment variable.Vault Dedicated users: Unset the
VAULT_NAMESPACE
environment variable.Delete the Vault cluster from the HCP Portal.