# Generate a Vault AppRole for the RSP
This guide outlines the steps to create a Vault AppRole and Secret ID, including setting up the necessary policy for access control. Vault's AppRole is an authentication mechanism within HashiCorp Vault used to map machine or app identities to policies and secrets.
You need to have Vault installed and properly configured, and you need a token with permission to create policies, AppRoles, and secret IDs in Vault.
Save the following policy configuration to a file, for example roe.policy (rename as appropriate); the policy itself will be registered in Vault under the name roepolicy in the next step:
```hcl
path "secret/k8s_operator/roe/*" {
  capabilities = ["list", "read", "create", "update", "delete", "sudo"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}
path "auth/token/lookup-self" {
  capabilities = ["update", "read"]
}
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/mounts" {
  capabilities = ["read"]
}
path "sys/internal/ui/mounts/secret/k8s_operator/roe/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
```
Replace "roe" with the environment you are setting up the AppRole for.

Upload the policy to Vault using the `vault policy write` command:

```shell
vault policy write roepolicy roe.policy
```
Create an AppRole that is tied to the policy you uploaded:

```shell
vault write auth/approle/role/roe_role policies=roepolicy
```

Obtain the Role ID for the newly created AppRole:

```shell
vault read auth/approle/role/roe_role/role-id
```

This will output the Role ID:

```text
Key        Value
---        -----
role_id    ...
```
Generate a Secret ID associated with the AppRole:

```shell
vault write -f auth/approle/role/roe_role/secret-id
```

Vault will return the Secret ID:

```text
Key          Value
---          -----
secret_id    ...
```
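The steps above, collected into one script as an added example (this is not the project's own tooling). It renders the page's policy for a given environment name, registers the policy and AppRole, pulls the Role ID and Secret ID with `-field` so no JSON parsing is needed, and then performs the check you want before handing the pair to a deployment: logging in with it and confirming the resulting token actually carries the policy. The `secret_id_num_uses`, `secret_id_ttl`, `token_ttl` and `token_max_ttl` values are assumptions chosen to bound the credential's lifetime; adjust them for your deployment.

```shell
#!/usr/bin/env sh
# Added example: bootstrap a per-environment Vault AppRole for the RSP and
# verify the credentials work. Not part of the original project.
set -eu

# Render the policy from the guide with "roe" replaced by the given environment.
render_policy() {
  env="$1"
  cat <<EOF
path "secret/k8s_operator/${env}/*" {
  capabilities = ["list", "read", "create", "update", "delete", "sudo"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}
path "auth/token/lookup-self" {
  capabilities = ["update", "read"]
}
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/mounts" {
  capabilities = ["read"]
}
path "sys/internal/ui/mounts/secret/k8s_operator/${env}/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
EOF
}

# Register the policy, create the role, and print "<role_id> <secret_id>".
bootstrap_approle() {
  env="$1"
  policy_file="$(mktemp)"
  render_policy "$env" > "$policy_file"
  vault policy write "${env}policy" "$policy_file"
  rm -f "$policy_file"
  # TTL and use-count limits are assumed values, not from the guide:
  # a single-use, short-lived Secret ID limits the damage if it leaks in transit.
  vault write "auth/approle/role/${env}_role" \
    policies="${env}policy" \
    secret_id_num_uses=1 secret_id_ttl=10m \
    token_ttl=1h token_max_ttl=4h >/dev/null
  role_id="$(vault read -field=role_id "auth/approle/role/${env}_role/role-id")"
  secret_id="$(vault write -f -field=secret_id "auth/approle/role/${env}_role/secret-id")"
  printf '%s %s\n' "$role_id" "$secret_id"
}

# Log in with the pair and confirm the issued token lists the policy.
# Returns non-zero if the login fails or the policy is missing.
verify_login() {
  role_id="$1"; secret_id="$2"; env="$3"
  token="$(vault write -field=token auth/approle/login \
    role_id="$role_id" secret_id="$secret_id")"
  VAULT_TOKEN="$token" vault token lookup -field=policies | grep -q "${env}policy"
}

# Usage (against a reachable Vault with VAULT_ADDR and VAULT_TOKEN set):
#   creds="$(bootstrap_approle roe)"
#   verify_login ${creds} roe && echo "AppRole for roe is usable"
```

Note that with `secret_id_num_uses=1` the verification login consumes the Secret ID, so in practice you would issue a fresh one for the actual deployment after the check passes. The script deliberately keeps the guide's policy unchanged; the `sys/mounts/*` block grants create and delete on secrets engines, so review whether the RSP for a given environment truly needs that before reusing the policy elsewhere.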
## Conclusion

You have successfully created a Vault AppRole and Secret ID with a custom policy for accessing specific paths within Vault. These credentials can now be used by applications or machines for authentication and access control within Vault.

Remember to securely store the Role ID and Secret ID, as they will be used to deploy the RSP for the specified environment.