
Generate VAULT App role for the RSP

stvoutsin edited this page Feb 16, 2024 · 1 revision

Creating a Vault AppRole and Secret ID

This guide outlines the steps to create a Vault AppRole and Secret ID, including setting up the necessary policy for access control. Vault's AppRole is an authentication mechanism within HashiCorp Vault used to map machine or app identities to policies and secrets.

Prerequisites

You need to have Vault installed and properly configured. Ensure you have appropriate permissions to create policies, AppRoles, and secret IDs in Vault.

Step 1: Create a Policy

Save the following policy configuration to a file named roe.policy (rename as appropriate):

path "secret/k8s_operator/roe/*" {
  capabilities = ["list", "read", "create", "update", "delete", "sudo"]
}

path "auth/token/renew-self" {
  capabilities = ["update"]
}

path "auth/token/lookup-self" {
  capabilities = ["update", "read"]
}

path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "sys/mounts" {
  capabilities = ["read"]
}

path "sys/internal/ui/mounts/secret/k8s_operator/roe/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

Replace "roe" in the paths above with the name of the environment you are setting up the AppRole for.

Step 2: Upload the Policy to Vault

Upload the policy to Vault using the vault policy write command:

vault policy write roepolicy roe.policy

Step 3: Create an AppRole

Create an AppRole that is tied to the policy you uploaded:

vault write auth/approle/role/roe_role policies=roepolicy

Step 4: Retrieve the Role ID

Obtain the Role ID for the newly created AppRole:

vault read auth/approle/role/roe_role/role-id

This will output the Role ID:

Key     Value
---     -----
role_id ...

Step 5: Generate a Secret ID

Generate a Secret ID associated with the AppRole:

vault write -f auth/approle/role/roe_role/secret-id

Vault will return the Secret ID:

Key        Value
---        -----
secret_id  ..
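The five steps above, collected into one parameterised script. This is an added example, not a script from the wiki or the RSP project: it assumes the vault CLI is on PATH, that VAULT_ADDR and VAULT_TOKEN point at a server where the caller may write policies and AppRoles, and that the approle auth method is already enabled (vault auth enable approle). The function names (render_policy, provision_approle) and the --run flag are this example's own; the file, policy and role names follow the wiki's roe.policy / roepolicy / roe_role convention for whatever environment name is passed.

```shell
#!/bin/sh
# Added example (not from the wiki): the five steps as a parameterised script.
# Assumptions: vault CLI on PATH; VAULT_ADDR and VAULT_TOKEN set for a server
# where the caller may write policies and AppRoles; approle auth method enabled.
set -eu

# Step 1: render the policy for an environment name (default "roe").
render_policy() {
  envname="${1:-roe}"
  cat <<EOF
path "secret/k8s_operator/${envname}/*" {
  capabilities = ["list", "read", "create", "update", "delete", "sudo"]
}

path "auth/token/renew-self" {
  capabilities = ["update"]
}

path "auth/token/lookup-self" {
  capabilities = ["update", "read"]
}

path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "sys/mounts" {
  capabilities = ["read"]
}

path "sys/internal/ui/mounts/secret/k8s_operator/${envname}/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
EOF
}

# Steps 2-5: upload the policy, create the AppRole, and print the credentials.
# Names follow the wiki's convention: <env>.policy, <env>policy, <env>_role.
provision_approle() {
  envname="${1:-roe}"
  policy_file="${envname}.policy"
  policy_name="${envname}policy"
  role_name="${envname}_role"

  render_policy "$envname" > "$policy_file"
  vault policy write "$policy_name" "$policy_file"
  vault write "auth/approle/role/${role_name}" policies="$policy_name"

  # -field prints only the value, so the IDs can be captured without parsing
  # the Key/Value table shown in the wiki.
  role_id="$(vault read -field=role_id "auth/approle/role/${role_name}/role-id")"
  secret_id="$(vault write -f -field=secret_id "auth/approle/role/${role_name}/secret-id")"

  printf 'role_id=%s\nsecret_id=%s\n' "$role_id" "$secret_id"
}

# Only talk to Vault when explicitly asked, e.g.: sh approle.sh --run dev
if [ "${1:-}" = "--run" ]; then
  provision_approle "${2:-roe}"
fi
```

Running with --run dev produces dev.policy, a policy named devpolicy and an AppRole named dev_role, then prints the Role ID and Secret ID. Two things worth checking before using this in an environment: the policy grants sudo on sys/mounts/*, which lets the role manage every secrets engine on the server, so narrow it if the operator only needs its own mount; and the role is created with Vault's defaults, so consider passing token_ttl, token_max_ttl and secret_id_num_uses on the vault write line to bound how long a leaked Secret ID stays usable.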

Conclusion

You have successfully created a Vault AppRole and Secret ID with a custom policy for accessing specific paths within Vault. These credentials can now be used by applications or machines for authentication and access control within Vault.

Remember to store the Role ID and Secret ID securely, as they will be used to deploy the RSP for the specified environment.