Combining secrets and identity management to seamlessly provide role-based access to developers in an organization using Vault. The sourcecode will help with setting up infrastucture on the AWS network using Terraform.
Vault will securely help store/generate ephemeral secrets to access various resources within the AWS cloud. The role-based access will be provided to users belonging to particular teams within an organization in GitHub.
The following architecture diagram shows how the Vault cluster is fronted by a classic ELB that routes network traffic to the Vault servers:
The source code is inspired by Hashicorp's best practices guide that can be found here along with the following webinars:
- Terraform Getting Started
- Terraform Docs
- Consul Getting Started
- Consul Docs
- Vault Getting Started
- Vault Docs
Follow along to quickly set up all your infrastructure and have it (production) ready in minutes.
Things you will need to install:
Follow instructions in the private-tls-cert directory of this repository to create a CA public key along with public/private keys for a TLS certificate signed by this CA.
You will want to modify some of the variables in variables.tf based on your individual needs. Once these certificates are generated, you will bake them into your AMIs in the next step.
Follow instructions in the vault-consul-ami directory of this repository to create an AMI of your choice. Ubuntu-18 is the recommended OS as it has proved to work well with the rest of the modules in this project (packer build -only ubuntu18-ami vault-consul.json).
Initialize Terraform - download providers and modules. Run a terraform plan to ensure Terraform will provision what you expect. Run a terraform apply to provision the HashiStack. Once provisioned, view the zREADME instructions output from Terraform for next steps.
> terraform init
> terraform plan
> terraform applyGo into the terraform-aws-ssh-clients directory and modify variables in variables.tf as necessary. Then run the same terraform commands as before to initialize, plan, and then apply the changes in AWS:
> terraform init
> terraform plan
> terraform applyMake note of the public ip addresses that get written out to the console. These are the IPs you will use on your ansible hosts file in the next step.
Create a file named hosts in /etc/ansible/ on your local machine and add the following code-snippet (replacing the public IPs and the access key paths with your corresponding values):
[ca_ssh_clients]
50.16.152.201 ansible_ssh_private_key_file=/Users/ashishbaiju/.ssh/ab-main.pem
[otp_ssh_clients]
34.225.211.99 ansible_ssh_private_key_file=/Users/ashishbaiju/.ssh/ab-main.pem
Go into the ansible directory within the terraform-aws-ssh-clients directory and run the following commands to configure your remote hosts as desired (peek into the yaml files to see how the hosts group is defined - this is what's looked at in your main hosts file in /etc/ansible/hosts):
> ansible-playbook ca-playbook.yaml
> ansible-playbook otp-playbook.yamlNow that you have your infrastructure setup, you can connect to Vault via the ELB. Because you have used self-signed TLS certificates to setup the infra, you will need to trust the CA on your keychain (macOS). Once this is done, navigate to your DNS endpoint that you setup with Route53 earlier. In my case it is https://vault.insight-ab.net. You can still use the DNS endpoint for the ELB as well to connect instead - something like https://vault-ab-406229621.us-east-1.elb.amazonaws.com.
Follow these instructions to login to your Vault after it has been unsealed:
> vault login
> ## this is when you will be prompted for a token
> vault login -method=github
> ## this is for your users to login with their GitHub access tokensTo set up Vault with the OTP/CA configuration, you can run the configure-vault.sh script in the scripts directory once logged in with your root credentials on an unsealed Vault. Please update the config files within policies & roles according to your own needs.
For a full recording of the demo, please visit here.