user3162553

Reputation: 2859

Manually Creating a Root Token in Vault (the hard way)

Ok, so I have an application that I inherited for which we do not know the root token, and we do not have any recovery keys or unseal keys. The problem is, we cannot authenticate into Vault at all and we also cannot have the instance go down.

I do have access to the datastore it uses (DynamoDB) and the encrypting keys. My assumption is that it would be possible in theory to manually add an entry and set a password directly on the underlying datastore instance so that we can have a root account again.

I know this one is weird but we cannot re-initialize the database.

Any thoughts on how this could be done?

Upvotes: 1

Views: 8208

Answers (2)

ixe013

Reputation: 10171

No matter how bad the breakup was with the previous administrator, call him and ask for the shards. Now. It's an emergency.

To create a root token, you need a quorum of shards. A shard is a large number that could be in base64. For example, this is what the same shard looks like in both formats:

  • 9PTUFNoCFapAvxQ2L72Iox/hmpjyHGC5PpkDj9itaMo=
  • f4f4d414da0215aa40bf14362fbd88a31fe19a98f21c60b93e99038fd8ad68ca

You can mix and match formats, but each shard can be only entered once.

Run the command vault status to know how many different shards you need to find. The default Threshold is 3:

$ vault status
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3

If you do get your hands on some shards, enter the command vault operator generate-root and enter them at the prompt. Don't cancel the ongoing root token generation: if someone entered a shard some time in the past, Vault has it (even if you don't). vault operator generate-root -status will tell you if Vault already has some shards. Here is an example where the first shard of three was entered:

$ vault operator generate-root -status
Nonce         9f435314-ce20-4716-cea7-a083de224e4e
Started       true
Progress      1/3
Complete      false
OTP Length    26

If you can't find the shards, you are in trouble. You will have to find a password and read all the secrets one by one (can be scripted), ideally every version of them. You say you can't log in, so you might have to ask your user to do it.

Keep in mind that some backends (like the PKI) can't be exported manually, not even by root.

Upvotes: 2
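A small model of the shard bookkeeping this answer describes, added here as an illustration (it is not Vault's code): a shard typed as hex or as base64 decodes to the same bytes, a shard counts toward the threshold only once whichever format it was entered in, and progress is reported the way generate-root -status shows it. The two shard strings are the ones from the answer; the RootGeneration class and its method names are this example's own.

```python
import base64
import binascii

# The same shard in both formats, copied from the answer above.
SHARD_B64 = "9PTUFNoCFapAvxQ2L72Iox/hmpjyHGC5PpkDj9itaMo="
SHARD_HEX = "f4f4d414da0215aa40bf14362fbd88a31fe19a98f21c60b93e99038fd8ad68ca"


def decode_shard(text):
    """Accept a shard typed as hex or base64 and return its raw bytes.

    Hex is tried first: the hex alphabet is a subset of base64's, so a
    64-character hex shard would otherwise be mis-read as 48 base64 bytes.
    """
    text = text.strip()
    try:
        return bytes.fromhex(text)
    except ValueError:
        pass
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("shard is neither valid hex nor valid base64")


class RootGeneration:
    """Illustrative model (not Vault's implementation) of the progress that
    `vault operator generate-root -status` reports: each distinct shard counts
    once toward the threshold, regardless of the format it was entered in."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.shards = set()  # raw bytes of every shard accepted so far

    def enter(self, text):
        raw = decode_shard(text)
        if raw in self.shards:
            return "duplicate shard ignored, progress " + self.progress()
        self.shards.add(raw)
        return "progress " + self.progress()

    def progress(self):
        return "%d/%d" % (len(self.shards), self.threshold)

    def complete(self):
        return len(self.shards) >= self.threshold


if __name__ == "__main__":
    gen = RootGeneration(threshold=3)
    print(gen.enter(SHARD_B64))  # progress 1/3
    print(gen.enter(SHARD_HEX))  # same shard again: duplicate shard ignored, progress 1/3
```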

Sapna

Reputation: 683

You can try one of the below -

  • The initial root token generated at vault operator init time -- this token has no expiration
  • By using another root token; a root token with an expiration cannot create a root token that never expires
  • By using vault operator generate-root (example) with the permission of a quorum of unseal key holders

Root tokens are useful in development but should be extremely carefully guarded in production. In fact, the Vault team recommends that root tokens are only used for just enough initial setup (usually, setting up auth methods and policies necessary to allow administrators to acquire more limited tokens) or in emergencies, and are revoked immediately after they are no longer needed. If a new root token is needed, the operator generate-root command and associated API endpoint can be used to generate one on-the-fly.

You can read more here - https://www.vaultproject.io/docs/concepts/tokens

Upvotes: 2
