Ibrahim Saber

Reputation: 13

Vault Agent Auto Authentication

In the Vault docs (https://developer.hashicorp.com/vault/docs/agent-and-proxy/agent) it is mentioned that one of the features of Vault Agent is Auto-Auth (automatically authenticate to Vault and manage the token renewal process for locally-retrieved dynamic secrets).

My vault agent configuration:

pid_file = "F:/Vault/vault-agent/agent.pid"
log_file = "F:/Vault/vault-agent/trace.log"
vault {address = "http://127.0.0.1:8200"}
auto_auth {
  method "approle" {
    config = {
      role_id_file_path   = "F:/Vault/vault-agent/agent-role-id"
      secret_id_file_path = "F:/Vault/vault-agent/agent-secret-id"
      #remove_secret_id_file_after_reading = false
    }
  }
  sink "file" {
    config = {
      path = "F:/Vault/vault-agent/agent-token"
    }
  }
}
cache {
  use_auto_auth_token = true
}
listener "tcp" {
  address     = "127.0.0.1:8100"
  tls_disable = true
}

My vault server configuration:

disable_mlock = true
api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
ui = true
pid_file = "F:/Vault/data/vault.pid"
log_file = "F:/Vault/data/trace.log"
storage "raft" {
  path    = "F:/Vault/data"
  node_id = "raft_node_id"
}
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}

What I have tried:

import hvac

# point hvac at the agent's listener (127.0.0.1:8100), not at the Vault server on 8200
client = hvac.Client(url='http://localhost:8100')
client.is_authenticated()

What I expected:

True

What actually appeared:

False

Vault Agent Log:

2024-03-05T04:35:06.403+0200 [INFO]  agent.sink.server: starting sink server
2024-03-05T04:35:06.403+0200 [INFO]  agent.auth.handler: authenticating
2024-03-05T04:35:06.922+0200 [INFO]  agent.auth.handler: authentication successful, sending token to sinks
2024-03-05T04:35:06.924+0200 [INFO]  agent.sink.file: token written: path=F:/Vault/vault-agent/agent-token
2024-03-05T04:35:06.932+0200 [INFO]  agent.auth.handler: starting renewal process
2024-03-05T04:35:07.245+0200 [INFO]  agent.auth.handler: renewed auth token
2024-03-05T04:37:53.816+0200 [INFO]  agent.apiproxy: received request: method=GET path=/v1/auth/token/lookup-self
2024-03-05T04:37:53.817+0200 [INFO]  agent.apiproxy: forwarding request to Vault: method=GET path=/v1/auth/token/lookup-self
2024-03-05T05:17:18.781+0200 [INFO]  agent.auth.handler: renewed auth token

Upvotes: 0

Views: 471

Answers (1)

Dinnerspy

Reputation: 310

I think the issue you are having is that you are using Vault Agent, which only really allows for file rendering, and are looking to leverage Vault Proxy with auto-auth. So, if you want to continue with Vault Agent you need to render the files on the system and just consume them via your Python app. Alternatively, you could edit your existing config.hcl to allow it to work with Proxy.

api_proxy {
  use_auto_auth_token = "force"
  enforce_consistency = "always"
}

By enabling the above you are able to have hvac leverage the token that vault proxy will manage. Then boot it up using the vault proxy command.

vault proxy -config=path/your/config.hcl

If you're planning to run this on Windows, keep in mind that Vault Proxy is only supported as a Windows service starting with version 1.18.x Enterprise. So, you'll need to use that version or later. Additionally, you should ensure that the port used by the proxy has proper firewall rules in place to block traffic from any source other than the local computer or explicitly allowed IPs. Without this, anyone hitting the API would inherit the permissions granted to the token when using Auto Auth.

Upvotes: 0
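For the first approach in the answer (keep Vault Agent and consume the rendered file sink from the application), here is an added, stdlib-only example; it is not code from the question, the answerer or HashiCorp. It assumes the sink path and server address from the configs in the question (F:/Vault/vault-agent/agent-token and http://127.0.0.1:8200), and talks to the Vault server directly rather than to the agent listener on 8100.

```python
# Added example (stdlib only): consume the Vault Agent file-sink token and
# verify it against the Vault server directly, the way hvac's is_authenticated() does.
import json
import os
import stat
import urllib.error
import urllib.request

SINK_PATH = "F:/Vault/vault-agent/agent-token"  # sink "file" path from the agent config
VAULT_ADDR = "http://127.0.0.1:8200"            # api_addr of the Vault server, not the agent's 8100

def read_sink_token(path):
    """Token the agent wrote to its sink, stripped of trailing newline/whitespace.
    An empty file means auto-auth has not delivered a token yet."""
    with open(path, encoding="utf-8") as fh:
        token = fh.read().strip()
    if not token:
        raise RuntimeError(f"sink {path} is empty: agent auto-auth not finished")
    return token

def sink_is_private(path):
    """True when the sink has no group/other permission bits (POSIX only;
    on Windows, os.name == 'nt', ACLs are not inspected and True is returned)."""
    if os.name != "posix":
        return True
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def lookup_self(vault_addr, token):
    """GET /v1/auth/token/lookup-self. Returns the token data on success,
    None when Vault answers 403 (token invalid or expired)."""
    req = urllib.request.Request(f"{vault_addr}/v1/auth/token/lookup-self",
                                 headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)["data"]
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return None
        raise

if __name__ == "__main__":
    token = read_sink_token(SINK_PATH)
    if not sink_is_private(SINK_PATH):
        print("warning: sink file is readable by other users")
    data = lookup_self(VAULT_ADDR, token)
    print("authenticated:", data is not None, "policies:", data and data.get("policies"))
```

The sink file holds a live token with the AppRole's policies, so its permissions matter as much as the proxy port the answer mentions; on Windows, check the file's ACL by hand since the snippet only inspects POSIX mode bits.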
