Authentication, Authorization, and Identity with Vault
Overview
Authentication in Vault is the process by which user or machine supplied information is verified against an internal or external system. Vault supports multiple auth methods including GitHub, LDAP, AppRole, and more.
Identity is used to maintain the clients who are recognized by Vault. As such, Vault provides an identity management solution through the Identity secrets engine. In this lab, you will learn about the different types of authentication and auth methods, as well as how to interact with identity in Vault.
Task 1. Install Vault
Welcome to Cloud Shell! Type "help" to get started.
Your Cloud Platform project in this session is set to qwiklabs-gcp-02-e8fc74852051.
Use “gcloud config set project [PROJECT_ID]” to change to a different project.
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ sudo apt-get update
sudo apt-get install vault
********************************************************************************
You are running apt-get inside of Cloud Shell. Note that your Cloud Shell
machine is ephemeral and no system-wide change will persist beyond session end.
To suppress this warning, create an empty ~/.cloudshell/no-apt-get-warning file.
The command will automatically proceed in 5 seconds or on any key.
Visit https://cloud.google.com/shell/help for more information.
********************************************************************************
Ign:1 https://us-apt.pkg.dev/projects/demosite-images demosite-apt InRelease
Get:2 https://repo.mysql.com/apt/debian bullseye InRelease [12.9 kB]
Get:3 https://cli.github.com/packages bullseye InRelease [3,921 B]
Get:4 https://download.docker.com/linux/debian bullseye InRelease [43.3 kB]
Get:5 https://packages.microsoft.com/debian/11/prod bullseye InRelease [3,629 B]
Ign:6 https://ftp.debian.org/debian stretch InRelease
Get:7 https://deb.debian.org/debian bullseye InRelease [116 kB]
Get:8 https://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:9 https://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Ign:10 https://ftp.debian.org/debian stretch-backports InRelease
Ign:11 https://ftp.debian.org/debian stretch-updates InRelease
Err:12 https://ftp.debian.org/debian stretch Release
404 Not Found [IP: 199.232.46.132 443]
Get:13 https://cli.github.com/packages bullseye/main amd64 Packages [344 B]
Get:14 https://download.docker.com/linux/debian bullseye/stable amd64 Packages [25.2 kB]
Err:15 https://ftp.debian.org/debian stretch-backports Release
404 Not Found [IP: 199.232.46.132 443]
Err:16 https://ftp.debian.org/debian stretch-updates Release
404 Not Found [IP: 199.232.46.132 443]
Get:17 https://packages.microsoft.com/debian/11/prod bullseye/main amd64 Packages [83.3 kB]
Get:18 https://packages.microsoft.com/debian/11/prod bullseye/main arm64 Packages [14.6 kB]
Get:19 https://packages.microsoft.com/debian/11/prod bullseye/main armhf Packages [13.4 kB]
Get:20 https://deb.debian.org/debian bullseye/main Sources [11.4 MB]
Get:21 https://deb.debian.org/debian bullseye/main amd64 Packages [11.1 MB]
Hit:22 https://apt.llvm.org/bullseye llvm-toolchain-bullseye-13 InRelease
Get:23 https://storage.googleapis.com/bazel-apt stable InRelease [2,256 B]
Get:24 https://deb.debian.org/debian-security bullseye-security/main Sources [302 kB]
Get:25 https://deb.debian.org/debian-security bullseye-security/main amd64 Packages [300 kB]
Get:26 https://apt.postgresql.org/pub/repos/apt bullseye-pgdg InRelease [116 kB]
Get:27 https://storage.googleapis.com/bazel-apt stable/jdk1.8 amd64 Packages [9,940 B]
Get:28 https://packages.sury.org/php bullseye InRelease [6,841 B]
Get:29 https://repo.mysql.com/apt/debian bullseye/mysql-8.0 Sources [950 B]
Get:30 https://repo.mysql.com/apt/debian bullseye/mysql-8.0 amd64 Packages [8,596 B]
Get:31 https://repo.mysql.com/apt/debian bullseye/mysql-tools amd64 Packages [7,932 B]
Get:32 https://apt.postgresql.org/pub/repos/apt bullseye-pgdg/main amd64 Packages [445 kB]
Get:33 https://packages.sury.org/php bullseye/main amd64 Packages [376 kB]
Get:34 https://packages.cloud.google.com/apt apt-transport-artifact-registry-stable InRelease [5,094 B]
Get:35 https://packages.cloud.google.com/apt gcsfuse-stretch InRelease [5,006 B]
Get:36 https://packages.cloud.google.com/apt cloud-sdk-bullseye InRelease [6,400 B]
Get:37 https://apt.releases.hashicorp.com bullseye InRelease [12.9 kB]
Get:38 https://packages.cloud.google.com/apt gcsfuse-stretch/main amd64 Packages [2,217 B]
Get:39 https://packages.cloud.google.com/apt cloud-sdk-bullseye/main amd64 Packages [280 kB]
Get:40 https://apt.releases.hashicorp.com bullseye/main amd64 Packages [102 kB]
Get:1 https://us-apt.pkg.dev/projects/demosite-images demosite-apt InRelease [1,094 B]
Get:41 https://us-apt.pkg.dev/projects/demosite-images demosite-apt/main amd64 Packages [41.3 kB]
Reading package lists... Done
E: The repository 'https://ftp.debian.org/debian stretch Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://ftp.debian.org/debian stretch-backports Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://ftp.debian.org/debian stretch-updates Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
N: Repository 'https://deb.debian.org/debian bullseye InRelease' changed its 'Version' value from '11.6' to '11.7'
********************************************************************************
You are running apt-get inside of Cloud Shell. Note that your Cloud Shell
machine is ephemeral and no system-wide change will persist beyond session end.
To suppress this warning, create an empty ~/.cloudshell/no-apt-get-warning file.
The command will automatically proceed in 5 seconds or on any key.
Visit https://cloud.google.com/shell/help for more information.
********************************************************************************
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
vault
0 upgraded, 1 newly installed, 0 to remove and 78 not upgraded.
Need to get 51.8 MB of archives.
After this operation, 179 MB of additional disk space will be used.
Get:1 https://apt.releases.hashicorp.com bullseye/main amd64 vault amd64 1.13.2-1 [51.8 MB]
Fetched 51.8 MB in 1s (36.9 MB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package vault.
(Reading database ... 142190 files and directories currently installed.)
Preparing to unpack .../vault_1.13.2-1_amd64.deb ...
Unpacking vault (1.13.2-1) ...
Setting up vault (1.13.2-1) ...
Generating Vault TLS key and self-signed certificate...
Generating a RSA private key
..............................................................++++
............++++
writing new private key to 'tls.key'
-----
Vault TLS key and self-signed certificate have been generated in '/opt/vault/tls'.
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault
Usage: vault <command> [args]
Common commands:
read Read data and retrieves secrets
write Write data, configuration, and secrets
delete Delete secrets and configuration
list List data or secrets
login Authenticate locally
agent Start a Vault agent
server Start a Vault server
status Print seal and HA status
unwrap Unwrap a wrapped secret
Other commands:
audit Interact with audit devices
auth Interact with auth methods
debug Runs the debug command
events
kv Interact with Vault's Key-Value storage
lease Interact with leases
monitor Stream log messages from a Vault server
namespace Interact with namespaces
operator Perform operator-specific tasks
patch Patch data, configuration, and secrets
path-help Retrieve API help for paths
pki Interact with Vault's PKI Secrets Engine
plugin Interact with Vault plugins and catalog
policy Interact with policies
print Prints runtime configurations
secrets Interact with secrets engines
ssh Initiate an SSH session
token Interact with tokens
transit Interact with Vault's Transit Secrets Engine
version-history Prints the version history of the target Vault server
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
Task 2. Start the Vault server
With Vault installed, the next step is to start a Vault server.
Vault operates as a client/server application. The Vault server is the only piece of the Vault architecture that interacts with the data storage and backends. All operations done via the Vault CLI interact with the server over a TLS connection.
In this lab, you will start and interact with the Vault server running in development mode.
This dev-mode server requires no further setup, and your local vault CLI will be authenticated to talk to it. This makes it easy to experiment with Vault or start a Vault instance for development. Every feature of Vault is available in “dev” mode. The -dev flag just short-circuits a lot of setup to insecure defaults.
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault server -dev
==> Vault server configuration:
Api Address: http://127.0.0.1:8200
Cgo: disabled
Cluster Address: https://127.0.0.1:8201
Environment Variables: ACTIVE_CUSTOM_IMAGE, API_DOGFOOD, ASPNETCORE_URLS, BASHRC_GOOGLE_PATH, BASHRC_PATH, BROWSER, CLOUDSDK_CONFIG, CLOUDSDK_DIAGNOSTICS_HIDDEN_PROPERTY_ALLOWLIST, CLOUDSDK_DIAGNOSTICS_HIDDEN_PROPERTY_WHITELIST, CLOUDSDK_PYTHON, CLOUDSHELL_ENVIRONMENT, CLOUDSHELL_OPEN_DIR, CLOUD_SHELL, CLOUD_SHELL_IMAGE_VERSION, CREDENTIALS_SERVICE_PORT, CUSTOM_ENVIRONMENT, DEVSHELL_CLIENTS_DIR, DEVSHELL_GCLOUD_CONFIG, DEVSHELL_IP_ADDRESS, DEVSHELL_PROJECT_ID, DEVSHELL_SERVER_URL, DOCKER_HOST, DOTNET_SKIP_FIRST_TIME_EXPERIENCE, GCE_METADATA_HOST, GEM_HOME, GEM_PATH, GODEBUG, GOOGLE_CLOUD_PROJECT, GOOGLE_CLOUD_QUOTA_PROJECT, GOOGLE_CLOUD_SHELL, GOPATH, HISTFILESIZE, HISTSIZE, HOME, JAVA_HOME, LANG, LOGNAME, LS_COLORS, MINIKUBE_FORCE_SYSTEMD, MINIKUBE_HOME, MINIKUBE_WANTUPDATENOTIFICATION, PATH, PROMPT_COMMAND, PS1, PWD, SHELL, SHLVL, SSH_CLIENT, SSH_CONNECTION, SSH_TTY, TERM, TMUX, TMUX_PANE, TRUSTED_ENVIRONMENT, USER, USER_EMAIL, USE_CLOUD_SDK_PYTHON3, USE_GKE_GCLOUD_AUTH_PLUGIN, V2V_GCP_V2V_IMAGE, WEB_HOST, _, __TMP_CLOUDSDK_CONFIG
Go Version: go1.20.3
Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level:
Mlock: supported: true, enabled: false
Recovery Mode: false
Storage: inmem
Version: Vault v1.13.2, built 2023-04-25T13:02:50Z
Version Sha: b9b773f1628260423e6cc9745531fd903cae853f
==> Vault server started! Log data will stream in below:
2023-05-01T03:30:56.175Z [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""
2023-05-01T03:30:56.175Z [WARN] no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
2023-05-01T03:30:56.176Z [INFO] core: Initializing version history cache for core
2023-05-01T03:30:56.176Z [INFO] core: security barrier not initialized
2023-05-01T03:30:56.176Z [INFO] core: security barrier initialized: stored=1 shares=1 threshold=1
2023-05-01T03:30:56.177Z [INFO] core: post-unseal setup starting
2023-05-01T03:30:56.202Z [INFO] core: loaded wrapping token key
2023-05-01T03:30:56.202Z [INFO] core: successfully setup plugin catalog: plugin-directory=""
2023-05-01T03:30:56.202Z [INFO] core: no mounts; adding default mount table
2023-05-01T03:30:56.203Z [INFO] core: successfully mounted: type=cubbyhole version="v1.13.2+builtin.vault" path=cubbyhole/ namespace="ID: root. Path: "
2023-05-01T03:30:56.203Z [INFO] core: successfully mounted: type=system version="v1.13.2+builtin.vault" path=sys/ namespace="ID: root. Path: "
2023-05-01T03:30:56.203Z [INFO] core: successfully mounted: type=identity version="v1.13.2+builtin.vault" path=identity/ namespace="ID: root. Path: "
2023-05-01T03:30:56.204Z [INFO] core: successfully mounted: type=token version="v1.13.2+builtin.vault" path=token/ namespace="ID: root. Path: "
2023-05-01T03:30:56.205Z [INFO] rollback: starting rollback manager
2023-05-01T03:30:56.205Z [INFO] core: restoring leases
2023-05-01T03:30:56.206Z [INFO] expiration: lease restore complete
2023-05-01T03:30:56.208Z [INFO] identity: entities restored
2023-05-01T03:30:56.208Z [INFO] identity: groups restored
2023-05-01T03:30:56.209Z [INFO] core: Recorded vault version: vault version=1.13.2 upgrade time="2023-05-01 03:30:56.208972778 +0000 UTC" build date=2023-04-25T13:02:50Z
2023-05-01T03:30:56.438Z [INFO] core: post-unseal setup complete
2023-05-01T03:30:56.438Z [INFO] core: root token generated
2023-05-01T03:30:56.438Z [INFO] core: pre-seal teardown starting
2023-05-01T03:30:56.438Z [INFO] rollback: stopping rollback manager
2023-05-01T03:30:56.438Z [INFO] core: pre-seal teardown complete
2023-05-01T03:30:56.439Z [INFO] core.cluster-listener.tcp: starting listener: listener_address=127.0.0.1:8201
2023-05-01T03:30:56.439Z [INFO] core.cluster-listener: serving cluster requests: cluster_listen_address=127.0.0.1:8201
2023-05-01T03:30:56.439Z [INFO] core: post-unseal setup starting
2023-05-01T03:30:56.439Z [INFO] core: loaded wrapping token key
2023-05-01T03:30:56.439Z [INFO] core: successfully setup plugin catalog: plugin-directory=""
2023-05-01T03:30:56.439Z [INFO] core: successfully mounted: type=system version="v1.13.2+builtin.vault" path=sys/ namespace="ID: root. Path: "
2023-05-01T03:30:56.440Z [INFO] core: successfully mounted: type=identity version="v1.13.2+builtin.vault" path=identity/ namespace="ID: root. Path: "
2023-05-01T03:30:56.440Z [INFO] core: successfully mounted: type=cubbyhole version="v1.13.2+builtin.vault" path=cubbyhole/ namespace="ID: root. Path: "
2023-05-01T03:30:56.440Z [INFO] core: successfully mounted: type=token version="v1.13.2+builtin.vault" path=token/ namespace="ID: root. Path: "
2023-05-01T03:30:56.441Z [INFO] rollback: starting rollback manager
2023-05-01T03:30:56.441Z [INFO] core: restoring leases
2023-05-01T03:30:56.441Z [INFO] expiration: lease restore complete
2023-05-01T03:30:56.441Z [INFO] identity: entities restored
2023-05-01T03:30:56.441Z [INFO] identity: groups restored
2023-05-01T03:30:56.441Z [INFO] core: post-unseal setup complete
2023-05-01T03:30:56.441Z [INFO] core: vault is unsealed
2023-05-01T03:30:56.443Z [INFO] core: successful mount: namespace="" path=secret/ type=kv version=""
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.
You may need to set the following environment variables:
$ export VAULT_ADDR='http://127.0.0.1:8200'
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Unseal Key: qc5xNrq79dguYMUwta3wMD5GpdKX1mD6l9Astk9tSzE=
Root Token: hvs.QSsv5RT1GNZQzl8XMdK26Y5p
Development mode should NOT be used in production installations!
Welcome to Cloud Shell! Type "help" to get started.
Your Cloud Platform project in this session is set to qwiklabs-gcp-02-e8fc74852051.
Use “gcloud config set project [PROJECT_ID]” to change to a different project.
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ export VAULT_ADDR='http://127.0.0.1:8200'
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ export VAULT_TOKEN="hvs.QSsv5RT1GNZQzl8XMdK26Y5p"
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.13.2
Build Date 2023-04-25T13:02:50Z
Storage Type inmem
Cluster Name vault-cluster-7a581ccf
Cluster ID ceb6fe1f-6f63-57f6-b659-023265fae3c2
HA Enabled false
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
Task 3. Authentication in Vault
Before a client can interact with Vault, it must authenticate against an auth method. Upon authentication, a token is generated. This token is conceptually similar to a session ID on a website. The token may have attached policy, which is mapped at authentication time. This process is described in detail in the policies concepts documentation.
Auth methods
Vault supports a number of auth methods. Some backends are targeted toward users while others are targeted toward machines. Most authentication backends must be enabled before use. Often you will see authentications at the same path as their name, but this is not a requirement.
To learn more about authentication, you could use the built-in path-help command:
Task 4. AppRole auth method overview
The approle auth method allows machines or apps to authenticate with Vault-defined roles. The open design of AppRole enables a varied set of workflows and configurations to handle large numbers of apps. This auth method is oriented to automated workflows (machines and services), and is less useful for human operators.
An “AppRole” represents a set of Vault policies and login constraints that must be met to receive a token with those policies. The scope can be as narrow or broad as desired. An AppRole can be created for a particular machine, or even a particular user on that machine, or a service spread across machines. The credentials required for successful login depend upon the constraints set on the AppRole associated with the credentials.
Task 5. Using the AppRole auth method
Before a client can interact with Vault, it must authenticate against an auth method to acquire a token. This token has policies attached so that the behavior of the client can be governed.
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault kv put secret/mysql/webapp db_name="users" username="admin" password="passw0rd"
====== Secret Path ======
secret/data/mysql/webapp
======= Metadata =======
Key Value
--- -----
created_time 2023-05-01T03:36:37.234342043Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault auth enable approle
Success! Enabled approle auth method at: approle/
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault policy write jenkins -<<EOF
# Read-only permission on secrets stored at 'secret/data/mysql/webapp'
path "secret/data/mysql/webapp" {
capabilities = [ "read" ]
}
EOF
Success! Uploaded policy: jenkins
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
tudent_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault write auth/approle/role/jenkins token_policies="jenkins" \
token_ttl=1h token_max_ttl=4h
Success! Data written to: auth/approle/role/jenkins
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault read auth/approle/role/jenkins
Key Value
--- -----
bind_secret_id true
local_secret_ids false
secret_id_bound_cidrs <nil>
secret_id_num_uses 0
secret_id_ttl 0s
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 4h
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies [jenkins]
token_ttl 1h
token_type default
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault read auth/approle/role/jenkins/role-id
Key Value
--- -----
role_id b1100531-45d5-4377-b2b2-0ed2800cdbd0
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault write -force auth/approle/role/jenkins/secret-id
Key Value
--- -----
secret_id fd69d16f-0987-8f75-aa4d-96024042fa5e
secret_id_accessor 5986a1c5-c1c4-3562-39fe-32211ce4a046
secret_id_num_uses 0
secret_id_ttl 0s
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault write auth/approle/login role_id="b1100531-45d5-4377-b2b2-0ed2800cdbd0" secret_id="fd69d16f-0987-8f75-aa4d-96024042fa5e"
Key Value
--- -----
token hvs.CAESIG6RnEM9YgjIJGCM5KEsmLKAHAnkReYnkHauLaIL7ER6Gh4KHGh2cy5QMDk1alNNQmZNM29HR1Y3cXlBUVlKUDc
token_accessor F1kacBTUBSt10AFz21yyyBjt
token_duration 1h
token_renewable true
token_policies ["default" "jenkins"]
identity_policies []
policies ["default" "jenkins"]
token_meta_role_name jenkins
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ export APP_TOKEN="hvs.CAESIG6RnEM9YgjIJGCM5KEsmLKAHAnkReYnkHauLaIL7ER6Gh4KHGh2cy5QMDk1alNNQmZNM29HR1Y3cXlBUVlKUDc"
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ VAULT_TOKEN=$APP_TOKEN vault kv get secret/mysql/webapp
====== Secret Path ======
secret/data/mysql/webapp
======= Metadata =======
Key Value
--- -----
created_time 2023-05-01T03:36:37.234342043Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
====== Data ======
Key Value
--- -----
db_name users
password passw0rd
username admin
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ VAULT_TOKEN=$APP_TOKEN vault kv delete secret/mysql/webapp
Error deleting secret/data/mysql/webapp: Error making API request.
URL: DELETE http://127.0.0.1:8200/v1/secret/data/mysql/webapp
Code: 403. Errors:
* 1 error occurred:
* permission denied
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ VAULT_TOKEN=$APP_TOKEN vault kv get -format=json secret/mysql/webapp | jq -r .data.data.db_name > db_name.txt
VAULT_TOKEN=$APP_TOKEN vault kv get -format=json secret/mysql/webapp | jq -r .data.data.password > password.txt
VAULT_TOKEN=$APP_TOKEN vault kv get -format=json secret/mysql/webapp | jq -r .data.data.username > username.txt
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ export PROJECT_ID=$(gcloud config get-value project)
gsutil cp *.txt gs://$PROJECT_ID
Your active configuration is: [cloudshell-25088]
Copying file://db_name.txt [Content-Type=text/plain]...
Copying file://password.txt [Content-Type=text/plain]...
Copying file://README-cloudshell.txt [Content-Type=text/plain]...
Copying file://username.txt [Content-Type=text/plain]...
/ [4 files][ 934.0 B/ 934.0 B]
Operation completed over 4 objects/934.0 B.
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault write -wrap-ttl=60s -force auth/approle/role/jenkins/secret-id
Key Value
--- -----
wrapping_token: hvs.CAESIGuUZDy90s-sg32L8RhQ671bZMwZl5KmU9S_2y7oocTBGh4KHGh2cy5SWUx2R2MwVHBPWDZXdnlGQzRCdEpJbkE
wrapping_accessor: QjgxLTJ5epsZsmG7u94IG1Mj
wrapping_token_ttl: 1m
wrapping_token_creation_time: 2023-05-01 03:43:58.794753236 +0000 UTC
wrapping_token_creation_path: auth/approle/role/jenkins/secret-id
wrapped_accessor: fdfcb863-5a94-108b-c01a-7a10192394a7
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ VAULT_TOKEN="hvs.CAESIGuUZDy90s-sg32L8RhQ671bZMwZl5KmU9S_2y7oocTBGh4KHGh2cy5SWUx2R2MwVHBPWDZXdnlGQzRCdEpJbkE" vault unwrap
Key Value
--- -----
secret_id 9859ac70-8613-106a-9240-0e9a16c6809d
secret_id_accessor fdfcb863-5a94-108b-c01a-7a10192394a7
secret_id_num_uses 0
secret_id_ttl 0s
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault write auth/approle/role/jenkins token_policies="jenkins" \
token_ttl=1h token_max_ttl=4h \
secret_id_num_uses=10
Success! Data written to: auth/approle/role/jenkins
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault login -method=userpass -path=userpass-test \
username=bob password=training
WARNING! The VAULT_TOKEN environment variable is set! The value of this
variable will take precedence; if this is unwanted please unset VAULT_TOKEN or
update its value accordingly.
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.CAESIBNWq9zLXV4qcqKIV_RyOrWMJF9pelpWQboFJOhnOrHbGh4KHGh2cy5LR2RtZnJuYW9tVU5mYVdrUkYxTTFHTkQ
token_accessor XEdoh8KkDd8QMv16s9xPEBoJ
token_duration 768h
token_renewable true
token_policies ["default" "test"]
identity_policies ["base"]
policies ["base" "default" "test"]
token_meta_username bob
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault token capabilities hvs.CAESIBNWq9zLXV4qcqKIV_RyOrWMJF9pelpWQboFJOhnOrHbGh4KHGh2cy5LR2RtZnJuYW9tVU5mYVdrUkYxTTFHTkQ secret/data/training_test
create, read
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault token capabilities hvs.CAESIBNWq9zLXV4qcqKIV_RyOrWMJF9pelpWQboFJOhnOrHbGh4KHGh2cy5LR2RtZnJuYW9tVU5mYVdrUkYxTTFHTkQ secret/data/team-qa
deny
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault login -method=userpass -path=userpass-qa \
username=bsmith password=training
WARNING! The VAULT_TOKEN environment variable is set! The value of this
variable will take precedence; if this is unwanted please unset VAULT_TOKEN or
update its value accordingly.
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.CAESIPvlbvUhIMF2WtuFslLXlLokDK-w37MTSyokeRkXLgKKGh4KHGh2cy5hMUs4aVJMTVJxNE5PU05uNW45MHRpWGM
token_accessor 5EqWRTuemzwpnot67yQpgRNX
token_duration 768h
token_renewable true
token_policies ["default" "team-qa"]
identity_policies ["base"]
policies ["base" "default" "team-qa"]
token_meta_username bsmith
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$ vault login -method=userpass -path=userpass-test username=bob password=training
WARNING! The VAULT_TOKEN environment variable is set! The value of this
variable will take precedence; if this is unwanted please unset VAULT_TOKEN or
update its value accordingly.
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.CAESIJomNjVSxvhc0w3YN7ek_efcQsynfGzyAk72FOlLcEUrGh4KHGh2cy55NXVhRmNGcUZEcmVOS2o0QzBYVDZndHY
token_accessor Vgle2QnZo9yrTsk87c2tqxcP
token_duration 768h
token_renewable true
token_policies ["default" "test"]
identity_policies ["base" "team-eng"]
policies ["base" "default" "team-eng" "test"]
token_meta_username bob
student_02_a5be9b1b005d@cloudshell:~ (qwiklabs-gcp-02-e8fc74852051)$
In this lab, you learned about the different types of authentication and used the AppRole auth method in Vault. You then created users with distinct policies, associated aliases as entity members to an entity with a base policy, and created an internal group with an entity member.
