A Vault Tutorial. Part 3

Published: Feb 6, 2019 by Isaac Johnson

One can add other secrets engines. Secret engines are Vault’s extensibility model that allows a way to take data, do an action and return a result.  

For instance, if one would like to dynamically provision service principals in Azure, one can add the Azure engine (providing they have sufficient privileges in Azure)

Note: The Azure secret engine is about creating service principals.  Enabling Azure auth does not have anything to do with AKV

$ vault write azure/config \
> subscription_id= ******-**** - ****-**** - ********** \
> tenant_id= ******-**** - ****-**** - ********** \
> client_id= ******-**** - ****-**** - ********** \
> client_secret= *********************************
Success! Data written to: azure/config

$ vault write azure/roles/my-role ttl=1h max_ttl=24h azure_roles=-<<EOF
> [
> {
> "role_name": "Contributor",
> "scope": "/subscriptions/<uuid>/resourceGroups/Website"
> },
> {
> "role_id": "/subscriptions/<uuid>/providers/Microsoft.Authorization/roleDefinitions/<uuid>",
> "scope": "/subscriptions/<uuid>"
> },
> {
> "role_name": "This won't matter as it will be overwritten",
> "role_id": "/subscriptions/<uuid>/providers/Microsoft.Authorization/roleDefinitions/<uuid>",
> "scope": "/subscriptions/<uuid>/resourceGroups/Database"
> }
> ]

Secrets Engines example: databases

A powerful use of Vault Engines is interacting with Databases.  

For instance, during software validation, one may wish to dynamically create a temporary test user.

See a standard CI CD flow below.

Process in launching a database in a Continuous Deployment pipeline

Example with MongoDB:

First one can create a MongoDB instance using the free bitnami image on Azure (“MongoDB Certified by Bitnami”)

Once launch, add an inbound rule for port 27017.

The database password is in the boot diagnostics log.

Adding inbound port for MongoDB after launching
Determining db password after launch

Create the database entry and role.  Then you can use the “read” command to get a temporary user account

You can use Compass CLI, but I opted to download just the CLI.  You can sanity check your connectivity this way.

#sanity check with CLI
$ ~/Downloads/mongodb-osx-x86_64-3.6.2/bin/mongo mongodb://
MongoDB shell version v3.6.2
connecting to: mongodb://
MongoDB server version: 4.0.3
WARNING: shell and server versions do not match
Welcome to the MongoDB shell.

$ vault write database/config/my-azure-mongodb \
plugin_name=mongodb-database-plugin \
allowed_roles="my-role" \
connection_url="mongodb://:@" \
username="root" \

$ vault write database/roles/my-role \
> db_name=my-azure-mongodb \
> creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' \
> default_ttl="2h" \
> max_ttl="24h"
Success! Data written to: database/roles/my-role

$ vault read database/creds/my-role
Key Value
--- -----
lease_id database/creds/my-role/zquLtoyl8Mk6SvLyZoQeJFpH
lease_duration 2h
lease_renewable true
password A1a-U5JzyT5YBRHprZrF
username v-token-my-role-2Ph0kxLfI2gAE634ElHu-1546356485
tutorial vault

Have something to add? Feedback? Try our new forums

Isaac Johnson

Isaac Johnson

Cloud Solutions Architect

Isaac is a CSA and DevOps engineer who focuses on cloud migrations and devops processes. He also is a dad to three wonderful daughters (hence the references to Princess King sprinkled throughout the blog).

Theme built by C.S. Rhymes