Replies: 5 comments 5 replies
-
If it is not working like that I would probably do a workaround and install Vault Agent as proxy and let the masters talk to the local Vault agent with a token which never expires. (at least in theory..) But maybe it would work because at the moment I still got an error when I try it like menioned above but don't know why. If I use Approle with other Software it works. It tells me following error and I don't know why it would create a token other than I defined in the approle..
As I am quite new to salt I need to check how I can debug that and see what policies are tried.. |
Beta Was this translation helpful? Give feedback.
-
FYI use the Salt Vault Extension, it is much more up to date, and that is the way Salt is heading with 3008, see https://github.com/salt-extensions/saltext-vault |
Beta Was this translation helpful? Give feedback.
-
The Vault integration works under the following assumptions:
I'm pretty sure omitting the This fundamental architecture is not going to change. It would be fairly straightforward to disallow non-impersonated authentication requests though, for which you can create a feature request at https://github.com/salt-extensions/saltext-vault/issues. Note that pillar compilation can be a performance bottleneck for the master and minions only receive access to the secrets they are supposed to be able to read, so in general it's recommended for minions to do the lookups themselves. Be absolutely sure that the described behavior is what you need and be aware of the tradeoffs.
It's not recommended to access the Vault modules during regular
A minion is allowed access to any paths its policies allow it to, this question is not specific to the Vault integration. You can show policies a minion receives based on your master configuration via
In general, one would add a token/secret ID without a cap on the number of uses, but with one on the validity time. When using Salt 3007.x or the extension, the master automatically renews the current token during requests. While it does not have a dedicated renewal background process, the token is usually kept alive just by the base activity. Afaik you can use the
The common setups are documented in the guide you linked. I hope this post helps explain the concepts, but feel free to ask any further questions. |
Beta Was this translation helpful? Give feedback.
-
I didn't have that much time for that topic but anyway had some thoughts and was trying some things. Which I still don't get is the way how the secretID is used. So if anyone is accessing the Salt-Master then it could just read the secretid and roleid from the config file.. I also don't understand the usage of environment variable. In my eyes it should still work as every Vault Agents works - have a secretid only for startup which is revoked then and then it should renew its token by itself within the process - because anyone could read a file but injecting a process and get the secretid is more complicated. Or do I miss something? There is also something else but what is not certainly vault related. On every of 1000 or more minion someone could get easy all passwords which are usually not on the filesystem by calling |
Beta Was this translation helpful? Give feedback.
-
Hi @lkubb , thank you again for that fast response and help! I don't know that Vault agent also can provide a environment variable. I only know that it can sink token to file. There is a possibilty with environment variable but I only know that secrets can be set and that the salt-master then needs to be started by the vault agent in supervisor mode. Kind regards |
Beta Was this translation helpful? Give feedback.
-
How Vault is integrated into Vault?
According to following documentation I understand this example as all Minions need access to Vault, correct? -> https://salt-extensions.github.io/saltext-vault/topics/basic_configuration.html
But I don't want allow any Minion to access Vault. I want that only the Masters are allowed to access Vault and then I would write pillar files where I access a secret with:
But for this I also have configured it like in the basic configuration on the master at least. But I did not put the right to create vault app-roles. For me it should work like that:
BUT obviusly it doesn't work like that. At least for me. Can someone explain how that should be done because the documentation unfortunately does not explain it and the different options.
PS: I also would let master read all secrets and then use that as Pillar directly for the minions if that is possible without let each minion access the vault?! But I wonder then how I could tell that this minion is only allowed to read this certain data. With the way above I can at least tell in top.sls.
Kind regards
Mathias
Beta Was this translation helpful? Give feedback.
All reactions