Vault Agent simplifies authentication to Vault. This article covers how to configure Vault JWT authentication as an auto-auth method for Vault Agent.
1. Generate a private key using openssl. Type in the following command:
$ openssl genrsa -out private_key.pem 2048
2. Generate a public key using openssl. Type the following command:
$ openssl rsa -in private_key.pem -outform PEM -pubout -out public_key.pem
3. Enable JWT authentication on the Vault server by using the following command in a terminal/command prompt:
$ vault auth enable jwt
4. Configure Vault JWT authentication with the following command. The role name demo is used as an example only; any name can be used for the role:
$ vault write auth/jwt/config jwt_supported_algs=RS256 jwt_validation_pubkeys=@public_key.pem default_role="demo"
5. Create the role named in the step above; the default policy is used as an example:
$ vault write auth/jwt/role/demo \
policies="default" \
user_claim="sub" \
role_type="jwt" \
bound_audiences="test"
The role parameters used above:
- policies (array: [] or comma-delimited string: "") - List of token policies to encode onto generated tokens.
- user_claim (string: <required>) - The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. The claim value must be a string.
- role_type (string: <optional>) - Type of role, either "oidc" (default) or "jwt".
- bound_audiences (array: <optional>) - List of aud claims to match against. Any match is sufficient. For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims or token_bound_cidrs is required. Optional for "oidc" roles.
6. Now generate the JWT to use for authentication. When generating it, make sure the following claims are in the JWT body. The values are based on the example used here, so change them as needed:
{
"sub": "sub",
"name": "owen",
"nbf": 1691380859,
"exp": 1723070519,
"aud": "test"
}
7. Save the newly generated JWT to a text file:
$ echo eyJhbGciOiJSUzI1NiIsInR5 > jwt.txt
For more detailed steps on how to generate a JWT, please refer to this article.
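As an added example (not part of the original article), the following POSIX shell script mints an RS256 JWT carrying the claims from step 6, signs it with the private_key.pem from step 1, and verifies it against public_key.pem the same way Vault does with jwt_validation_pubkeys. It assumes openssl is on the PATH; the function names (b64url, make_jwt, jwt_payload, verify_jwt) are my own, and nbf/exp are derived from the current time because the article's literal timestamps have since expired.

```shell
#!/bin/sh
# Added example, not the article's own code: build and check an RS256 JWT
# with only POSIX shell and openssl. Function names are this example's own.
set -eu

# base64url encode stdin: one-line base64, '+/' -> '-_', no '=' padding.
b64url() {
  openssl base64 -A | tr '/+' '_-' | tr -d '=\n'
}

# base64url decode stdin: restore '+/' and the padding openssl expects.
b64url_decode() {
  data="$(tr '_-' '/+')"
  case $(( ${#data} % 4 )) in
    2) data="${data}==" ;;
    3) data="${data}=" ;;
  esac
  printf '%s' "$data" | openssl base64 -d -A
}

# example_payload: the article's claims (sub, name, aud=test); nbf/exp come
# from the clock so the token is valid for one hour from now.
example_payload() {
  now=$(date +%s)
  printf '{"sub":"sub","name":"owen","nbf":%s,"exp":%s,"aud":"test"}' \
    "$((now - 60))" "$((now + 3600))"
}

# make_jwt PRIVATE_KEY_PEM PAYLOAD_JSON -> compact JWS "header.payload.signature"
make_jwt() {
  key="$1"
  payload="$2"
  header='{"alg":"RS256","typ":"JWT"}'
  signing_input="$(printf '%s' "$header" | b64url).$(printf '%s' "$payload" | b64url)"
  # RS256 is RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload".
  sig="$(printf '%s' "$signing_input" | openssl dgst -sha256 -sign "$key" | b64url)"
  printf '%s.%s\n' "$signing_input" "$sig"
}

# jwt_payload JWT -> decoded payload JSON, useful when a login is rejected
# because a claim (e.g. aud vs. bound_audiences) does not match the role.
jwt_payload() {
  middle="${1#*.}"
  printf '%s' "${middle%.*}" | b64url_decode
}

# verify_jwt PUBLIC_KEY_PEM JWT -> exit 0 only if the signature is valid for
# this key; any change to the header or payload makes verification fail.
verify_jwt() {
  pubkey="$1"
  jwt="$2"
  signing_input="${jwt%.*}"
  sigfile="$(mktemp)"
  printf '%s' "${jwt##*.}" | b64url_decode > "$sigfile"
  if printf '%s' "$signing_input" | openssl dgst -sha256 -verify "$pubkey" -signature "$sigfile" >/dev/null 2>&1; then
    rm -f "$sigfile"
    return 0
  fi
  rm -f "$sigfile"
  return 1
}

# Stand-alone use: if the keys from steps 1 and 2 are in the working
# directory, write jwt.txt for step 7 and check it; otherwise only define the functions.
if [ -f private_key.pem ] && [ -f public_key.pem ]; then
  make_jwt private_key.pem "$(example_payload)" > jwt.txt
  verify_jwt public_key.pem "$(cat jwt.txt)"
  echo "jwt.txt written and verified against public_key.pem"
fi
```

Run it in the directory holding private_key.pem and public_key.pem to produce jwt.txt; `jwt_payload "$(cat jwt.txt)"` shows the claims Vault will evaluate, and `verify_jwt public_key.pem "$(cat jwt.txt)"` fails on any token not signed by the configured key, which is the check jwt_validation_pubkeys enforces on the server side.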
8. Test JWT authentication by trying to log in:
$ vault write auth/jwt/login role=demo jwt=@jwt.txt
9. Create agent-config.hcl as follows:
exit_after_auth = false
pid_file = "./pidfile"

auto_auth {
  method "jwt" {
    mount_path = "auth/jwt"
    config = {
      path = "vault_jwt/vault_azure_jwt/agent/jwt.txt"
      role = "demo"
      remove_jwt_after_reading = "false"
    }
  }

  sink "file" {
    config = {
      path = "/vault_jwt/vault_azure_jwt/agent/vaultToken"
    }
  }
}

vault {
  address = "http://127.0.0.1:8200"
}
If you plan to reuse the same JWT, set remove_jwt_after_reading to false in the agent configuration, since the default is true and the agent deletes the JWT file after reading it.
10. Create a text file with the JWT generated in Step 7 and save it to the path specified in agent-config.hcl.
11. Run the following command to start the agent:
$ vault agent -config=agent-config.hcl
12. Successful authentication output:
==> Vault Agent started! Log data will stream in below:
==> Vault Agent configuration:
Cgo: disabled
Log Level:
Version: Vault v1.13.2+ent, built 2023-04-25T19:30:45Z
Version Sha: ca5ea376af76440caa5e82e9b659b9e7c09268b4
2023-08-07T16:14:59.013-0700 [INFO] agent.sink.file: creating file sink
2023-08-07T16:14:59.014-0700 [INFO] agent.sink.file: file sink configured: path=jwtToken mode=-rw-r-----
2023-08-07T16:14:59.014-0700 [INFO] agent.auth.jwt: jwt auth method created: path=/Users/owenzhang/vault_jwt/vault_azure_jwt/agent/jwt.txt
2023-08-07T16:14:59.014-0700 [INFO] agent.template.server: starting template server
2023-08-07T16:14:59.014-0700 [INFO] agent.sink.server: starting sink server
2023-08-07T16:14:59.014-0700 [INFO] agent.template.server: no templates found
2023-08-07T16:14:59.014-0700 [INFO] agent.auth.handler: starting auth handler
2023-08-07T16:14:59.014-0700 [INFO] agent.auth.handler: authenticating
2023-08-07T16:14:59.322-0700 [INFO] agent.auth.handler: authentication successful, sending token to sinks
2023-08-07T16:14:59.322-0700 [INFO] agent.auth.handler: starting renewal process
2023-08-07T16:14:59.365-0700 [INFO] agent.sink.file: token written: path=jwtToken
2023-08-07T16:14:59.471-0700 [INFO] agent.auth.handler: renewed auth token
The Vault token is stored in the sink location /vault_jwt/vault_azure_jwt/agent/vaultToken.