Detailed reading on Vault password policies can be found here. This document concentrates only on the default password policy in Vault, how to define a custom password policy, and an example of how a custom policy can be applied.
Secret engines in Vault allow management of dynamic credentials and static credentials. In both cases, the passwords are generated by Vault.
The passwords that Vault generates can be customized. This customization is done via a password policy, which is similar in concept to an ACL policy in Vault.
A password policy is defined as "A set of instructions on how to generate a password, similar to other password generators." Password policies are available from Vault version 1.5 onward, in both the Community and Enterprise editions of Vault.
Password policies are written in HCL or JSON and define the length of the password and the set of rules the password must adhere to.
If no password policy is explicitly specified, Vault applies its default password policy.
1. Default password policy - The default password policy is defined as follows:
20 characters with at least 1 uppercase, 1 lowercase, 1 number, and 1 dash character.
Written as an HCL file, the default password policy looks like this:
length = 20
rule "charset" {
charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
min-chars = 1
}
rule "charset" {
charset = "abcdefghijklmnopqrstuvwxyz"
min-chars = 1
}
rule "charset" {
charset = "0123456789"
min-chars = 1
}
rule "charset" {
charset = "-"
min-chars = 1
}
2. Custom Password policy -
a. Create a file `example_password_policy.hcl` with the following content:
length = 30
rule "charset" {
charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
min-chars = 1
}
rule "charset" {
charset = "abcdefghijklmnopqrstuvwxyz"
min-chars = 1
}
rule "charset" {
charset = "0123456789"
min-chars = 1
}
rule "charset" {
charset = "-%^&*()_?/~`"
min-chars = 1
}
b. Create the password policy:
vault write sys/policies/password/example_password_policy policy=@example_password_policy.hcl
c. Generate a password from the policy to check that the value has the characteristics defined in the password policy:
vault read sys/policies/password/example_password_policy/generate -format=json |
jq -r .data
{
"password": "(P%rWlRQRUayIS_KUS%Nj36zw/wlzx"
}
d. Use the newly created password policy in a secret engine configuration (here, the database secrets engine):
vault write database/config/postgresql \
plugin_name=postgresql-database-plugin \
connection_url="postgresql://{{username}}:{{password}}@$POSTGRES_URL/postgres" \
allowed_roles=readonly \
username=$POSTGRES_USERNAME \
password=$POSTGRES_PASSWORD \
password_policy="example_password_policy"
e. After setting up the role, generate a credential and check that the password field has the characteristics defined in the password policy:
vault read -format=json database/creds/readonly | jq -r .data
{
"password": "V~6n/o`Hpalq0LjY~aBwfX~Pkz^)UP",
"username": "v-token-readonly-Tdr3pbuOFSsHNbpbmJZN-1698632954"
}
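Steps c and e above check the generated password by eye. A defender who rolls out a custom policy usually wants that check automated, both for the policy file itself (a policy whose `min-chars` add up to more than `length` can never be satisfied) and for every password Vault hands out. The following Python script is an added example and is not part of the original article or of Vault; it parses the subset of the password-policy HCL used on this page (`length` plus `rule "charset"` blocks), validates the policy, and reports why a candidate password does or does not conform. The policy text is a copy of `example_password_policy.hcl` from step a, and the sample passwords are the two values shown in the outputs of steps c and e. The 4..100 bound on `length` is taken from Vault's password-policy documentation linked under References; confirm it against the docs for your Vault version.

```python
import re
from dataclasses import dataclass

# Copy of example_password_policy.hcl from step a (constructed inline so the script runs offline).
EXAMPLE_POLICY_HCL = r'''
length = 30
rule "charset" {
  charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  min-chars = 1
}
rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 1
}
rule "charset" {
  charset = "0123456789"
  min-chars = 1
}
rule "charset" {
  charset = "-%^&*()_?/~`"
  min-chars = 1
}
'''

# Sample passwords copied from the page's step c and step e output.
SAMPLE_PASSWORDS = ["(P%rWlRQRUayIS_KUS%Nj36zw/wlzx", "V~6n/o`Hpalq0LjY~aBwfX~Pkz^)UP"]


@dataclass
class CharsetRule:
    charset: str
    min_chars: int


@dataclass
class PasswordPolicy:
    length: int
    rules: list


# Minimal HCL parser for the policy subset on this page; it is not a general HCL parser.
LENGTH_RE = re.compile(r'^\s*length\s*=\s*(\d+)', re.M)
RULE_RE = re.compile(r'rule\s+"charset"\s*\{(.*?)\}', re.S)
CHARSET_RE = re.compile(r'charset\s*=\s*"([^"]*)"')
MIN_CHARS_RE = re.compile(r'min-chars\s*=\s*(\d+)')


def parse_policy(hcl: str) -> PasswordPolicy:
    m = LENGTH_RE.search(hcl)
    if not m:
        raise ValueError("policy has no length attribute")
    rules = []
    for body in RULE_RE.findall(hcl):
        cs = CHARSET_RE.search(body)
        if not cs:
            raise ValueError("charset rule without a charset attribute")
        mc = MIN_CHARS_RE.search(body)
        rules.append(CharsetRule(cs.group(1), int(mc.group(1)) if mc else 0))
    return PasswordPolicy(int(m.group(1)), rules)


def policy_problems(policy: PasswordPolicy) -> list:
    """Return reasons the policy itself is unusable (empty list means it looks sane)."""
    problems = []
    if not 4 <= policy.length <= 100:  # documented Vault bound; verify for your version
        problems.append(f"length {policy.length} is outside the documented 4..100 range")
    if sum(r.min_chars for r in policy.rules) > policy.length:
        problems.append("sum of min-chars exceeds length: no password can satisfy every rule")
    if any(not r.charset for r in policy.rules):
        problems.append("a charset rule has an empty charset")
    return problems


def password_problems(policy: PasswordPolicy, password: str) -> list:
    """Return every rule the password violates; an empty list means it conforms."""
    problems = []
    if len(password) != policy.length:
        problems.append(f"length {len(password)} != required {policy.length}")
    # Vault only draws candidates from the union of all rule charsets, so any
    # character outside that union means the value did not come from this policy.
    allowed = set().union(*(set(r.charset) for r in policy.rules))
    stray = sorted(set(password) - allowed)
    if stray:
        problems.append(f"characters outside every charset: {''.join(stray)!r}")
    for r in policy.rules:
        found = sum(c in r.charset for c in password)
        if found < r.min_chars:
            problems.append(f"only {found} of {r.min_chars} required from charset {r.charset!r}")
    return problems


def conforms(policy: PasswordPolicy, password: str) -> bool:
    return not password_problems(policy, password)


if __name__ == "__main__":
    policy = parse_policy(EXAMPLE_POLICY_HCL)
    print("policy problems:", policy_problems(policy) or "none")
    for pw in SAMPLE_PASSWORDS + ["abcdefghijklmnopqrstuvwxyzABCD"]:  # last one is a constructed bad value
        print(pw, "->", password_problems(policy, pw) or "conforms")
```

In practice you would feed `vault read -format=json sys/policies/password/<name>/generate | jq -r .data.password` (or the `password` field of `database/creds/<role>`) into `password_problems` as part of a post-deployment check, so that a policy edit that silently drops a charset is caught before credentials reach a database.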
References -
- https://developer.hashicorp.com/vault/docs/concepts/password-policies
- https://developer.hashicorp.com/vault/api-docs/system/policies-password
- https://developer.hashicorp.com/vault/docs/concepts/password-policies#candidate-password-generation