Introduction:
This article covers how to correlate audit logs between Boundary and Vault. Please note that the examples provided below are illustrative. Use the "Scope-ID" and "auth method" that apply to your environment.
Prerequisites:
- Boundary Controller v0.16 or later
- If the Vault version is lower than 1.17.x, the x-correlation-id audit request header needs to be configured/enabled.
- The header is enabled by default in Vault v1.17.x.
Setup:
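Configuring the header at the Vault level:
- Create payload.json. Setting "hmac" to false makes Vault log the header value in plaintext, so it can be compared directly with the Boundary correlation ID.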
root#/var/log/bound# cat payload.json
{
"hmac":false
}
- Use curl to register x-correlation-id as an audited request header.
root#/var/log/bound# curl --header "X-Vault-Token: <vault-token>" --request POST --data @payload.json http://<vault-address>:8200/v1/sys/config/auditing/request-headers/x-correlation-id
- Confirm that the header was created.
root# vault read /sys/config/auditing/request-headers
Key Value
--- -----
headers map[x-correlation-id:map[hmac:false]]
root#
- Now connect to the database using Boundary with Vault as a credential broker.
root# boundary connect postgres -target-id ttcp_MEV21f9ZaK -dbname northwind
northwind=>
- Once the database is connected, a corresponding correlation ID is created in the Boundary event logs.
"correlation_id": "21f35c5c-9b27-81e4-72ef-529a4c10f8eb",
"id": "e_ct8FS4BXEh",
"request": {
"details": {
"id": "ttcp_MEV21f9ZaK"
}
- Because of the custom header created previously, Vault records the same correlation ID in its audit logs.
"request": {
"client_id": "DmITaYKGYFwS1GQg2ncPVnIRP5SrSyVIbqu4CgGsJwg=",
"client_token": "hmac-sha256:45d5647af573d2e72217c22f080c2ba184893062e00e0042aa5e615d7e23ce6b",
"client_token_accessor": "hmac-sha256:298d301150578a388d9f934d551a38c5c63f09fd8cdf6666f03bd49fb2046d66",
"id": "e1962e8d-53f8-6428-e25d-7e515c07ce6e",
"headers": {
"x-correlation-id": [
"21f35c5c-9b27-81e4-72ef-529a4c10f8eb"
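
The matching step described above can be automated. The following is an added example, not part of the original article or of either product: it joins Boundary event lines to Vault audit lines on the correlation ID. The log lines are constructed from the excerpts above, and the "data" wrapper around the Boundary event and all function names are assumptions.

```python
import json

# Constructed sample lines modelled on the excerpts above. The "data" wrapper
# on Boundary events is an assumption, so the key lookup below is recursive.
BOUNDARY_EVENTS = """\
{"data": {"correlation_id": "21f35c5c-9b27-81e4-72ef-529a4c10f8eb", "id": "e_ct8FS4BXEh", "request": {"details": {"id": "ttcp_MEV21f9ZaK"}}}}
{"data": {"correlation_id": "00000000-0000-0000-0000-000000000001", "id": "e_constructed"}}
"""
VAULT_AUDIT = """\
{"type": "request", "request": {"id": "e1962e8d-53f8-6428-e25d-7e515c07ce6e", "headers": {"x-correlation-id": ["21f35c5c-9b27-81e4-72ef-529a4c10f8eb"]}}}
{"type": "request", "request": {"id": "constructed-no-header", "headers": {}}}
truncated, non-JSON line
"""

def parse_lines(text):
    """Yield one dict per JSON log line, skipping blank or malformed lines."""
    for line in text.splitlines():
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            yield obj

def find_key(obj, key):
    """Return the first value stored under `key` at any nesting depth."""
    if isinstance(obj, dict) and key in obj:
        return obj[key]
    children = obj.values() if isinstance(obj, dict) else obj if isinstance(obj, list) else []
    for item in children:
        found = find_key(item, key)
        if found is not None:
            return found
    return None

def correlate(boundary_text, vault_text):
    """Map each Boundary correlation_id to the Vault request ids that carry it."""
    vault_by_cid = {}
    for entry in parse_lines(vault_text):
        req = entry.get("request") or {}
        for cid in (req.get("headers") or {}).get("x-correlation-id", []):
            vault_by_cid.setdefault(cid.lower(), []).append(req.get("id"))
    result = {}
    for event in parse_lines(boundary_text):
        cid = find_key(event, "correlation_id")
        if isinstance(cid, str):
            result[cid] = list(vault_by_cid.get(cid.lower(), []))
    return result
```

A Boundary correlation ID that maps to an empty list has no matching Vault audit entry. If the header were registered with "hmac": true, Vault would log hashed values and this direct comparison would find no matches.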