Introduction
Expected Outcome
Create a Vault AppRole that is limited to rotating its own secret-id and, if desired, can also destroy its own secret-id accessors.
Use Case
Useful for workflows where an application should manage its own secret-id rotation, and optionally the deletion of its old secret-id accessors, without a Vault administrator.
Procedures
Step 1. Create the policy 'rotate.hcl':
path "auth/approle/role/jenkins/secret-id" {
capabilities = ["update"]
}
Step 2. Write the policy:
vault policy write rotate-my-secret-id rotate.hcl
Success! Uploaded policy: rotate-my-secret-id
Step 3. Enable the AppRole auth method and create the example role, here named 'jenkins':
vault auth enable approle
vault write auth/approle/role/jenkins token_policies="rotate-my-secret-id" \
    token_ttl=1h token_max_ttl=4h
Success! Data written to: auth/approle/role/jenkins
Step 4. Read the role_id from the role:
vault read auth/approle/role/jenkins/role-id
Key Value
--- -----
role_id de172e54-902e-c5e9-ebce-9563f3f9bb64
vault read auth/approle/role/jenkins
Key Value
--- -----
bind_secret_id true
local_secret_ids false
secret_id_bound_cidrs <nil>
secret_id_num_uses 0
secret_id_ttl 0s
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 4h
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies [rotate-my-secret-id]
token_ttl 1h
token_type default
Step 5. Create a secret-id:
vault write -f auth/approle/role/jenkins/secret-id
Key Value
--- -----
secret_id 7174d84b-5e3d-0eba-d878-bb7632829da1
secret_id_accessor 142613be-a23a-7fca-9c95-8596a149b714
Step 6. Log in with the role_id and secret_id:
vault write auth/approle/login role_id=de172e54-902e-c5e9-ebce-9563f3f9bb64 secret_id=7174d84b-5e3d-0eba-d878-bb7632829da1
Key Value
--- -----
token s.2M0FPR0DlHuXq0SFYJkZBcfN
token_accessor mZyeDeJDFUpsHScZKKUAkxdA
token_duration 1h
token_renewable true
token_policies ["default" "rotate-my-secret-id"]
identity_policies []
policies ["default" "rotate-my-secret-id"]
token_meta_role_name jenkins
Step 7. Log in with the token returned in Step 6:
vault login
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token s.NrpODJ37FA5eMb5Nbd8oV1AB
token_accessor zSLIY8rOUD57tcwieNfaajrz
token_duration 57m19s
token_renewable true
token_policies ["default" "rotate-my-secret-id"]
identity_policies []
policies ["default" "rotate-my-secret-id"]
token_meta_role_name jenkins
Step 8. Verify you are logged in with the newly created token:
vault token lookup
Key Value
--- -----
accessor zSLIY8rOUD57tcwieNfaajrz
creation_time 1632267098
creation_ttl 1h
display_name approle
entity_id 503da234-d1d3-5f9a-9f26-4cb0f99eb165
expire_time 2021-09-21T17:31:38.097011-07:00
explicit_max_ttl 0s
id s.NrpODJ37FA5eMb5Nbd8oV1AB
issue_time 2021-09-21T16:31:38.097015-07:00
meta map[role_name:jenkins]
num_uses 0
orphan true
path auth/approle/login
policies [default rotate-my-secret-id]
renewable true
ttl 18m25s
type service
Step 9. Rotate the secret-id; a new secret_id and secret_id_accessor are issued:
vault write -force auth/approle/role/jenkins/secret-id
Key Value
--- -----
secret_id 6787375c-972f-5a7b-e2dd-31ca388681f2
secret_id_accessor e0d49ee9-73ef-a51c-2284-c97a50ce2deb
Step 10. To be able to look up and destroy secret-id accessors yourself, the policy must be broadened:
From:
path "auth/approle/role/jenkins/secret-id" {
capabilities = ["update"]
}
To:
path "auth/approle/role/jenkins/*" {
capabilities = ["create", "read", "update", "list"]
}
Step 11. Look up a secret-id by its secret_id_accessor:
vault write auth/approle/role/jenkins/secret-id-accessor/lookup secret_id_accessor=7f49ebb4-b721-4968-c2df-eaf7793d5b90
Key Value
--- -----
cidr_list []
creation_time 2021-09-21T16:21:31.58957-07:00
expiration_time 0001-01-01T00:00:00Z
last_updated_time 2021-09-21T16:21:31.58957-07:00
metadata map[]
secret_id_accessor 7f49ebb4-b721-4968-c2df-eaf7793d5b90
secret_id_num_uses 0
secret_id_ttl 0s
token_bound_cidrs []
Step 12. Destroy the secret-id through its accessor:
vault write auth/approle/role/jenkins/secret-id-accessor/destroy secret_id_accessor=7f49ebb4-b721-4968-c2df-eaf7793d5b90
Success! Data written to: auth/approle/role/jenkins/secret-id-accessor/destroy
Step 13. Validate the deletion by looking up the same secret_id_accessor again; the lookup now fails:
vault write auth/approle/role/jenkins/secret-id-accessor/lookup secret_id_accessor=7f49ebb4-b721-4968-c2df-eaf7793d5b90
Error writing data to auth/approle/role/jenkins/secret-id-accessor/lookup: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/auth/approle/role/jenkins/secret-id-accessor/lookup
Code: 500. Errors:
* 1 error occurred:
* failed to find accessor entry for secret_id_accessor: "7f49ebb4-b721-4968-c2df-eaf7793d5b90"
Conclusion: the secret-id-accessor no longer exists.
Additional Information
One caveat: the broadened policy in Step 10 grants create, read, update and list on every path under auth/approle/role/jenkins/, which is more administrative permission than rotating and destroying secret-ids requires. Review the capabilities the policy grants against what the account is intended to do before adopting it.
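The following is an added example, not code from the HashiCorp article: it drives the rotate, look up and destroy sequence of Steps 9 to 13 through Vault's HTTP API instead of the CLI, and it carries a narrower policy than the Step 10 wildcard, limited to the three endpoints those steps actually call. VaultClient, FakeVaultClient, NARROW_POLICY, NARROW_PATHS and the function names are assumptions made here. The fake client is an in-memory stand-in constructed so the workflow runs offline; point VaultClient at a real server with the role's token to run it for real.

```python
import itertools
import json
import urllib.error
import urllib.request

ROLE = "jenkins"

# Assumed least-privilege policy: only the endpoints Steps 9, 11 and 12 call.
# Lookup and destroy are POST endpoints, so they need "update", not "read".
NARROW_POLICY = f'''
path "auth/approle/role/{ROLE}/secret-id" {{
  capabilities = ["update"]
}}
path "auth/approle/role/{ROLE}/secret-id-accessor/lookup" {{
  capabilities = ["update"]
}}
path "auth/approle/role/{ROLE}/secret-id-accessor/destroy" {{
  capabilities = ["update"]
}}
'''
NARROW_PATHS = {
    f"auth/approle/role/{ROLE}/secret-id",
    f"auth/approle/role/{ROLE}/secret-id-accessor/lookup",
    f"auth/approle/role/{ROLE}/secret-id-accessor/destroy",
}


class VaultClient:
    """HTTP equivalent of 'vault write PATH key=value' (assumed helper)."""

    def __init__(self, addr, token):
        self.addr, self.token = addr.rstrip("/"), token

    def write(self, path, data=None):
        req = urllib.request.Request(
            f"{self.addr}/v1/{path}", method="POST",
            data=json.dumps(data or {}).encode(),
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:  # HTTPError on 4xx/5xx (the 500 of Step 13)
            body = resp.read()
            return json.loads(body) if body else {}


class FakeVaultClient:
    """Offline stand-in: enforces an allow-list the way the ACL policy would
    and tracks which secret-id accessors are still live."""

    def __init__(self, allowed):
        self.allowed, self.live, self._ids = set(allowed), set(), itertools.count(1)

    def write(self, path, data=None):
        if path not in self.allowed:
            raise PermissionError(f"403 permission denied: {path}")
        data = data or {}
        if path.endswith("/secret-id"):
            n = next(self._ids)
            self.live.add(f"accessor-{n:04d}")
            return {"data": {"secret_id": f"secret-{n:04d}", "secret_id_accessor": f"accessor-{n:04d}"}}
        if path.endswith("/secret-id-accessor/lookup"):
            if data.get("secret_id_accessor") not in self.live:
                raise LookupError("failed to find accessor entry for secret_id_accessor")
            return {"data": {"secret_id_accessor": data["secret_id_accessor"]}}
        self.live.discard(data.get("secret_id_accessor"))  # .../secret-id-accessor/destroy
        return {}


def accessor_is_live(client, role, accessor):
    """Steps 11 and 13: a failing lookup means the accessor has been destroyed."""
    try:
        client.write(f"auth/approle/role/{role}/secret-id-accessor/lookup",
                     {"secret_id_accessor": accessor})
        return True
    except (LookupError, urllib.error.HTTPError):
        return False


def rotate_secret_id(client, role, old_accessor=None):
    """Issue a new secret-id, confirm Vault knows it, then retire the old one.
    The order matters: destroying the old accessor before the new secret-id is
    confirmed would leave the application with no working credential."""
    new = client.write(f"auth/approle/role/{role}/secret-id")["data"]
    if not accessor_is_live(client, role, new["secret_id_accessor"]):
        raise RuntimeError("new secret-id not visible; keeping the old credential")
    if old_accessor:
        client.write(f"auth/approle/role/{role}/secret-id-accessor/destroy",
                     {"secret_id_accessor": old_accessor})
    return new["secret_id"], new["secret_id_accessor"]


def demo():
    """Two rotations against the fake: first accessor gone, second live, and a
    write outside the narrow policy (role-id, Step 4's path) refused."""
    client = FakeVaultClient(NARROW_PATHS)
    _, first = rotate_secret_id(client, ROLE)
    _, second = rotate_secret_id(client, ROLE, old_accessor=first)
    try:
        client.write(f"auth/approle/role/{ROLE}/role-id", {"role_id": "constructed"})
        denied = False
    except PermissionError:
        denied = True
    return accessor_is_live(client, ROLE, first), accessor_is_live(client, ROLE, second), denied


if __name__ == "__main__":
    print(demo())
```

The check-before-destroy ordering is the part worth keeping even if you rewrite the rest: a rotation job that destroys first and creates second turns any transient Vault error into an outage for the application. Because secret_id_num_uses is 0 on the role in Step 4, the confirming lookup does not consume a use.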