vault | Implementation of the Autopilot Pattern for HashiCorp | Identity Management library
kandi X-RAY | vault Summary
Hashicorp Vault deployment designed for automated operation using the Autopilot Pattern. This repo serves as a blueprint demonstrating the pattern that can be reused as part of other application stacks.
Trending Discussions on vault
QUESTION
I don't understand how to apply hashicorp vault to inject secrets in my app.
The following link shows a couple of examples https://www.vaultproject.io/docs/platform/k8s/injector/examples
I used the environment variables example from the same post. But it seems not all the env variables are injected into the app. For instance, ENVs in one of my layouts don't seem to get applied: meta property="og:title" content="#{ENV['NAME']}" shows no value. But the app is running, and /vault/secrets/... has files with contents.
Here's a part of the Deployment config of my app.
When there're multiple secrets/templates, the Deployment is going to look ugly.
There's absolutely no description for configmap example but this is probably what I should be using instead of env.
ANSWER
Answered 2021-Apr-18 at 18:36
If you want to inject the vault secret into the deployment pod, what you can do:
There is one great project on GitHub, Vault-CRD in Java: https://github.com/DaspawnW/vault-crd
Vault CRD for sharing Vault Secrets with Kubernetes. It injects & syncs values from Vault to a Kubernetes secret. You can use these secrets as environment variables inside the pod.
The flow goes something like: Vault to Kubernetes secret > and that secret gets injected into the deployment using YAML, the same as a configmap.
Apart from this there is also another nice method, the sidecar pattern.
For that, there is a very nice tutorial: https://github.com/hashicorp/hands-on-with-vault-on-kubernetes
Another one: https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar
QUESTION
I have a .Net 4.6.1 app that needs to access some secrets from Azure Key Vault and I am doing it in the following manner:
ANSWER
Answered 2021-Jun-14 at 02:24
Is it the local path to the certificate that is downloaded as CER/PEM format from Azure Key Vault?
"clientCertificatePath is the path to a file which contains both the client certificate and private key." It always is the local path, but if you store it in OneDrive the path will be formatted like "C:\Users\myuser\OneDrive - Microsoft\Documents\Certs".
If I am operating in a private cloud, does it really matter (client secret / client certificate)?
In short, a certificate is more secure than a secret but it's more complex to use. Which one you choose depends on your requirements. In my opinion, a client secret can protect the Azure Key Vault when you update the secret every few months.
There are the pros and cons of client secret and client certificate:
Client secret:
Pro: Easy to deploy - just takes some code and a secure data store. Depending on the security policy, can autogenerate passwords or force new users to create them.
Pro: Easy to administrate - password resets can (for some security policies) be done with automated tools
Con: For good security, passwords should be reset early and often. User's forgetting or failing to change passwords is either a security risk or a usability hassle.
Con: Good passwords can be hard to remember, which leads to the issues of users reusing passwords or writing them down.
Con: Password data stores are a weak point - if an intruder gets the password store, he gets the motherlode.
Con: All parts of password transmission can lead to exposure - websites that store passwords locally for ease of use, internal server components that transmit in the clear, log files in COTS products that store passwords in the clear. With the secret being part of the transmission, you're only as strong as your weakest link - it takes serious effort to prevent exposure and the requirement is on both the user and the system developer.
Certificates:
Pro: Doesn't require the transmission of the secret. Proof of private key contains no secret information - mitigates all sorts of storage/transmission weak points.
Pro: Issued by a trusted party (the CA) which allows for a centralized management system for status across multiple applications. If a cert goes bad, it can get revoked. Fixing a password break-in must be done separately for each system unless a shared ID is used.
Pro: Non-repudiation case is stronger - in most password systems, the way the user is initially authenticated prior to account creation is pretty weak and the password reset mechanisms can offer another factor of plausible deniability. With many forms of certificate issuance, it's far harder for a user to say it wasn't them. Caveat - you're still only as good as your CA's issuance policies.
Pro: Serves more purposes than just authentication - can provide integrity and confidentiality as well.
Con: Still requires a password/pin - almost any private key pair storage mechanism is then unlocked with a PIN. SmartCards can have tamper protection and lockout capabilities to prevent brute force, but that doesn't fix the fact the user wrote his PIN on a sticky note next to the computer where the card is docked. Sometimes password issues reappear on a smaller scale with PKI.
Con: Complexity of infrastructure - setting up a PKI is no easy task and generally so expensive in both deployment and maintenance that it can only be used for large/expensive systems.
Con: Certificate Status reporting and updates are not easy - revoking a user credential that has become corrupted is onerous due to the size and complexity of the infrastructure. Usually, a CA generates a CRL that may or may not be provisioned within an OCSP server. Then every application should check every login for the CRL or OCSP status. This introduces a variety of time delays into the system between the time a PKI credential is reported as compromised and the time when the systems that rely on that credential actually start denying access. The speed of status update can be accelerated - but at a greater system complexity cost.
QUESTION
In the Azure Portal, one can look-up an Azure AD object based on the Object ID as shown below:
Is it possible to retrieve an Azure AD object by the Object ID using the Azure CLI?
In order to use the Azure CLI to get the object related to the object ID, it appears that I need to know in advance if the related resource is a user, group, device, app registration, etc., in order to get the details. For example, if I know the Object ID is a user, I can use az ad user show --id. If all I have is the Object ID, I don't know the 'type' of the object, yet somehow the Portal can figure this out!
While I'd prefer an Azure CLI solution, an Azure PowerShell solution would be better than nothing. I am asking the question because I'm trying to generate a list of access policies within key vault using az keyvault list, but the access policy list from that CLI command just shows Object IDs for each policy... I have no way of determining if the objects are users, groups, etc.
ANSWER
Answered 2021-Jun-14 at 02:01
If you want to get an Azure AD resource with its object id, we can use the following Microsoft Graph API
QUESTION
Small question regarding Spring Cloud Config Client and Server, especially in the scenario when BOTH are mTLS enabled.
First of all, the server. On the server side, since it is the first that has to be up, the server has in its properties file the keystore and truststore, alongside passwords, in order to start mTLS.
Now, the client. The reason to choose Spring Cloud Config in the first place is that we can store properties in git, Vault, etc...
That way, the property file of the client should be super light, just enough information to connect to the server, such as just spring.config.import=optional:configserver:http://localhost:8888
However, when mTLS is enabled at the server side, then, by definition, the client needs the proper keystore and truststore (that are stored in Git, Vault)
This is I believe a chicken and egg problem, since: in order to start the client, the client needs to retrieve the keystore and truststore and password from Git, Vault, by connecting to the server.
But in order to connect to the server, it needs the keystore and truststore and password.
Currently, it can work if on client side, the basic property file has
ANSWER
Answered 2021-Jun-13 at 04:25
Per Spring Team, nothing can be done.
https://github.com/spring-cloud/spring-cloud-config/issues/1867
QUESTION
I have a python script running on an Ubuntu Linux virtual machine that needs to access a KeyVault in Azure. I have configured the following environment variables based on an "App Registration".
ANSWER
Answered 2021-Jun-11 at 15:56
What am I missing here?
There are a few issues here:
You're trying to assign an RBAC role to an App Registration. What you need to do is assign an RBAC role to the Service Principal. To get the Service Principal Id, you would need to go to the Enterprise Applications section in Azure AD and find the Id of your Service Principal (Object ID).
Assigning the Reader RBAC role will not do the trick as this role is for managing the Key Vault itself and not the data inside it. There are two ways to solve this:
- Use Access Policies: You can define appropriate access policies in your Azure Key Vault to give access to keys, secrets and certificates to your Service Principal.
- Use Data RBAC Roles: Instead of using Management RBAC roles (like Reader, Contributor etc.), you will need to use RBAC roles for managing data inside the Key Vault.
Please see this link for more details: https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal.
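A constructed model of the two mistakes the answer describes (a grant on the App Registration's object id instead of the Service Principal's, and a management-plane role where a data-plane role or access policy is needed). This is an added illustration, not Azure SDK code or the asker's script; the object ids are made up, the role names are Azure's built-in ones.

```python
from dataclasses import dataclass, field

# Built-in Key Vault data-plane roles that permit reading secret values.
SECRET_DATA_ROLES = {"Key Vault Secrets User", "Key Vault Secrets Officer",
                     "Key Vault Administrator"}

@dataclass(frozen=True)
class AppRegistration:
    app_object_id: str  # Application object (Azure AD > App registrations)
    sp_object_id: str   # Service Principal object (Azure AD > Enterprise applications)

@dataclass
class KeyVault:
    role_assignments: dict = field(default_factory=dict)  # principal id -> role names
    access_policies: dict = field(default_factory=dict)   # principal id -> secret permissions
    rbac_authorization: bool = True  # when True, access policies are ignored

    def can_get_secret(self, app: AppRegistration) -> bool:
        """Tokens are issued to the service principal, so only its object id counts."""
        caller = app.sp_object_id
        if self.rbac_authorization:
            return bool(self.role_assignments.get(caller, set()) & SECRET_DATA_ROLES)
        return "get" in self.access_policies.get(caller, set())

    def diagnose(self, app: AppRegistration) -> list:
        """Return the reasons a secret read would be denied, per the answer above."""
        findings = []
        if app.app_object_id in self.role_assignments or app.app_object_id in self.access_policies:
            findings.append("grant targets the App Registration object id, not the Service Principal")
        sp_roles = self.role_assignments.get(app.sp_object_id, set())
        if sp_roles and not sp_roles & SECRET_DATA_ROLES:
            findings.append("service principal holds only management-plane roles: "
                            + ", ".join(sorted(sp_roles)))
        return findings

# Constructed object ids, not real Azure identifiers.
APP = AppRegistration(app_object_id="app-0001", sp_object_id="sp-0001")

def broken_vault() -> KeyVault:
    """The question's setup: Reader granted to the App Registration object."""
    return KeyVault(role_assignments={"app-0001": {"Reader"}})

def fixed_vault() -> KeyVault:
    """The answer's fix: a data-plane role granted to the Service Principal."""
    return KeyVault(role_assignments={"sp-0001": {"Key Vault Secrets User"}})

def policy_vault() -> KeyVault:
    """Alternative fix: an access policy, on a vault not using RBAC authorization."""
    return KeyVault(access_policies={"sp-0001": {"get", "list"}}, rbac_authorization=False)
```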
QUESTION
We currently use the Azure key vault product to secure our database credentials for an app hosted in Azure. For local development, we still use the appsettings.json file to store our database credentials, which results in extra logic in our app to get database credentials from different places based on our environment (development or production). Is this the right approach or should we just get our test credentials from the key vault regardless of the environment? Since getting to the key vault requires some extra http calls to Azure we figured that we would avoid the extra cost where possible. Any thought on this?
ANSWER
Answered 2021-Jun-11 at 12:48
Since you have a dev, non-prod environment I would not care much, since the main idea of Key Vault is to get properties.
In my Java development, usually for local development I have properties in a config file; then as soon as we deploy to Azure we switch on Key Vault. It's not so much about cost, it's also about flexibility: I want to be able to develop offline.
QUESTION
Windows 7 PC
- Installed Git (includes Git Bash console)
- Opened console and typed command to clone a Git repo.
- Got a warning to install .Net Framework, but wanted to install that later, so hit cancel and got the old school default username and password separate login popups (NOT the new Git Credentials popup)
- typed my user and password into the old school popups and it logged in and then properly cloned the repo to my local workspace
- Installed .NetFramework and restarted computer as necessary
- Opened Git Bash, tried to run a command that requires git login (git pull, git push, etc) and the command console freezes at that point. I would expect the new Git Credentials Manager popup to come up so I can login, but it never comes up. Neither does the old school login popup. Therefore, I cannot log in to Git, and so all actions requiring login cannot proceed.
I tried:
- restarting computer
- uninstalling and reinstalling git
- repairing .netframework
- looking for saved credentials (couldn't find anything). there should not be any saved credentials anyway since I used the old school authentication login which doesn't save them, AFAIK.
I've gone through all this before on another computer and didn't run into this. That time, after installing .netframework, when I tried a git command requiring login, the new Git Credentials Manager popped up (after which it then saved my credentials)
Searched Google and Stack Overflow / exchange etc and could not find this exact issue anywhere. Most questions were about how to stop the popup from showing and to save credentials, which is exactly the opposite issue of mine.
Note: Windows 7 should not be the issue because I've done this on a Win 7 PC without issue.
So, how do I Force a Git login popup to show up (either the new one or the old school one)?
EDIT: Tried a variety of things, still can't get the new token authentication popup, but here's what I tried and where I'm at now:
I decided to look in Windows Programs area, and did not find Git Credential Manager, which is odd because it's included with Git and I just installed Git. Anyway, downloaded and installed the standalone git credentials manager.
Then tried these:
git config --global credential.helper manager-core
git config --global credential.helperselector.selected manager-core
and got: warning: credential.helper has multiple values (and I forget the other error lines but it said something about using --replace-all to fix)
so I did: git config --global --replace-all credential.helper manager-core
and that gave no errors and seemed to do something
then I ran: git config --global credential.helperselector.selected manager-core
Then I did git push, and it automatically pushed without asking my credentials at all, which is really confusing.
So, I have still failed to get the new Token Authentication popup. This is incredibly frustrating...
EDIT 2: The plight continues Since Git Push worked without asking for creds, I realized the popup I want may not be showing up because Windows Credential Manager may already have the creds I typed previously. So I went to Windows Credential Manager, found them, and removed them from the vault.
Then I tried git pull and I finally got the NEW Token Authentication popup. My hopes skyrocketed. I entered my Token. Then my hopes were crushed when the terminal gave the following errors:
fatal: An error occurred while sending the request. fatal: The request was aborted: Could not create SSL/TLS secure channel.
EDIT 3 - SOLVED! Followed the instructions in the accepted answer below. Once I got the new token cred manager coming back up, I had to enable TLS 1.2 on my Windows 7 PC. I had the newest .net framework version, but I had to edit the registry to add a key to enable TLS 1.2. After backing up my registry, I then followed these instructions: https://help.runbox.com/enabling-tls-1-2-on-windows-7/
After restarting my computer, the TLS 1.2 was enabled, and when I got the token cred manager popup, I entered my token, it was accepted, and the popup went away. Now my creds are saved and using the new more secure token authentication.
ANSWER
Answered 2021-Jun-10 at 05:13
I would expect the new Git Credentials Manager popup to come up so I can login, but it never comes up.
For that, you would need at least to instruct Git to use it:
QUESTION
The Corda vault API contains a class called CommonQueryCriteria which is implemented like so:
ANSWER
Answered 2021-Jun-09 at 09:29
This was introduced to support querying of accounts back in Corda 4.3: https://github.com/corda/accounts/blob/master/docs.md#querying-the-vault-by-account
The Vault Query documentation mentions this new attribute right at the bottom of the page when discussing owning keys: https://docs.corda.net/docs/corda-os/4.8/api-vault-query.html#mapping-owning-keys-to-external-ids
Admittedly it is not very clear and should reference CommonQueryCriteria (not VaultQueryCriteria) and show an example.
QUESTION
I'm a novice Python user and am having trouble resolving a key error. I have checked similar questions but am still unable to resolve my issue. Below is the error, followed by the code. I'd appreciate any insights.
ANSWER
Answered 2021-Jun-09 at 02:03
It looks like you're trying to set the headers for the dataframe (if I'm guessing right). If that's the case, you can just pass the names in when creating the dataframe by passing in the columns keyword argument, like so:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported