
apptio / breakglass


A command-line tool that provides login credentials from HashiCorp Vault

License: MIT License


breakglass's Introduction

Breakglass

Breakglass is a tool that makes API calls to HashiCorp Vault servers and retrieves credentials for you.

It's designed to ease the process of getting elevated login credentials for a variety of servers.

It currently supports MySQL servers and SSH command-line access.

Features

  • Grab MySQL passwords for any vault enabled database
  • Grab a one-time-use SSH user and password to get root access to servers
  • Configuration file, so if you do the same command over and over, you don't need to remember a million flags

Vault Configuration

The tool currently assumes you have mounted your databases and hosts into Vault under specific paths.

For example, all MySQL databases should be mounted under /mysql/<hostname> in Vault. For more information, please see the docs.

Using

To use breakglass, simply download the binary. Run the command with no arguments to see the possible commands:

breakglass allows you to get login credentials for a variety of vault backends, such as databases servers, Linux servers (ssh credentials)
and AWS IAM roles

Usage:
  breakglass [command]

Available Commands:
  help        Help about any command
  mysql       Get temporary login credentials for mysql servers
  ssh         Get temporary SSH credentials for Linux serers

Flags:
      --config string      config file (default is $HOME/.breakglass/config.yaml)
      --debug              enable debug logging
      --vault string   vault host to authenticate against
      --port int      port of vault servers to use when authenticating (default 8200)

Use "breakglass [command] --help" for more information about a command.

For more help on the subcommands, run breakglass mysql help

Config

breakglass will do its best to try and detect sane defaults for you. However, some options will need to be configured.

They are configurable by either flag (meaning you have to set them every time you run breakglass) or for ease of use you can use a config file.

Place the config file in $HOME/.breakglass/config.yaml

An example config file looks like this:

username: "lbriggs"
authmethod: "ldap"
vault: "consulserver-1.example.com"
debug: false

These options can be modified as follows:

username:

This should be the username you use to authenticate to LDAP. If it's not set, breakglass will use the username you're currently logged in as.

authmethod:

This is the method you use to authenticate against vault. Currently only LDAP and userpass are supported. LDAP is the default.

vault:

Specify the Vault server you wish to use. You can pass it on the command line with --vault:

$ breakglass mysql --host lbriggs-mysql.example.com --vault consulserver-2.example.com

However, if you find yourself using the same Vault host over and over again, you can set it in the config file, and breakglass will always use that host.

debug:

Debug will enable debug logging for troubleshooting purposes. Ops may ask you to run with the debug option if you're experiencing problems.
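The defaults from the Config section and the /mysql/<hostname> mount convention from Vault Configuration, worked through as an added example; this is not breakglass's own code. The HTTPS scheme, the role name "readonly" and the hostname check are assumptions that the README does not state.

```go
package main

import (
	"fmt"
	"net/url"
	"os/user"
	"regexp"
)

// Config mirrors the README's config.yaml keys plus the --port flag.
type Config struct {
	Username, AuthMethod, Vault string
	Port                        int
}
// nameRe accepts DNS-style names only, so input cannot add URL path segments.
var nameRe = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$`)

// Resolve applies the documented defaults: OS login name, ldap, port 8200.
func Resolve(c Config) (Config, error) {
	if u, err := user.Current(); c.Username == "" && err == nil {
		c.Username = u.Username
	}
	if c.AuthMethod == "" {
		c.AuthMethod = "ldap"
	}
	if c.Port == 0 {
		c.Port = 8200
	}
	okAuth := c.AuthMethod == "ldap" || c.AuthMethod == "userpass"
	if !okAuth || c.Username == "" || !nameRe.MatchString(c.Vault) {
		return c, fmt.Errorf("rejecting authmethod %q / vault host %q", c.AuthMethod, c.Vault)
	}
	return c, nil
}

// Endpoints builds the login and /mysql/<hostname> creds URLs (https and role assumed).
func Endpoints(c Config, dbHost, role string) (login, creds string, err error) {
	if !nameRe.MatchString(dbHost) || !nameRe.MatchString(role) {
		return "", "", fmt.Errorf("invalid host %q or role %q", dbHost, role)
	}
	base := fmt.Sprintf("https://%s:%d/v1", c.Vault, c.Port)
	login = base + "/auth/" + c.AuthMethod + "/login/" + url.PathEscape(c.Username)
	return login, base + "/mysql/" + dbHost + "/creds/" + role, nil
}

func main() {
	c, _ := Resolve(Config{Vault: "consulserver-1.example.com"})
	login, creds, _ := Endpoints(c, "lbriggs-mysql.example.com", "readonly")
	fmt.Println(login, creds)
}
```

Rejecting a --host value that contains a slash keeps a request confined to the intended database mount instead of letting it address another Vault path.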

MySQL Credentials

Assuming you've configured breakglass with the config options above, simply run breakglass and specify the MySQL Server you want access to:

$ breakglass mysql --host lbriggs-mysql.example.com
Your MySQL Credentials are below
 username: read-ldap-f273c0
 password: <redacted>

You can then use these credentials to connect to the MySQL server you specified.

SSH Credentials

Assuming you've configured breakglass with the config options above, simply run breakglass and specify the SSH server you want access to:

Please enter your password:
Your SSH Credentials are:
 username: breakglass
 password: <redacted>

You can then use these credentials to connect to the Linux server you specified.

Building

See the docs

Contributing

Fork the repo in gitlab and send a merge request!

Caveats

There are currently no tests, and the code is not very DRY.

This was Apptio's first exercise in Go, and pull requests are very welcome.

breakglass's People

Contributors

dudemcbacon, grounded042, jaxxstorm


breakglass's Issues

Add vault docs

We need to add documentation about how to configure vault, so this tool can be used

Add a version command

Need to add a version command and proper version management so we can do automated releases

Set a default vault server

Currently, you always need to provide a vault server, either on the command line or via the config file.

We should default to "vault". That way, you can make use of DNS correctly to find the vault service (assuming you've set up service.consul in your search names)

Add a changelog

So that the link on the releases page actually means something.
