Securing your API authentication keys with Vault
What is Vault?
Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.
Requirements
-
Download and Install Vault
-
Download and Install postman
-
Import the Postman collection and environment variable from project folder
Postman Collection⚠️ Testsare written part of the collection to auto-update your Postman environment variables.
Getting Started
Step 1: Start Vault
Once Vault is Installed, you first need to start it up. There are two options:
Option #1: Start it up in dev mode by supplying the following cmd in Terminal
vault server -devUNSEAL key and ROOT TOKEN that's provided.
Option #2: Start it up with a pre-existing config. by supplying the following cmd in Terminal
vault server -config config.hcl config.hcl this is what vault look for on startup. Here what it looks like:
{
"listener": [{
"tcp": {
"address" : "0.0.0.0:8200",
"tls_disable" : 1
}
}],
"api_addr": "http://0.0.0.0:8200",
"storage": {
"file": {
"path" : "vault/data"
}
},
"max_lease_ttl": "10h",
"default_lease_ttl": "10h",
"ui":true
}address is the vault server address, that's the same address we will use to access the UI in a browser.
storage.file.path is the location where vault is going to create a file system for storage. Set to vault/data change value as you see fit.
ui:true enables vault's UI interface.
Step 2: Initialize and Configure Vault
Locate the provided Postman Collection folder, import the Vault.postman_collection & Vault-Env.postman_environment into Postman and env variable and start initializing vault using its APIs.
Assuming you chose to run vault using Option #2 you will need to Initialize vault only once on initial run.
In Postman in the Vault Collection, execute the following request:
init vaultthis will provide you with theUNSEAL KeyandRoot Token. Save these values.unseal vaultthis will do what it says, unseal the vault before you can start accessing your secrets.enable KV secret engineThe KV secret engine is used to store arbitrary secrets within the configured physical storage. In this case we are creating a newmountnamedkv-v1. Think of this as your path to secrets.
At this point you have everything you need to start storing API keys, Authentication, and Tokens within your Vault instance.
Step 3: Register Application
We don't want to give our application Root access, we want to register an AppRole to authenticate our app against our instance of Vault.
In the provided Postman Collection:
Add AppRolethis will setup a new AppRole authentication method within Vault.Add ACL PolicyVault is driven by policies to govern role based access. In this case we are creating a policy to give access to KV secret engine mount we created previouslykv-v1.
This is what the ACL Policy my-policy looks like:
# Dev servers have version 1 of KV secrets engine mounted by default, so will
# need these paths to grant permissions:
path "kv-v1/devnet/dnac/*" {
capabilities = ["create", "update","read"]
}3.Bind policy to role this will do what is says. It will bind my-policy to AppRole we've created and call it my-role
Step 4: Generate App Token
To generate a new CLIENT TOKEN we will first need to Fetch our Role ID and generate a new Secret ID based on the role.
In the provided Postman Collection:
Get Role IDfetchesmy-roleID created above.Create Secret IDusing themy-roleID you will generate a newSecret IDFetch Client Tokenthis will generate aclient_tokenfor us to use to Create, Read, and Update Secrets in the mount our ACL granted permission to in this casekv-v1/devnet/dnac/*Use this in you application to authenticate, Capture It!
Step 5: Create Secret
Now that we have all the pieces of the puzzle in place (step 1-4 we only need to configure once) we can now start storing secrets to be utilized by our application.
Post KV Secretusing theclient_token, we will create a new secret. In this case we are using Cisco DNA Center Sandbox and writing the secret to the mount pathkv-v1/devnet/dnac/sb1, with POST http://{{vault}}/v1/kv-v1/devnet/dnac/sb1 in Postman.
mount paths from the POST endpoint above in order to access your secrets.
Automation in code
- Access Vault using
HVAClibrary, and fetch the secret. - Authenticate against Cisco DNA Center Always On Sandbox.
- Pull a list of managed Devices.
Prerequisites
python3 -m venv venvsource venv/bin/activatepip3 install -r requirements.txtUNSEAL KEY and CLIENT TOKEN into an environment variable
Terminal:
export CLIENT_TOKEN=<PLACE_YOUR_CLIENT_TOKEN_HERE>
export UNSEAL_KEY=<PLACE_YOUR_UNSEAL_KEY_HERE>import hvac
import os
from dnacentersdk import DNACenterAPI
# Instantiate new Vault CLIENT
client = hvac.Client()
print(os.environ)
# Capture UNSEAL key we set in Env. Variable
vault_unseal_key = os.environ['UNSEAL_KEY']
print(vault_unseal_key)
# Capture the CLIENT TOKEN we set in Env. Variable
vault_client_token = os.environ['CLIENT_TOKEN']
print(vault_client_token)
# Define your MOUNT POINT and PATH where your secrets are saved
vault_mount_point = 'kv-v1'
vault_path = '/devnet/dnac/sb1'SUCCESS
You have now integrated your application with a centralized vault that holds some, if not all your API Credentials and Tokens in a secure fashion. Imagine automating a multi-domain environment where you have different API calls to different endpoints, juggling Auth Token can be tedious and time consuming. Vault makes your life simple! Cool!
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent