<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>101. Authentication methods</title><link rel="stylesheet" type="text/css" href="css/manual-multipage.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><link rel="home" href="multi_spring-cloud.html" title="Spring Cloud"><link rel="up" href="multi__spring_cloud_vault.html" title="Part XIV. Spring Cloud Vault"><link rel="prev" href="multi__client_side_usage_2.html" title="100. Client Side Usage"><link rel="next" href="multi_vault.config.backends.html" title="102. Secret Backends"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">101. Authentication methods</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="multi__client_side_usage_2.html">Prev</a> </td><th width="60%" align="center">Part XIV. Spring Cloud Vault</th><td width="20%" align="right"> <a accesskey="n" href="multi_vault.config.backends.html">Next</a></td></tr></table><hr></div><div class="chapter"><div class="titlepage"><div><div><h2 class="title"><a name="vault.config.authentication" href="#vault.config.authentication"></a>101. Authentication methods</h2></div></div></div><p>Different organizations have different requirements for security
and authentication. Vault reflects that need by shipping multiple authentication
methods. Spring Cloud Vault supports token and AppId authentication.</p><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.authentication.token" href="#vault.config.authentication.token"></a>101.1 Token authentication</h2></div></div></div><p>Tokens are the core method for authentication within Vault.
Token authentication requires a static token to be provided using the
<a class="link" href="https://github.com/spring-cloud/spring-cloud-commons/blob/master/docs/src/main/asciidoc/spring-cloud-commons.adoc#the-bootstrap-application-context" target="_top">Bootstrap Application Context</a>.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>Token authentication is the default authentication method.
If a token is disclosed, an unintended party gains access to Vault and
can access secrets for the intended client.</p></td></tr></table></div><div class="example"><a name="d0e30346" href="#d0e30346"></a><p class="title"><b>Example 101.1. bootstrap.yml</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> authentication</span>: TOKEN
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> token</span>: <span class="hl-number">00000000</span>-<span class="hl-number">0000</span>-<span class="hl-number">0000</span>-<span class="hl-number">0000</span>-<span class="hl-number">000000000000</span></pre></div></div><br class="example-break"><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">authentication</code> setting this value to <code class="literal">TOKEN</code> selects the Token
authentication method</li><li class="listitem"><code class="literal">token</code> sets the static token to use</li></ul></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/concepts/tokens.html" target="_top">Vault Documentation: Tokens</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.authentication.appid" href="#vault.config.authentication.appid"></a>101.2 AppId authentication</h2></div></div></div><p>Vault supports <a class="link" href="https://www.vaultproject.io/docs/auth/app-id.html" target="_top">AppId</a>
authentication that consists of two hard-to-guess tokens. The AppId
defaults to <code class="literal">spring.application.name</code>, which is statically configured.
The second token is the UserId, a part determined by the application,
usually related to the runtime environment. An IP address, Mac address or
Docker container name are good examples. Spring Cloud Vault Config supports
IP address, Mac address and static UserIds (e.g. supplied via System properties).
The IP and Mac address are represented as a hex-encoded SHA256 hash.</p><p>IP address-based UserIds use the local host’s IP address.</p><div class="example"><a name="d0e30382" href="#d0e30382"></a><p class="title"><b>Example 101.2. bootstrap.yml using SHA256 IP-Address UserIds</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> authentication</span>: APPID
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> app-id</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> user-id</span>: IP_ADDRESS</pre></div></div><br class="example-break"><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">authentication</code> setting this value to <code class="literal">APPID</code> selects the AppId
authentication method</li><li class="listitem"><code class="literal">app-id-path</code> sets the path of the AppId mount to use</li><li class="listitem"><code class="literal">user-id</code> sets the UserId method. Possible values are <code class="literal">IP_ADDRESS</code>,
<code class="literal">MAC_ADDRESS</code> or a class name implementing a custom <code class="literal">AppIdUserIdMechanism</code></li></ul></div><p>The corresponding command to generate the IP address UserId from a command line is:</p><pre class="screen">$ echo -n 192.168.99.1 | sha256sum</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>Including the line break of <code class="literal">echo</code> leads to a different hash value
so make sure to include the <code class="literal">-n</code> flag.</p></td></tr></table></div><p>Mac address-based UserIds obtain their hardware address from the
network device bound to localhost. The configuration also allows specifying
a <code class="literal">network-interface</code> hint to pick the right device. The value of
<code class="literal">network-interface</code> is optional and can be either an interface
name or an interface index (0-based).</p><div class="example"><a name="d0e30435" href="#d0e30435"></a><p class="title"><b>Example 101.3. bootstrap.yml using SHA256 Mac-Address UserIds</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> authentication</span>: APPID
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> app-id</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> user-id</span>: MAC_ADDRESS
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> network-interface</span>: eth0</pre></div></div><br class="example-break"><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">network-interface</code> sets the network interface from which the physical address is obtained</li></ul></div><p>The corresponding command to generate the Mac address UserId from a command line is:</p><pre class="screen">$ echo -n 0AFEDE1234AC | sha256sum</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>The Mac address is specified uppercase and without colons.
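The following is an added example, not code from the Spring Cloud Vault project: a class implementing the AppIdUserIdMechanism interface described in Section 101.2.1 that derives the same hex-encoded SHA256 UserIds as the sha256sum commands in this section, hashing the bare IP address with no trailing newline, or the Mac address normalized to uppercase without separators. The class name, its helper methods and the optional interface-name constructor argument are assumptions of this example.

```java
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.springframework.cloud.vault.AppIdUserIdMechanism;

/**
 * Added example (not part of Spring Cloud Vault): a custom AppIdUserIdMechanism that
 * reproduces the documented UserId derivation. The UserId is the lowercase hex SHA256
 * of either the raw IP address string (what "echo -n 192.168.99.1 | sha256sum" prints)
 * or the Mac address written uppercase without colons (e.g. "0AFEDE1234AC").
 * Only the interface name comes from the documentation; everything else is ours.
 */
public class HashedAddressUserIdMechanism implements AppIdUserIdMechanism {

    /** Optional interface name hint (like the network-interface property); null = auto. */
    private final String networkInterface;

    public HashedAddressUserIdMechanism() {
        this(null);
    }

    public HashedAddressUserIdMechanism(String networkInterface) {
        this.networkInterface = networkInterface;
    }

    @Override
    public String createUserId() {
        try {
            NetworkInterface nic = networkInterface != null
                    ? NetworkInterface.getByName(networkInterface)
                    : NetworkInterface.getByInetAddress(InetAddress.getLocalHost());
            byte[] mac = nic != null ? nic.getHardwareAddress() : null;
            if (mac != null) {
                return macAddressUserId(mac);
            }
            // No usable hardware address (e.g. loopback): fall back to the IP address form.
            return ipAddressUserId(InetAddress.getLocalHost().getHostAddress());
        } catch (SocketException | UnknownHostException e) {
            throw new IllegalStateException("Cannot determine local address for UserId", e);
        }
    }

    /** Same as "echo -n 192.168.99.1 | sha256sum": hash the bare address, no trailing newline. */
    static String ipAddressUserId(String hostAddress) {
        return sha256Hex(hostAddress);
    }

    /** Format the hardware address as uppercase hex without colons, then hash it. */
    static String macAddressUserId(byte[] hardwareAddress) {
        StringBuilder sb = new StringBuilder(hardwareAddress.length * 2);
        for (byte b : hardwareAddress) {
            sb.append(String.format("%02X", b)); // %X treats the byte as unsigned
        }
        return sha256Hex(sb.toString());
    }

    /** Accept a Mac given as "0a:fe:de:12:34:ac" or "0A-FE-DE-12-34-AC" and normalize it first. */
    static String macAddressUserId(String mac) {
        String normalized = mac.replaceAll("[:\\-]", "").toUpperCase();
        if (!normalized.matches("[0-9A-F]{12}")) {
            throw new IllegalArgumentException("Not a MAC address: " + mac);
        }
        return sha256Hex(normalized);
    }

    /** Lowercase hex SHA256 over the UTF-8 bytes, matching the output format of sha256sum. */
    static String sha256Hex(String value) {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
            byte[] hash = digest.digest(value.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(hash.length * 2);
            for (byte b : hash) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }
}
```

Configuring `spring.cloud.vault.app-id.user-id` with this class name makes Spring Cloud Vault call `createUserId()` on every AppId login; keep in mind that the hashed address is only as hard to guess as the address itself.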
Including the line break of <code class="literal">echo</code> leads to a different hash value
so make sure to include the <code class="literal">-n</code> flag.</p></td></tr></table></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="_custom_userid" href="#_custom_userid"></a>101.2.1 Custom UserId</h3></div></div></div><p>The UserId generation is an open mechanism. You can set
<code class="literal">spring.cloud.vault.app-id.user-id</code> to any string and the configured
value will be used as static UserId.</p><p>A more advanced approach lets you set <code class="literal">spring.cloud.vault.app-id.user-id</code> to a
class name. This class must be on your classpath and must implement
the <code class="literal">org.springframework.cloud.vault.AppIdUserIdMechanism</code> interface
and the <code class="literal">createUserId</code> method. Spring Cloud Vault will obtain the UserId
by calling <code class="literal">createUserId</code> each time it authenticates using AppId to
obtain a token.</p><div class="example"><a name="d0e30481" href="#d0e30481"></a><p class="title"><b>Example 101.4. bootstrap.yml</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> authentication</span>: APPID
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> app-id</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> user-id</span>: com.example.MyUserIdMechanism</pre></div></div><br class="example-break"><div class="example"><a name="d0e30486" href="#d0e30486"></a><p class="title"><b>Example 101.5. MyUserIdMechanism.java</b></p><div class="example-contents"><pre class="programlisting">public class MyUserIdMechanism implements AppIdUserIdMechanism <span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">{</span>
<em><span class="hl-annotation" style="color: gray">@Override</span></em>
public String createUserId() <span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">{</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> String userId </span>= ...
return userId;
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">}</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">}</span></pre></div></div><br class="example-break"><p>See also: <a class="link" href="https://www.vaultproject.io/docs/auth/app-id.html" target="_top">Vault Documentation: Using the App ID auth backend</a></p></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="_approle_authentication" href="#_approle_authentication"></a>101.3 AppRole authentication</h2></div></div></div><p><a class="link" href="https://www.vaultproject.io/docs/auth/app-id.html" target="_top">AppRole</a> is intended for machine
authentication, like the deprecated (since Vault 0.6.1) <a class="xref" href="multi_vault.config.authentication.html#vault.config.authentication.appid" title="101.2 AppId authentication">Section 101.2, “AppId authentication”</a>.
AppRole authentication consists of two hard-to-guess (secret) tokens: RoleId and SecretId.</p><p>Spring Vault supports various AppRole scenarios (push/pull mode and wrapped).</p><p>RoleId and optionally SecretId must be provided by configuration;
Spring Vault will not look them up or create a custom SecretId.</p><div class="example"><a name="d0e30508" href="#d0e30508"></a><p class="title"><b>Example 101.6. bootstrap.yml with AppRole authentication properties</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> authentication</span>: APPROLE
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> app-role</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> role-id</span>: bde2076b-cccb-<span class="hl-number">3</span>cf0-d57e-bca7b1e83a52</pre></div></div><br class="example-break"><p>The following scenarios are supported along the required configuration details:</p><div class="table"><a name="d0e30515" href="#d0e30515"></a><p class="title"><b>Table 101.1. Configuration</b></p><div class="table-contents"><table class="table" summary="Configuration" style="border-collapse: collapse;border-top: 1px solid ; border-bottom: 1px solid ; "><colgroup><col class="col_1"><col class="col_2"><col class="col_3"><col class="col_4"><col class="col_5"></colgroup><tbody><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p><span class="strong"><strong>Method</strong></span></p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p><span class="strong"><strong>RoleId</strong></span></p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p><span class="strong"><strong>SecretId</strong></span></p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p><span class="strong"><strong>RoleName</strong></span></p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p><span class="strong"><strong>Token</strong></span></p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided RoleId/SecretId</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"> </td><td style="border-bottom: 1px solid ; " align="left" valign="top"> </td></tr><tr><td style="border-right: 
1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided RoleId without SecretId</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"> </td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"> </td><td style="border-bottom: 1px solid ; " align="left" valign="top"> </td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided RoleId, Pull SecretId</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Pull RoleId, provided SecretId</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"> </td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Full Pull Mode</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"> </td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"> </td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " 
align="left" valign="top"><p>Provided</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Wrapped</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"> </td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"> </td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"> </td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Wrapped RoleId, provided SecretId</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"> </td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"> </td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td></tr><tr><td style="border-right: 1px solid ; " align="left" valign="top"><p>Provided RoleId, wrapped SecretId</p></td><td style="border-right: 1px solid ; " align="left" valign="top"> </td><td style="border-right: 1px solid ; " align="left" valign="top"><p>Provided</p></td><td style="border-right: 1px solid ; " align="left" valign="top"> </td><td style="" align="left" valign="top"><p>Provided</p></td></tr></tbody></table></div></div><br class="table-break"><div class="table"><a name="d0e30644" href="#d0e30644"></a><p class="title"><b>Table 101.2. 
Pull/Push/Wrapped Matrix</b></p><div class="table-contents"><table class="table" summary="Pull/Push/Wrapped Matrix" style="border-collapse: collapse;border-top: 1px solid ; border-bottom: 1px solid ; "><colgroup><col class="col_1"><col class="col_2"><col class="col_3"></colgroup><tbody><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p><span class="strong"><strong>RoleId</strong></span></p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p><span class="strong"><strong>SecretId</strong></span></p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p><span class="strong"><strong>Supported</strong></span></p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>✅</p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Pull</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>✅</p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Wrapped</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>✅</p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Absent</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>✅</p></td></tr><tr><td 
style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Pull</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>✅</p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Pull</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Pull</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>✅</p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Pull</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Wrapped</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>❌</p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Pull</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Absent</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>❌</p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Wrapped</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Provided</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>✅</p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Wrapped</p></td><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Pull</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>❌</p></td></tr><tr><td style="border-right: 1px solid ; border-bottom: 1px solid ; " align="left" valign="top"><p>Wrapped</p></td><td style="border-right: 1px solid ; 
border-bottom: 1px solid ; " align="left" valign="top"><p>Wrapped</p></td><td style="border-bottom: 1px solid ; " align="left" valign="top"><p>✅</p></td></tr><tr><td style="border-right: 1px solid ; " align="left" valign="top"><p>Wrapped</p></td><td style="border-right: 1px solid ; " align="left" valign="top"><p>Absent</p></td><td style="" align="left" valign="top"><p>❌</p></td></tr></tbody></table></div></div><br class="table-break"><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>You can use still all combinations of push/pull/wrapped modes by providing a configured <code class="literal">AppRoleAuthentication</code> bean within the bootstrap context. Spring Cloud Vault cannot derive all possible AppRole combinations from the configuration properties.</p></td></tr></table></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Important"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Important]" src="images/important.png"></td><th align="left">Important</th></tr><tr><td align="left" valign="top"><p>AppRole authentication is limited to simple pull mode using reactive infrastructure. Full pull mode is not yet supported. Using Spring Cloud Vault with the Spring WebFlux stack enables Vault’s reactive auto-configuration which can be disabled by setting <code class="literal">spring.cloud.vault.reactive.enabled=false</code>.</p></td></tr></table></div><div class="example"><a name="d0e30797" href="#d0e30797"></a><p class="title"><b>Example 101.7. bootstrap.yml with all AppRole authentication properties</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> authentication</span>: APPROLE
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> app-role</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> role-id</span>: bde2076b-cccb-<span class="hl-number">3</span>cf0-d57e-bca7b1e83a52
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> secret-id</span>: <span class="hl-number">1696536f</span>-<span class="hl-number">1976</span>-<span class="hl-number">73</span>b1-b241-<span class="hl-number">0</span>b4213908d39
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> role</span>: my-role
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> app-role-path</span>: approle</pre></div></div><br class="example-break"><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">role-id</code> sets the RoleId.</li><li class="listitem"><code class="literal">secret-id</code> sets the SecretId. SecretId can be omitted if AppRole is configured without requiring SecretId (See <code class="literal">bind_secret_id</code>).</li><li class="listitem"><code class="literal">role</code>: sets the AppRole name for pull mode.</li><li class="listitem"><code class="literal">app-role-path</code> sets the path of the approle authentication mount to use.</li></ul></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/auth/approle.html" target="_top">Vault Documentation: Using the AppRole auth backend</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.authentication.awsec2" href="#vault.config.authentication.awsec2"></a>101.4 AWS-EC2 authentication</h2></div></div></div><p>The <a class="link" href="https://www.vaultproject.io/docs/auth/aws-ec2.html" target="_top">aws-ec2</a>
auth backend provides a secure introduction mechanism
for AWS EC2 instances, allowing automated retrieval of a Vault
token. Unlike most Vault authentication backends, this backend
does not require first deploying or provisioning security-sensitive
credentials (tokens, username/password, client certificates, etc.).
Instead, it treats AWS as a Trusted Third Party and uses the
cryptographically signed dynamic metadata information that uniquely
represents each EC2 instance.</p><div class="example"><a name="d0e30838" href="#d0e30838"></a><p class="title"><b>Example 101.8. bootstrap.yml using AWS-EC2 Authentication</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> authentication</span>: AWS_EC2</pre></div></div><br class="example-break"><p>AWS-EC2 authentication enables a nonce by default to follow
the Trust On First Use (TOFU) principle. Any unintended party that
gains access to the PKCS#7 identity metadata can authenticate
against Vault.</p><p>During the first login, Spring Cloud Vault generates a nonce
that is stored in the auth backend alongside the instance Id.
Re-authentication requires the same nonce to be sent. Any other
party does not have the nonce, and its attempt can raise an alert in Vault for
further investigation.</p><p>The nonce is kept in memory and is lost during application restart.
You can configure a static nonce with <code class="literal">spring.cloud.vault.aws-ec2.nonce</code>.</p><p>AWS-EC2 authentication roles are optional and default to the AMI.
You can configure the authentication role by setting the
<code class="literal">spring.cloud.vault.aws-ec2.role</code> property.</p><div class="example"><a name="d0e30857" href="#d0e30857"></a><p class="title"><b>Example 101.9. bootstrap.yml with configured role</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> authentication</span>: AWS_EC2
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> aws-ec2</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> role</span>: application-server</pre></div></div><br class="example-break"><div class="example"><a name="d0e30862" href="#d0e30862"></a><p class="title"><b>Example 101.10. bootstrap.yml with all AWS EC2 authentication properties</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> authentication</span>: AWS_EC2
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> aws-ec2</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> role</span>: application-server
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> aws-ec2-path</span>: aws-ec2
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> identity-document</span>: http://...
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute"> nonce</span>: my-static-nonce</pre></div></div><br class="example-break"><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">authentication</code> setting this value to <code class="literal">AWS_EC2</code> selects the AWS EC2
authentication method</li><li class="listitem"><code class="literal">role</code> sets the name of the role against which the login is being attempted.</li><li class="listitem"><code class="literal">aws-ec2-path</code> sets the path of the AWS EC2 mount to use</li><li class="listitem"><code class="literal">identity-document</code> sets URL of the PKCS#7 AWS EC2 identity document</li><li class="listitem"><code class="literal">nonce</code> used for AWS-EC2 authentication. An empty nonce defaults to nonce generation</li></ul></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/auth/aws.html" target="_top">Vault Documentation: Using the aws auth backend</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.authentication.awsiam" href="#vault.config.authentication.awsiam"></a>101.5 AWS-IAM authentication</h2></div></div></div><p>The <a class="link" href="https://www.vaultproject.io/docs/auth/aws-ec2.html" target="_top">aws</a> backend provides a secure
authentication mechanism for AWS IAM roles, allowing automatic authentication with
Vault based on the current IAM role of the running application.
Unlike most Vault authentication backends, this backend
does not require first deploying or provisioning security-sensitive
credentials (tokens, username/password, client certificates, etc.).
Instead, it treats AWS as a Trusted Third Party and uses the
four pieces of information signed by the caller with their IAM credentials
to verify that the caller is indeed using that IAM role.</p><p>The current IAM role the application is running in is determined automatically.
If you are running your application on AWS ECS then the application
will use the IAM role assigned to the ECS task of the running container.
If you are running your application directly on an EC2 instance then
the IAM role used will be the one assigned to the EC2 instance.</p><p>When using the AWS-IAM authentication you must create a role in Vault
|
|
and assign it to your IAM role. An empty <code class="literal">role</code> defaults to
|
|
the friendly name the current IAM role.</p><div class="example"><a name="d0e30915" href="#d0e30915"></a><p class="title"><b>Example 101.11. bootstrap.yml with required AWS-IAM Authentication properties</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  authentication</span>: AWS_IAM</pre></div></div><br class="example-break"><div class="example"><a name="d0e30920" href="#d0e30920"></a><p class="title"><b>Example 101.12. bootstrap.yml with all AWS-IAM Authentication properties</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  authentication</span>: AWS_IAM
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  aws-iam</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    role</span>: my-dev-role
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    aws-path</span>: aws
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    server-id</span>: some.server.name</pre></div></div><br class="example-break"><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">role</code> sets the name of the role against which the login is being attempted. This should be bound to your IAM role. If one is not supplied, the friendly name of the current IAM user is used as the Vault role.</li><li class="listitem"><code class="literal">aws-path</code> sets the path of the AWS mount to use.</li><li class="listitem"><code class="literal">server-id</code> sets the value to use for the <code class="literal">X-Vault-AWS-IAM-Server-ID</code> header, which prevents certain types of replay attacks.</li></ul></div><p>AWS-IAM requires the AWS Java SDK dependency (<code class="literal">com.amazonaws:aws-java-sdk-core</code>)
as the authentication implementation uses AWS SDK types for credentials and request signing.</p><p>See also: <a class="link" href="https://www.vaultproject.io/docs/auth/aws.html" target="_top">Vault Documentation: Using the aws auth backend</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.authentication.azuremsi" href="#vault.config.authentication.azuremsi"></a>101.6 Azure MSI authentication</h2></div></div></div><p>The <a class="link" href="https://www.vaultproject.io/docs/auth/azure.html" target="_top">azure</a>
auth backend provides a secure introduction mechanism
for Azure VM instances, allowing automated retrieval of a Vault
token. Unlike most Vault authentication backends, this backend
does not require first deploying or provisioning security-sensitive
credentials (tokens, username/password, client certificates, etc.).
Instead, it treats Azure as a Trusted Third Party and uses the
managed service identity and instance metadata information that can be
bound to a VM instance.</p><div class="example"><a name="d0e30961" href="#d0e30961"></a><p class="title"><b>Example 101.13. bootstrap.yml with required Azure Authentication properties</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  authentication</span>: AZURE_MSI
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  azure-msi</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    role</span>: my-dev-role</pre></div></div><br class="example-break"><div class="example"><a name="d0e30966" href="#d0e30966"></a><p class="title"><b>Example 101.14. bootstrap.yml with all Azure Authentication properties</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  authentication</span>: AZURE_MSI
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  azure-msi</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    role</span>: my-dev-role
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    azure-path</span>: azure</pre></div></div><br class="example-break"><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">role</code> sets the name of the role against which the login is being attempted.</li><li class="listitem"><code class="literal">azure-path</code> sets the path of the Azure mount to use.</li></ul></div><p>Azure MSI authentication fetches environmental details about the virtual machine
(subscription Id, resource group, VM name) from the instance metadata service.</p><p>See also: <a class="link" href="https://www.vaultproject.io/docs/auth/azure.html" target="_top">Vault Documentation: Using the azure auth backend</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.authentication.clientcert" href="#vault.config.authentication.clientcert"></a>101.7 TLS certificate authentication</h2></div></div></div><p>The <code class="literal">cert</code> auth backend allows authentication using SSL/TLS client
certificates that are either signed by a CA or self-signed.</p><p>To enable <code class="literal">cert</code> authentication you need to:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Use SSL, see <a class="xref" href="multi_vault.config.ssl.html" title="107. Vault Client SSL configuration">Chapter 107, <i>Vault Client SSL configuration</i></a></li><li class="listitem">Configure a Java <code class="literal">Keystore</code> that contains the client
certificate and the private key</li><li class="listitem">Set <code class="literal">spring.cloud.vault.authentication</code> to <code class="literal">CERT</code></li></ol></div><div class="example"><a name="d0e31020" href="#d0e31020"></a><p class="title"><b>Example 101.15. bootstrap.yml</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  authentication</span>: CERT
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  ssl</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    key-store</span>: classpath:keystore.jks
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    key-store-password</span>: changeit
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    cert-auth-path</span>: cert</pre></div></div><br class="example-break"><p>See also: <a class="link" href="https://www.vaultproject.io/docs/auth/cert.html" target="_top">Vault Documentation: Using the Cert auth backend</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.authentication.cubbyhole" href="#vault.config.authentication.cubbyhole"></a>101.8 Cubbyhole authentication</h2></div></div></div><p>Cubbyhole authentication uses Vault primitives to provide a secured authentication
workflow. Cubbyhole authentication uses tokens as the primary login method.
An ephemeral token is used to obtain a second login token (a VaultToken) from Vault’s
Cubbyhole secret backend. The login token is usually longer-lived and is used to
interact with Vault. The login token is retrieved from a wrapped
response stored at <code class="literal">/cubbyhole/response</code>.</p><p><span class="strong"><strong>Creating a wrapped token</strong></span></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>Response Wrapping for token creation requires Vault 0.6.0 or higher.</p></td></tr></table></div><div class="example"><a name="d0e31043" href="#d0e31043"></a><p class="title"><b>Example 101.16. Creating and storing tokens</b></p><div class="example-contents"><pre class="programlisting">$ vault token-create -wrap-ttl="10m"
Key                             Value
---                             -----
wrapping_token:                 397ccb93-ff6c-b17b-9389-380b01ca2645
wrapping_token_ttl:             0h10m0s
wrapping_token_creation_time:   2016-09-18 20:29:48.652957077 +0200 CEST
wrapped_accessor:               46b6aebb-187f-932a-26d7-4f3d86a68319</pre></div></div><br class="example-break"><div class="example"><a name="d0e31048" href="#d0e31048"></a><p class="title"><b>Example 101.17. bootstrap.yml</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  authentication</span>: CUBBYHOLE
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  token</span>: 397ccb93-ff6c-b17b-9389-380b01ca2645</pre></div></div><br class="example-break"><p>See also:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><a class="link" href="https://www.vaultproject.io/docs/concepts/tokens.html" target="_top">Vault Documentation: Tokens</a></li><li class="listitem"><a class="link" href="https://www.vaultproject.io/docs/secrets/cubbyhole/index.html" target="_top">Vault Documentation: Cubbyhole Secret Backend</a></li><li class="listitem"><a class="link" href="https://www.vaultproject.io/docs/concepts/response-wrapping.html" target="_top">Vault Documentation: Response Wrapping</a></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.authentication.gcpgce" href="#vault.config.authentication.gcpgce"></a>101.9 GCP-GCE authentication</h2></div></div></div><p>The <a class="link" href="https://www.vaultproject.io/docs/auth/gcp.html" target="_top">gcp</a>
auth backend allows Vault login by using existing GCP (Google Cloud Platform) IAM and GCE credentials.</p><p>GCP GCE (Google Compute Engine) authentication creates a signature in the form of a
JSON Web Token (JWT) for a service account. A JWT for a Compute Engine instance
is obtained from the GCE metadata service using <a class="link" href="https://cloud.google.com/compute/docs/instances/verifying-instance-identity" target="_top">Instance identification</a>.
This API creates a JSON Web Token that can be used to confirm the instance identity.</p><p>Unlike most Vault authentication backends, this backend
does not require first deploying or provisioning security-sensitive
credentials (tokens, username/password, client certificates, etc.).
Instead, it treats GCP as a Trusted Third Party and uses the
cryptographically signed dynamic metadata information that uniquely
represents each GCP service account.</p><div class="example"><a name="d0e31083" href="#d0e31083"></a><p class="title"><b>Example 101.18. bootstrap.yml with required GCP-GCE Authentication properties</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  authentication</span>: GCP_GCE
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  gcp-gce</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    role</span>: my-dev-role</pre></div></div><br class="example-break"><div class="example"><a name="d0e31088" href="#d0e31088"></a><p class="title"><b>Example 101.19. bootstrap.yml with all GCP-GCE Authentication properties</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  authentication</span>: GCP_GCE
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  gcp-gce</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    gcp-path</span>: gcp
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    role</span>: my-dev-role
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    service-account</span>: my-service@projectid.iam.gserviceaccount.com</pre></div></div><br class="example-break"><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">role</code> sets the name of the role against which the login is being attempted.</li><li class="listitem"><code class="literal">gcp-path</code> sets the path of the GCP mount to use.</li><li class="listitem"><code class="literal">service-account</code> allows overriding the service account Id to a specific value. Defaults to the <code class="literal">default</code> service account.</li></ul></div><p>See also:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><a class="link" href="https://www.vaultproject.io/docs/auth/gcp.html" target="_top">Vault Documentation: Using the GCP auth backend</a></li><li class="listitem"><a class="link" href="https://cloud.google.com/compute/docs/instances/verifying-instance-identity" target="_top">GCP Documentation: Verifying the Identity of Instances</a></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.authentication.gcpiam" href="#vault.config.authentication.gcpiam"></a>101.10 GCP-IAM authentication</h2></div></div></div><p>The <a class="link" href="https://www.vaultproject.io/docs/auth/gcp.html" target="_top">gcp</a>
auth backend allows Vault login by using existing GCP (Google Cloud Platform) IAM and GCE credentials.</p><p>GCP IAM authentication creates a signature in the form of a JSON Web Token (JWT)
for a service account. A JWT for a service account is obtained by
calling GCP IAM’s <a class="link" href="https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signJwt" target="_top"><code class="literal">projects.serviceAccounts.signJwt</code></a> API. The caller authenticates against GCP IAM
and thereby proves its identity. This Vault backend treats GCP as a Trusted Third Party.</p><p>IAM credentials can be obtained either from the runtime environment,
specifically the <a class="link" href="https://cloud.google.com/docs/authentication/production" target="_top"><code class="literal">GOOGLE_APPLICATION_CREDENTIALS</code></a>
environment variable or the Google Compute metadata service,
or supplied externally, e.g. as JSON or as a base64-encoded key.
JSON is the preferred form as it carries the project id and
service account identifier required for calling <code class="literal">projects.serviceAccounts.signJwt</code>.</p><div class="example"><a name="d0e31146" href="#d0e31146"></a><p class="title"><b>Example 101.20. bootstrap.yml with required GCP-IAM Authentication properties</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  authentication</span>: GCP_IAM
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  gcp-iam</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    role</span>: my-dev-role</pre></div></div><br class="example-break"><div class="example"><a name="d0e31151" href="#d0e31151"></a><p class="title"><b>Example 101.21. bootstrap.yml with all GCP-IAM Authentication properties</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  authentication</span>: GCP_IAM
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  gcp-iam</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    credentials</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">      location</span>: classpath:credentials.json
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">      encoded-key</span>: e+KApn0=
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    gcp-path</span>: gcp
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    jwt-validity</span>: 15m
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    project-id</span>: my-project-id
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    role</span>: my-dev-role
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    service-account</span>: my-service@projectid.iam.gserviceaccount.com</pre></div></div><br class="example-break"><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">role</code> sets the name of the role against which the login is being attempted.</li><li class="listitem"><code class="literal">credentials.location</code> sets the path to the credentials resource that contains Google credentials in JSON format.</li><li class="listitem"><code class="literal">credentials.encoded-key</code> sets the base64-encoded contents of an OAuth2 account private key in JSON format.</li><li class="listitem"><code class="literal">gcp-path</code> sets the path of the GCP mount to use.</li><li class="listitem"><code class="literal">jwt-validity</code> configures the JWT token validity. Defaults to 15 minutes.</li><li class="listitem"><code class="literal">project-id</code> allows overriding the project Id to a specific value. Defaults to the project Id from the obtained credential.</li><li class="listitem"><code class="literal">service-account</code> allows overriding the service account Id to a specific value. Defaults to the service account from the obtained credential.</li></ul></div><p>GCP IAM authentication requires the Google Cloud Java SDK dependency
(<code class="literal">com.google.apis:google-api-services-iam</code> and <code class="literal">com.google.auth:google-auth-library-oauth2-http</code>)
as the authentication implementation uses Google APIs for credentials and JWT signing.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>Google credentials require an OAuth 2 token whose lifecycle must be maintained. That API
is entirely synchronous; therefore, <code class="literal">GcpIamAuthentication</code> does not support <code class="literal">AuthenticationSteps</code>, which are
required for reactive usage.</p></td></tr></table></div><p>See also:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><a class="link" href="https://www.vaultproject.io/docs/auth/gcp.html" target="_top">Vault Documentation: Using the GCP auth backend</a></li><li class="listitem"><a class="link" href="https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signJwt" target="_top">GCP Documentation: projects.serviceAccounts.signJwt</a><a name="vault.authentication.gcpiam" href="#vault.authentication.gcpiam"></a></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.authentication.kubernetes" href="#vault.config.authentication.kubernetes"></a>101.11 Kubernetes authentication</h2></div></div></div><p>The Kubernetes authentication mechanism (since Vault 0.8.3) allows authenticating with Vault using a Kubernetes Service Account Token.
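</p><p>An added example (Python, not Spring Cloud Vault's own code) of the exchange the KUBERNETES setting performs: read the service account token file mounted into the pod, decode the claims that the Vault role is bound to, and build the login request for the Kubernetes mount. The token, its namespace and service account name are constructed.</p>

```python
"""Kubernetes auth: forward the pod's service account JWT to Vault. Added Python
example (not Spring Cloud Vault's Java code); the token below is constructed and
its signature is fake, which is fine because Vault, not the client, verifies it."""
import base64
import json
import os
import tempfile

# Default location of the token file (the service-account-token-file property).
TOKEN_FILE = "/var/run/secrets/kubernetes.io/serviceaccount/token"

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def read_service_account_jwt(path: str = TOKEN_FILE) -> str:
    """Read the mounted token; projected tokens may end with a newline."""
    with open(path, encoding="utf-8") as f:
        token = f.read().strip()
    if not token:
        raise ValueError(f"{path} is empty")
    return token

def jwt_claims(token: str) -> dict:
    """Decode the claims WITHOUT verifying the signature: the client never has to
    trust the token, it only forwards it, and Vault verifies it against the cluster."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def build_login_request(token: str, role: str, kubernetes_path: str = "kubernetes") -> dict:
    """Request for auth/{kubernetes-path}/login, plus the identity the Vault role
    must be bound to (bound_service_account_names / bound_service_account_namespaces)."""
    claims = jwt_claims(token)
    return {
        "path": f"auth/{kubernetes_path}/login",
        "body": {"role": role, "jwt": token},
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace"),
        "service_account": claims.get("kubernetes.io/serviceaccount/service-account.name"),
    }

def constructed_token() -> str:
    """A constructed legacy-format service account token carrying the claims
    Vault's role binds on; the signature segment is not a real signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "payments",
        "kubernetes.io/serviceaccount/service-account.name": "vault-client",
        "sub": "system:serviceaccount:payments:vault-client",
    }
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"not-a-real-signature")])

def demo(role: str = "my-dev-role") -> dict:
    """Write the constructed token to a temp file standing in for TOKEN_FILE."""
    with tempfile.NamedTemporaryFile("w", suffix=".token", delete=False) as f:
        f.write(constructed_token() + "\n")
    try:
        return build_login_request(read_service_account_jwt(f.name), role)
    finally:
        os.unlink(f.name)
```

<p>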
The authentication is role based; the role is bound to a service account name and a namespace.</p><p>A file containing a JWT token for a pod’s service account is automatically mounted at <code class="literal">/var/run/secrets/kubernetes.io/serviceaccount/token</code>.</p><div class="example"><a name="d0e31231" href="#d0e31231"></a><p class="title"><b>Example 101.22. bootstrap.yml with all Kubernetes authentication properties</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  authentication</span>: KUBERNETES
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  kubernetes</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    role</span>: my-dev-role
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    kubernetes-path</span>: kubernetes
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    service-account-token-file</span>: /var/run/secrets/kubernetes.io/serviceaccount/token</pre></div></div><br class="example-break"><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">role</code> sets the name of the role against which the login is being attempted.</li><li class="listitem"><code class="literal">kubernetes-path</code> sets the path of the Kubernetes mount to use.</li><li class="listitem"><code class="literal">service-account-token-file</code> sets the location of the file containing the Kubernetes Service Account Token. Defaults to <code class="literal">/var/run/secrets/kubernetes.io/serviceaccount/token</code>.</li></ul></div><p>See also:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><a class="link" href="https://www.vaultproject.io/docs/auth/kubernetes.html" target="_top">Vault Documentation: Kubernetes</a></li><li class="listitem"><a class="link" href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/" target="_top">Kubernetes Documentation: Configure Service Accounts for Pods</a></li></ul></div></div></div></body></html>