Add AWS auth and secret docs

Add docs to README explaining how to enable and use aws auth and aws client secrets.
2022-01-10 16:54:01 -05:00
parent ac1d3c16df
commit 625474bed4
12 changed files with 424 additions and 24 deletions
--- a/README.md
+++ b/README.md
@@ -165,6 +165,7 @@ vault policy write ducoterra policies/ducoterra.hcl

 ```bash
 vault auth enable userpass
+vault auth tune -default-lease-ttl=24h userpass
 vault write auth/userpass/users/ducoterra \
    policies=ducoterra \
    password='<password>'
@@ -343,7 +344,7 @@ export ROOT_PATH=dnet
 export PKI_PATH=dnet_inter

 vault secrets enable -path=$PKI_PATH pki
-vault secrets tune -max-lease-ttl=8760h $PKI_PATH
+vault secrets tune -max-lease-ttl=9900h $PKI_PATH

 # Create CSR to sign with root CA
 vault write -format=json $PKI_PATH/intermediate/generate/internal \
@@ -352,7 +353,7 @@ vault write -format=json $PKI_PATH/intermediate/generate/internal \

 # Sign the CSR with the root CA
 vault write -format=json $ROOT_PATH/root/sign-intermediate \
-    csr=@certs/$PKI_PATH.csr format=pem_bundle ttl=8760h \
+    csr=@certs/$PKI_PATH.csr format=pem_bundle ttl=9900h \
    | jq -r '.data.certificate' > certs/$PKI_PATH.cert.pem

 # Save the signed cert to vault
@@ -385,18 +386,18 @@ vault write $PKI_PATH/roles/pi_hole \
 ### Issue a certificate

 ```bash
-export PKI_PATH=dnet_inter
+export PKI_PATH=dnet # or dnet_inter
 export CNAME=freenas.dnet

 # Use -format=json to dump a json file
 vault write $PKI_PATH/issue/dnet \
    common_name=$CNAME \
-    max_ttl=8760h > certs/$CNAME.cert
+    ttl=8760h > certs/$CNAME.cert

 # Pihole Example
 vault write $PKI_PATH/issue/pi_hole \
    common_name=$CNAME \
-    max_ttl=8760h > certs/$CNAME.cert
+    ttl=8760h > certs/$CNAME.cert
 ```

 #### Adding cert to freenas
@@ -407,19 +408,80 @@ Only caveat here is to paste the certificate and then the full chain cert below
 #### Adding cert to pihole

 ```bash
+# Install lighttpd-mod-openssl
+apt install -y lighttpd-mod-openssl
+
 # Paste the isser CA in here:
 vim /etc/ssl/certs/vault-ca.pem
+chown www-data /etc/ssl/certs/vault-ca.pem
+chmod 770 /etc/ssl/certs/vault-ca.pem

-# Paste the certificate and private key in here:
+# Paste the private key first, then the certificate in here:
 vim /etc/ssl/certs/pihole.pem
+chown www-data /etc/ssl/certs/pihole.pem
+chmod 770 /etc/ssl/certs/pihole.pem

-# Make sure lighttpd is configured correctly
+# Add the config below to /etc/lighttpd/external.conf
 vim /etc/lighttpd/external.conf
+```

+```conf
+$HTTP["host"] == "pi.hole" {
+  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
+  setenv.add-environment = ("fqdn" => "true")
+
+  # Enable the SSL engine with a LE cert, only for this specific host
+  $SERVER["socket"] == ":443" {
+    ssl.engine = "enable"
+    ssl.pemfile = "/etc/ssl/certs/pihole.pem"
+    ssl.ca-file =  "/etc/ssl/certs/vault-ca.pem"
+    ssl.honor-cipher-order = "enable"
+    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
+    ssl.use-sslv2 = "disable"
+    ssl.use-sslv3 = "disable"       
+  }
+
+  # Redirect HTTP to HTTPS
+  $HTTP["scheme"] == "http" {
+    $HTTP["host"] =~ ".*" {
+      url.redirect = (".*" => "https://%0$0")
+    }
+  }
+}
+```
+
+```bash
 # Restart the service
 service lighttpd restart
 ```

+#### Adding cert to vault
+
+```bash
+# Paste the primary cert and then the issuer CA in here:
+vim /etc/ssl/certs/vault-cert.pem
+chown vault:vault /etc/ssl/certs/vault-cert.pem
+chmod 770 /etc/ssl/certs/vault-cert.pem
+
+# Paste the private key in here:
+vim /etc/ssl/certs/vault-key.pem
+chown vault:vault /etc/ssl/certs/vault-key.pem
+chmod 770 /etc/ssl/certs/vault-key.pem
+```
+
+Edit /etc/vault.d/vault.hcl and add the following:
+
+```hcl
+listener "tcp" {
+  address       = "0.0.0.0:8200"
+  tls_disable   = 0
+  tls_cert_file = "/etc/ssl/certs/vault-cert.pem"
+  tls_key_file  = "/etc/ssl/certs/vault-key.pem"
+}
+```
+
+Run `service vault restart`
+
 #### Adding cert to cloudkey

 **THIS DOESN'T WORK**
@@ -618,6 +680,9 @@ EOF
 ### Enable transit on vault that will do the unsealing

 ```bash
+# Up the token ttl to 10 years (defaults to 32 days)
+vault write sys/auth/token/tune max_lease_ttl=87600h
+
 vault secrets enable transit
 vault write -f transit/keys/autounseal

@@ -632,11 +697,12 @@ path "transit/decrypt/autounseal" {
 EOF

 vault policy write autounseal policies/autounseal.hcl
-vault token create -policy="autounseal" -wrap-ttl=120
+
+vault token create -policy="autounseal" -wrap-ttl=120 -ttl=87600h
 VAULT_TOKEN="wrapping token" vault unwrap
 ```

-### Auto unseal
+### Enable auto unseal with kube cluster

 #### Create a test vault in a new namespace

@@ -656,9 +722,9 @@ kubectl exec -ti vault-1 -- vault operator raft join http://vault-0.vault-intern
 kubectl exec -ti vault-2 -- vault operator raft join http://vault-0.vault-internal:8200
 ```

-### SSH
+## SSH

-#### Client key signing
+### Client key signing

 Enable secrets engine and generate a key

@@ -667,6 +733,15 @@ vault secrets enable -path=ssh-client-signer ssh
 vault write ssh-client-signer/config/ca generate_signing_key=true
 ```

+To enable port-forwarding you'll need to update the parameters:
+
+```hcl
+{
+  "permit-port-forwarding": ""
+  "permit-pty"
+}
+```
+
 Retrieve the public CA (and add it to your /etc/ssh/trusted-user-ca-keys.pem) with

 ```bash
@@ -754,7 +829,7 @@ ssh -i signed-cert.pub -i ~/.ssh/test_rsa client
 ssh -i ~/.ssh/test_rsa client
 ```

-#### Server Host Signing
+### Server Host Signing

 Enable secrets engine

@@ -825,3 +900,169 @@ Add certificate to client
 ```bash
 echo '@cert-authority *.ducoterra.net '$(vault read -field=public_key ssh-host-signer/config/ca) >> ~/.ssh/known_hosts
 ```
+
+## AWS
+
+### Credential Management
+
+https://www.vaultproject.io/docs/secrets/aws
+
+Enable AWS secrets
+
+```bash
+vault secrets enable aws
+vault secrets tune -default-lease-ttl=24h aws
+```
+
+Allow user to access AWS path
+
+```hcl
+path "aws/*" {
+    capabilities = ["create", "read", "update", "delete", "list"]
+}
+```
+
+#### Create a vault-secret user
+
+```bash
+# Generate a vault-root-user
+export VAULT_ROOT_USER_ARN=$(aws iam create-user --user-name vault-root-user | jq -r '.User.Arn')
+
+# Create a root user policy template with the user arn
+export ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+export VAULT_PUPPET_ARNS='arn:aws:iam::'$ACCOUNT_ID':user/vault-*'
+jq -r ".Statement[].Resource[0] = \"$VAULT_PUPPET_ARNS\"" < aws/vault_root_policy.json > /tmp/vault_root_policy.json
+# Create the vault root user policy from the template
+export VAULT_ROOT_USER_POLICY_ARN=$(aws iam create-policy --policy-name vault-root-policy --policy-document file:///tmp/vault_root_policy.json | jq -r '.Policy.Arn')
+# Attach the vault root user policy
+aws iam attach-user-policy --user-name vault-root-user --policy-arn $VAULT_ROOT_USER_POLICY_ARN
+
+# Create the key rotation policy
+jq -r ".Statement[].Resource[0] = \"$VAULT_ROOT_USER_ARN\"" < aws/vault_root_rotate_policy.json > /tmp/vault_root_rotate_policy.json
+export VAULT_ROOT_USER_ROTATE_POLICY_ARN=$(aws iam create-policy --policy-name vault-root-rotate-policy --policy-document file:///tmp/vault_root_rotate_policy.json | jq -r '.Policy.Arn')
+# Attach the key rotation policy
+aws iam attach-user-policy --user-name vault-root-user --policy-arn $VAULT_ROOT_USER_ROTATE_POLICY_ARN
+
+# Create access keys for the vault-root-user
+export $(aws iam create-access-key --user-name vault-root-user | jq -r '"VAULT_ROOT_ACCESS_KEY_ID=\(.AccessKey.AccessKeyId) VAULT_ROOT_SECRET_ACCESS_KEY=\(.AccessKey.SecretAccessKey)"')
+```
+
+Write aws root config with access key and secret key from above
+
+```bash
+vault write aws/config/root \
+    access_key=$VAULT_ROOT_ACCESS_KEY_ID \
+    secret_key=$VAULT_ROOT_SECRET_ACCESS_KEY \
+    region=us-east-2
+```
+
+Rotate your credentials
+
+```bash
+vault write -f aws/config/rotate-root
+```
+
+#### Creating IAM Users
+
+Create a terraform-user role
+
+```bash
+vault write aws/roles/terraform-user \
+    credential_type=iam_user \
+    policy_document=@aws/terraform_policy.json
+```
+
+Read credentials
+
+```bash
+vault read aws/creds/terraform-user
+```
+
+Automate credentials generation (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html)
+
+```bash
+export $(vault read -format json aws/creds/terraform-user | jq -r '"AWS_ACCESS_KEY_ID=\(.data.access_key) AWS_SECRET_ACCESS_KEY=\(.data.secret_key)"')
+export AWS_DEFAULT_REGION=us-east-2
+export AWS_PROFILE=default
+aws configure set region $AWS_DEFAULT_REGION --profile default
+aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID --profile default
+aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY --profile default
+```
+
+#### STS Tokens
+
+To create STS federated tokens use the following permissions:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": {
+    "Effect": "Allow",
+    "Action": [
+      "sts:GetFederationToken"
+    ],
+    "Resource": "*"
+  }
+}
+```
+
+Create a role with the example policy
+
+```bash
+vault write aws/roles/ec2_admin \
+    credential_type=federation_token \
+    policy_document=@aws/ec2_admin.json
+```
+
+Generate a role with a ttl of 60 minutes
+
+```bash
+vault write aws/sts/ec2_admin ttl=24h
+```
+
+### Authentication
+
+#### Create a vault aws policy
+
+```bash
+vault policy write aws_wireguard policies/aws_wireguard.hcl
+```
+
+#### Create a vault-auth user
+
+```bash
+# Generate a vault-auth-user
+export VAULT_AUTH_USER_ARN=$(aws iam create-user --user-name vault-auth-user | jq -r '.User.Arn')
+
+# Create an auth user policy template with the user arn
+export ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+# Create the vault auth user policy from the template
+export VAULT_AUTH_USER_POLICY_ARN=$(aws iam create-policy --policy-name vault-auth-policy --policy-document file://aws/vault_auth_policy.json | jq -r '.Policy.Arn')
+# Attach the vault root user policy
+aws iam attach-user-policy --user-name vault-auth-user --policy-arn $VAULT_AUTH_USER_POLICY_ARN
+
+# Generate credentials
+export $(aws iam create-access-key --user-name vault-auth-user | jq -r '"VAULT_AUTH_ACCESS_KEY_ID=\(.AccessKey.AccessKeyId) VAULT_AUTH_SECRET_ACCESS_KEY=\(.AccessKey.SecretAccessKey)"')
+# Write credentials to vault
+vault write auth/aws/config/client secret_key=$VAULT_AUTH_SECRET_ACCESS_KEY access_key=$VAULT_AUTH_ACCESS_KEY_ID
+```
+
+#### Create a vault-auth role
+
+```bash
+# Create the role
+exort VAULT_AUTH_ROLE_ARN=$(aws iam create-role --role-name vault-auth-role --assume-role-policy-document file://aws/vault_auth_trust_policy.json | jq -r '.Role.Arn')
+```
+
+#### Create the vault role with the role arn
+
+```bash
+vault write auth/aws/role/aws-wireguard auth_type=iam bound_iam_principal_arn=$VAULT_AUTH_ROLE_ARN policies=aws_wireguard max_ttl=30m
+vault write auth/aws/config/client iam_server_id_header_value=vault.ducoterra.net
+```
+
+#### Login on the ec2 instance
+
+```bash
+vault login -method=aws header_value=vault.ducoterra.net role=aws-wireguard
+```
--- a/aws/ec2_admin.json
+++ b/aws/ec2_admin.json
@@ -0,0 +1,13 @@
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Effect": "Allow",
+        "Action": [
+            "ec2:*",
+            "elasticloadbalancing:*",
+            "cloudwatch:*",
+            "autoscaling:*"
+        ],
+        "Resource": "*"
+    }
+}
--- a/aws/terraform_policy.json
+++ b/aws/terraform_policy.json
@@ -0,0 +1,35 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "ec2:*",
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "elasticloadbalancing:*",
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "cloudwatch:*",
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "autoscaling:*",
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "iam:*",
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "route53:*",
+            "Resource": "*"
+        }
+    ]
+}
--- a/aws/vault_auth_policy.json
+++ b/aws/vault_auth_policy.json
@@ -0,0 +1,28 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:DescribeInstances",
+                "iam:GetInstanceProfile",
+                "iam:GetUser",
+                "iam:GetRole"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "ManageOwnAccessKeys",
+            "Effect": "Allow",
+            "Action": [
+                "iam:CreateAccessKey",
+                "iam:DeleteAccessKey",
+                "iam:GetAccessKeyLastUsed",
+                "iam:GetUser",
+                "iam:ListAccessKeys",
+                "iam:UpdateAccessKey"
+            ],
+            "Resource": "arn:aws:iam::*:user/${aws:username}"
+        }
+    ]
+}
--- a/aws/vault_auth_trust_policy.json
+++ b/aws/vault_auth_trust_policy.json
@@ -0,0 +1,13 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "",
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "ec2.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}
--- a/aws/vault_root_policy.json
+++ b/aws/vault_root_policy.json
@@ -0,0 +1,27 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "iam:AttachUserPolicy",
+                "iam:CreateAccessKey",
+                "iam:CreateUser",
+                "iam:DeleteAccessKey",
+                "iam:DeleteUser",
+                "iam:DeleteUserPolicy",
+                "iam:DetachUserPolicy",
+                "iam:ListAccessKeys",
+                "iam:ListAttachedUserPolicies",
+                "iam:ListGroupsForUser",
+                "iam:ListUserPolicies",
+                "iam:PutUserPolicy",
+                "iam:AddUserToGroup",
+                "iam:RemoveUserFromGroup"
+            ],
+            "Resource": [
+                "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-*"
+            ]
+        }
+    ]
+}
--- a/aws/vault_root_rotate_policy.json
+++ b/aws/vault_root_rotate_policy.json
@@ -0,0 +1,14 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetUser"
+            ],
+            "Resource": [
+                "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/vault-root-user"
+            ]
+        }
+    ]
+}
--- a/helm/ha.yaml
+++ b/helm/ha.yaml
@@ -3,6 +3,12 @@ global:

 server:

+  tolerations: |
+    - key: "type"
+      operator: "Equal"
+      value: "pi"
+      effect: "NoSchedule"
+
  extraSecretEnvironmentVars:
    - envName: VAULT_TOKEN
      secretName: auto-unseal-token
@@ -22,7 +28,7 @@ server:
        }

        seal "transit" {
-          address = "https://3.14.3.105:8200"
+          address = "http://pi-vault.dnet:8200"
          disable_renewal = "false"
          key_name = "autounseal"
          mount_path = "transit/"
@@ -41,7 +47,6 @@ server:
  dataStorage:
    enabled: true
    size: 32Gi
-    storageClass: zfs-nfs-nvme
    accessMode: ReadWriteOnce

  ingress:
--- a/helm/standalone.yaml
+++ b/helm/standalone.yaml
@@ -3,19 +3,33 @@ global:

 server:

+  extraSecretEnvironmentVars:
+    - envName: VAULT_TOKEN
+      secretName: auto-unseal-token
+      secretKey: VAULT_TOKEN
+
  standalone:
    enabled: true
    config: |
-      ui = true
+        ui = true

-      listener "tcp" {
-        tls_disable = 1
-        address = "[::]:8200"
-        cluster_address = "[::]:8201"
-      }
-      storage "file" {
-        path = "/vault/data"
-      }
+        listener "tcp" {
+          tls_disable = 1
+          address = "[::]:8200"
+          cluster_address = "[::]:8201"
+        }
+
+        seal "transit" {
+          address = "https://pi-vault.dnet:8200"
+          disable_renewal = "false"
+          key_name = "autounseal"
+          mount_path = "transit/"
+          tls_skip_verify = "true"
+        }
+
+        storage "file" {
+          path = "/vault/data"
+        }

  dataStorage:
    enabled: true
--- a/policies/aws_wireguard.hcl
+++ b/policies/aws_wireguard.hcl
@@ -0,0 +1,7 @@
+path "secret/data/wireguard/aws/*" {
+    capabilities = ["read", "list"]
+}
+
+path "secret/metadata/wireguard/aws/*" {
+    capabilities = ["read"]
+}
--- a/policies/ducoterra.hcl
+++ b/policies/ducoterra.hcl
@@ -29,3 +29,7 @@ path "ssh-host-signer/sign/*" {
 path "ssh-host-signer/roles/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
 }
+
+path "aws/*" {
+    capabilities = ["create", "read", "update", "delete", "list"]
+}
--- a/setenv.sh
+++ b/setenv.sh
@@ -1 +0,0 @@
-kubectl config set current-context k3os-alpha.dnet-admin-vault
				`@@ -1 +0,0 @@`
				`kubectl config set current-context k3os-alpha.dnet-admin-vault`