allow for wrapped vault auth tokens
TODO: needs automated testing, but tested locally using `boundary dev` and Vault running in Docker.
successful unwrapping of a vault token within boundary
```shell
~/codebase/boundary % export BOUNDARY_VAULT_TOKEN=$(vault token create \
    -format=json \
    -no-default-policy=true \
    -policy="boundary-controller" \
    -policy="cred" \
    -policy="ssh" \
    -orphan=true \
    -period=24h \
    -renewable=true \
    -wrap-ttl=600000 \
    | jq -r '.wrap_info.token')
~/codebase/boundary % curl \
    $VAULT_ADDR/v1/sys/wrapping/lookup \
    -d "{ \"token\": \"$BOUNDARY_VAULT_TOKEN\" }" \
    | jq
{
  "request_id": "4ab1c0a4-3182-4787-1296-853817fd6d3c",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "creation_path": "auth/token/create",
    "creation_time": "2024-06-10T23:32:46.599011514Z",
    "creation_ttl": 600000
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
~/codebase/boundary % boundary credential-stores create vault \
    -vault-address $VAULT_ADDR \
    -vault-token=$BOUNDARY_VAULT_TOKEN \
    -scope-id=$PROJECT_ID \
    -vault-token-wrapped=true

Credential Store information:
  Created Time:        Mon, 10 Jun 2024 19:32:54 EDT
  ID:                  csvlt_fKeGc7nWxH
  Type:                vault
  Updated Time:        Mon, 10 Jun 2024 19:32:54 EDT
  Version:             1

  Scope:
    ID:                p_PMLRKyXakh
    Name:
    Parent Scope ID:   o_dyRaQYISOg
    Type:              project

  Authorized Actions:
    read
    update
    delete
    no-op

  Authorized Actions on Credential Store's Collections:
    credential-libraries:
      create
      list

  Attributes:
    Address:           http://127.0.0.1:8200
    Token HMAC:        A72rYxItfdUG4K8jZAyrOGPaej6GbnjAwhmt4dB9uGQ
    Token Status:      current
```
token was unwrapped by an attacker and rejected
```shell
~/codebase/boundary % export BOUNDARY_VAULT_TOKEN=$(vault token create \
    -format=json \
    -no-default-policy=true \
    -policy="boundary-controller" \
    -policy="cred" \
    -policy="ssh" \
    -orphan=true \
    -period=24h \
    -renewable=true \
    -wrap-ttl=600000 \
    | jq -r '.wrap_info.token')
~/codebase/boundary % curl \
    $VAULT_ADDR/v1/sys/wrapping/lookup \
    -d "{ \"token\": \"$BOUNDARY_VAULT_TOKEN\" }" \
    | jq
{
  "request_id": "57147327-5287-cf83-7d69-2e28b2b6f4b1",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "creation_path": "auth/token/create",
    "creation_time": "2024-06-10T23:42:47.442755083Z",
    "creation_ttl": 600000
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
~/codebase/boundary % export UNWRAPPED_TOKEN=$(VAULT_TOKEN=$BOUNDARY_VAULT_TOKEN \
    vault unwrap \
    -format=json \
    | jq -r '.auth.client_token')
~/codebase/boundary % export REWRAPPED_TOKEN=$(curl \
    --header "X-Vault-Token: $UNWRAPPED_TOKEN" \
    --header "X-Vault-Wrap-TTL: 6000" \
    -X POST $VAULT_ADDR/v1/sys/wrapping/wrap \
    -d "{ \"auth\": { \"client_token\": \"$UNWRAPPED_TOKEN\" } }" \
    | jq -r '.wrap_info.token')
~/codebase/boundary % boundary credential-stores create vault \
    -vault-address $VAULT_ADDR \
    -vault-token=$REWRAPPED_TOKEN \
    -scope-id=$PROJECT_ID \
    -vault-token-wrapped=true
Error from controller when performing create on vault-type credential store

Error information:
  Kind:                Internal
  Message:             credentialstores.(Service).createInRepo: unable to create credential store: vault.(Repository).CreateCredentialStore: vault.(CredentialStore).Unwrap: vault token creation path did not match the expected path
  Status:              500
  context:             Error from controller when performing create on vault-type credential store
```
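One way to express the check behind the rejection above, as an added Go example that is not Boundary's own code: it parses the `sys/wrapping/lookup` response and accepts only a wrapping token minted at `auth/token/create` with a bounded wrap TTL. The re-wrapped lookup response is constructed, its `sys/wrapping/wrap` creation path is assumed, and the TTL bound is an extra sanity check not shown in the sessions above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Lookup response from the first session above (only the data fields matter here).
const goodLookup = `{"data":{"creation_path":"auth/token/create","creation_time":"2024-06-10T23:32:46.599011514Z","creation_ttl":600000}}`

// Constructed example of what sys/wrapping/lookup reports for a token that was
// unwrapped and re-wrapped through sys/wrapping/wrap (the creation_path is assumed).
const rewrappedLookup = `{"data":{"creation_path":"sys/wrapping/wrap","creation_time":"2024-06-10T23:43:10Z","creation_ttl":6000}}`

// A wrapping token minted by `vault token create -wrap-ttl=...` reports this path.
const expectedCreationPath = "auth/token/create"

type wrapLookup struct {
	Data struct {
		CreationPath string `json:"creation_path"`
		CreationTTL  int    `json:"creation_ttl"`
	} `json:"data"`
}

// ValidateWrapLookup decides, from a sys/wrapping/lookup response, whether a
// wrapping token is safe to unwrap: the creation path must be the token-create
// endpoint, and the wrap TTL must be positive and no larger than maxTTL.
func ValidateWrapLookup(raw []byte, maxTTL time.Duration) error {
	var l wrapLookup
	if err := json.Unmarshal(raw, &l); err != nil {
		return fmt.Errorf("decode wrapping lookup: %w", err)
	}
	if l.Data.CreationPath != expectedCreationPath {
		return fmt.Errorf("vault token creation path %q did not match the expected path %q", l.Data.CreationPath, expectedCreationPath)
	}
	ttl := time.Duration(l.Data.CreationTTL) * time.Second
	if ttl <= 0 || ttl > maxTTL {
		return fmt.Errorf("wrap ttl %s outside allowed range (0, %s]", ttl, maxTTL)
	}
	return nil
}

func main() {
	fmt.Println("token create:", ValidateWrapLookup([]byte(goodLookup), 7*24*time.Hour))
	fmt.Println("rewrapped:   ", ValidateWrapLookup([]byte(rewrappedLookup), 7*24*time.Hour))
}
```

Run the lookup and this check before the single unwrap call, since a wrapping token can only be unwrapped once and the lookup itself does not consume it.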