金库秘密ID的多次重复使用的方法

偷偷努力，悄无声息地变强，然后惊艳所有人！哈哈，小伙伴们又来学习啦~今天我将给大家介绍《金库秘密ID的多次重复使用的方法》，这篇文章主要会讲到等等知识点，不知道大家对其都有多少了解，下面我们就一起来看一吧！当然，非常希望大家能多多评论，给出合理的建议，我们一起学习，一起进步！

所以我有一个 poc vault，里面有 dockerfile 类似的东西（完整的仓库在这里）：

from hashicorp/vault

run apk add --no-cache bash jq

copy reseller1-policy.hcl /vault/config/reseller1-policy.hcl
copy terraform-policy.hcl /vault/config/terraform-policy.hcl
copy init_vault.sh /init_vault.sh

expose 8200

entrypoint [ "/init_vault.sh" ]

healthcheck \
    --start-period=5s \
    --interval=1s \
    --timeout=1s \
    --retries=30 \
        cmd [ "/bin/sh", "-c", "[ -f /tmp/healthy ]" ]

init_vault.sh 包含：

#!/bin/sh

set -e

export vault_addr='http://127.0.0.1:8200'
export vault_format='json'

# spawn a new process for the development vault server and wait for it to come online
# ref: https://www.vaultproject.io/docs/concepts/dev-server
vault server -dev -dev-listen-address="0.0.0.0:8200" &
sleep 5s

# authenticate container's local vault cli
# ref: https://www.vaultproject.io/docs/commands/login
vault login -no-print "${vault_dev_root_token_id}"

# add policy
# ref: https://www.vaultproject.io/docs/concepts/policies
vault policy write terraform-policy /vault/config/terraform-policy.hcl
vault policy write reseller1-policy /vault/config/reseller1-policy.hcl

# enable approle auth method
# ref: https://www.vaultproject.io/docs/auth/approle
vault auth enable approle

# configure approle
# ref: https://www.vaultproject.io/api/auth/approle#parameters
vault write auth/approle/role/dummy_role \
    token_policies=reseller1-policy \
    token_num_uses=9000 \
    secret_id_ttl="32d" \
    token_ttl="32d" \
    token_max_ttl="32d"

# overwrite our role id
vault write auth/approle/role/dummy_role/role-id role_id="${approle_role_id}"

# for terraform
# ref: https://www.vaultproject.io/docs/commands/token/create
vault token create \
    -id="${terraform_token}" \
    -policy=terraform-policy \
    -ttl="32d"

# keep container alive
tail -f /dev/null & trap 'kill %1' term ; wait

使用 reseller1-policy.hcl：

# this section grants access for the app
path "secret/data/dummy_config_yaml/reseller1/*" {
  capabilities = ["read"]
}

path "secret/dummy_config_yaml/reseller1/*" { # v1
  capabilities = ["read"]
}

和terraform-policy.hcl：

# grant 'update' permission on the 'auth/approle/role//secret-id' path for generating a secret id
path "auth/approle/role/dummy_role/secret-id" {
  capabilities = ["update"]
}

path "secret/data/dummy_config_yaml/*" {
  capabilities = ["create","update","read","patch","delete"]
}

path "secret/dummy_config_yaml/*" { # v1
  capabilities = ["create","update","read","patch","delete"]
}

path "secret/metadata/dummy_config_yaml/*" {
  capabilities = ["list"]
}

这是从 docker-compose.yml 开始的：

version: '3.3'
services:
  testvaultserver1:
    build: ./vault-server/
    cap_add:
      - ipc_lock
    environment:
      vault_dev_root_token_id: root
      approle_role_id:         dummy_app
      terraform_token:         dummyterraformtoken
    ports:
      - "8200:8200"

然后在 shell 上运行一些脚本 copy_config2vault_secret2tmp.sh：

terraform_token=`cat docker-compose.yml | grep terraform_token | cut -d':' -f2 | xargs echo -n`
vault_address="127.0.0.1:8200"

# retrieve secret for appsecret so dummy app can load the /tmp/secret
curl \
   --request post \
   --header "x-vault-token: ${terraform_token}" \
   --header "x-vault-wrap-ttl: 32d" \
      "${vault_address}/v1/auth/approle/role/dummy_role/secret-id" > /tmp/debug

cat /tmp/debug | jq -r '.wrap_info.token' > /tmp/secret

# check appsecret exists
cat /tmp/debug
cat /tmp/secret

vault_docker=`docker ps| grep vault | cut -d' ' -f 1`

echo 'put secret'
cat config.yaml | docker exec -i $vault_docker vault -v kv put -address=http://127.0.0.1:8200 -mount=secret dummy_config_yaml/reseller1/region99 raw=-

echo 'check secret length'
docker exec -i $vault_docker vault -v kv get -address=http://127.0.0.1:8200 -mount=secret dummy_config_yaml/reseller1/region99 | wc -l

然后创建一个程序来读取机密并从保管库检索 config.yaml：

package main

import (
    "context"
    "fmt"
    "log"
    "time"

    vault "github.com/hashicorp/vault/api"
    "github.com/hashicorp/vault/api/auth/approle"
)

const approleid = `dummy_app`

func main() {
    conf, err := tryusevault(`http://127.0.0.1:8200`, `secret/data/dummy_config_yaml/reseller1/region99`)
    if err != nil {
        log.println(err)
        return
    }
    log.println(conf)
}

func tryusevault(address, configpath string) (string, error) {
    ctx, cancel := context.withtimeout(context.background(), 30*time.second)
    defer cancel()

    const secretfile = `/tmp/secret`

    config := vault.defaultconfig() // modify for more granular configuration
    config.address = address

    client, err := vault.newclient(config)
    if err != nil {
        return ``, fmt.errorf(`failed to create vault client: %w`, err)
    }

    approlesecretid := &approle.secretid{
        fromfile: secretfile,
    }

    approleauth, err := approle.newapproleauth(
        approleid,
        approlesecretid,
        approle.withwrappingtoken(), // only required if the secretid is response-wrapped
    )
    if err != nil {
        return ``, fmt.errorf(`failed to create approle auth: %w`, err)
    }

    authinfo, err := client.auth().login(ctx, approleauth)
    if err != nil {
        return ``, fmt.errorf(`failed to login to vault: %w`, err)
    }

    if authinfo == nil {
        return ``, fmt.errorf(`failed to login to vault: authinfo is nil`)
    }

    log.println("connecting to vault: success!")

    secret, err := client.logical().read(configpath)
    if err != nil {
        return ``, fmt.errorf(`failed to read secret from vault: %w`, err)
    }
    if secret == nil {
        return ``, fmt.errorf(`failed to read secret from vault: secret is nil`)
    }
    if len(secret.data) == 0 {
        return ``, fmt.errorf(`failed to read secret from vault: secret.data is empty`)
    }
    data := secret.data[`data`]
    if data == nil {
        return ``, fmt.errorf(`failed to read secret from vault: secret.data.data is nil`)
    }
    m, ok := data.(map[string]interface{})
    if !ok {
        return ``, fmt.errorf(`failed to read secret from vault: secret.data.data is not a map[string]interface{}`)
    }
    raw, ok := m[`raw`]
    if !ok {
        return ``, fmt.errorf(`failed to read secret from vault: secret.data.data.raw is nil`)
    }
    rawstr, ok := raw.(string)
    if !ok {
        return ``, fmt.errorf(`failed to read secret from vault: secret.data.data.raw is not a string`)
    }

    // set viper from string
    return rawstr, nil
}

它工作正常，但问题是，秘密只能使用一次

$ ./copy_config2vault_secret2tmp.sh 
{"request_id":"","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":{"token":"hvs.caesidse_hr3-cw1cllotqovahes55vi1mcdemmbwbsavds6gh4khgh2cy5qdzq0bzlxrtj6muzjufroegpswfrzv0e","accessor":"7jlabmbzgvhkpckad7qkpx5j","ttl":2764800,"creation_time":"2023-07-18t19:34:48.619332723z","creation_path":"auth/approle/role/dummy_role/secret-id","wrapped_accessor":"2493fc83-aaf6-7553-dd04-2ccedc39a4b1"},"warnings":null,"auth":null}
hvs.caesidse_hr3-cw1cllotqovahes55vi1mcdemmbwbsavds6gh4khgh2cy5qdzq0bzlxrtj6muzjufroegpswfrzv0e
put secret
================== secret path ==================
secret/data/dummy_config_yaml/reseller1/region99

======= metadata =======
key                value
---                -----
created_time       2023-07-18t19:34:48.827508755z
custom_metadata    
deletion_time      n/a
destroyed          false
version            9
check secret length
19

一旦工作正常即可检索它：

$ go run main.go
2023/07/19 02:35:52 connecting to vault: success!
2023/07/19 02:35:52 
this:
  is:
    some:
      secret: a35)*&bn)(*&%tn_@#

但是当我第二次运行它时，它总是出错（除非我再次运行 get secret copy_config2vault_secret2tmp.sh 脚本）：

$ go run main.go
2023/07/19 02:36:06 failed to login to vault: unable to log in to auth method: unable to unwrap response wrapping token: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/wrapping/unwrap
Code: 400. Errors:

* wrapping token is not valid or does not exist

秘密id是否被设计为只能使用一次？或者如果不是，可能的原因是什么？

正确答案

包装令牌仅限一次性使用。这就是为什么只有在运行 Go 应用程序之前执行 copy_config2vault_secret2tmp.sh 时它才有效。

作为 Vault 文档的参考：

当新创建的令牌被包装时，Vault 会插入生成的令牌 将令牌放入一次性令牌的小隔间中，返回该令牌 一次性包装令牌。取回秘密需要解开包装 针对此包装令牌的操作。

这个特定部分解释了包装令牌的使用可能有助于理解细节： https://developer.hashicorp.com/vault/tutorials/secrets-management/cubbyhole-response-wrapping#step-2-unwrap-the-secret

好了，本文到此结束，带大家了解了《金库秘密ID的多次重复使用的方法》，希望本文对你有所帮助！关注golang学习网公众号，给大家分享更多Golang知识！