🦄N B🛡 for DigitalOnUs

Dealing with Vault Leases via Accessors

Often, after deploying Vault Enterprise, you'll need to configure it.

Much of the work after designing and planning is configuring Vault Enterprise via its API, or a wrapper around the API.

However, there are times, especially when troubleshooting or automating something, when an admin of Vault Enterprise has to manage the state within Vault itself, rather than just its configuration.

This is especially true when there is a problem, like potential undesired access or application misbehavior.

What if, as part of an investigation, you want to see all of the currently valid access tokens, Azure credentials, or database credentials that were created on a specific day?

I'll show you a script that will do this for you. Before we do that, though, we'll download a binary file to set up a "dummy" Vault to test on. You don't have to install anything, or write any configuration files.

For some background, I recommend reading about Vault Leases & the leasing "hierarchy" that Vault uses before we go further:

https://www.vaultproject.io/guides/identity/lease/

The documentation might be a bit confusing, but hopefully using it over the course of this guide will make things more clear.

Download Vault

We'll download the binary for HashiCorp Vault, because we can use it to run an easy Vault server:

https://www.vaultproject.io/downloads.html

After you have downloaded and extracted the binary file, open a Terminal window.

If You're on a Mac, Open a Bash Terminal

Open your Applications folder, then Utilities, and double-click on Terminal, or press Command + spacebar to launch Spotlight, type "Terminal", and double-click on the search result. You'll see a small window with a white background open on your desktop.

If you're on a Windows OS, Open a Shell Terminal

Open the Run dialog by holding the Windows key and pressing R once. Then enter cmd. When you press the Enter key after entering cmd, you will see a black window with white text.

In your shell terminal that you just opened, use the cd command, along with the dir or ls commands, to navigate to where you downloaded Vault.

Run a Vault Server

Once you have navigated your terminal to the folder in which you downloaded and extracted Vault, enter the following:

./vault server -dev -dev-root-token-id=root

You should see some output from Vault, but you will not be able to enter more commands in this terminal, because the server process keeps it occupied.

To keep entering commands, open another terminal and navigate to the same folder in which you downloaded and extracted Vault.

Connect to Vault

On a Mac:

export VAULT_TOKEN=root
export VAULT_ADDR=http://127.0.0.1:8200
./vault status

The last command, the one with status, should show the status of your Vault. That confirms that you can connect to it.

Download the script

git clone https://github.com/v6/delete_old_tokens
cd delete_old_tokens

Run the script

(This part might not work on Windows, but please don't let me stop you from converting the code to PowerShell or the like.)

./list_accessor_issue_time.sh | grep 2019-09-13

If you wanted to search for a different day, say, September 20, 2019, you would run the following instead:

./list_accessor_issue_time.sh | grep 2019-09-20
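The script above piped through grep answers the question from the start of the post for tokens. The following is an added example, not the script from the repository and not HashiCorp's code, that does the same walk against the Vault HTTP API the CLI wraps: it LISTs auth/token/accessors, looks each accessor up via auth/token/lookup-accessor (which returns metadata such as issue_time, display_name, policies and ttl, never the token itself), and filters on the issue day. It goes one step beyond a plain grep by normalising issue_time to UTC, since Vault reports that timestamp in its own local offset and a literal grep on the date text can miss tokens issued near midnight. The record field names are the ones lookup-accessor returns; the accessor values in SAMPLE_RECORDS are constructed for the offline demo and are not real accessors.

```python
"""List Vault token accessors issued on a given day (added example).

Run against the dev server from the post with VAULT_ADDR and VAULT_TOKEN set:
    python3 accessors_by_day.py 2019-09-13
Or offline, on the constructed sample records:
    python3 accessors_by_day.py 2019-09-13 --demo
"""
import json
import os
import re
import sys
import urllib.request
from datetime import datetime, timedelta, timezone

# Vault emits issue_time as RFC3339 with a Go-style nanosecond fraction and
# either "Z" or a numeric offset, e.g. 2019-09-13T18:22:31.123456789-07:00.
_RFC3339 = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})(?:\.\d+)?(Z|[+-]\d{2}:\d{2})$"
)


def parse_issue_time(value):
    """Parse Vault's issue_time into an aware UTC datetime (fraction dropped)."""
    m = _RFC3339.match(value)
    if not m:
        raise ValueError("unrecognised issue_time: %r" % value)
    day, clock, off = m.groups()
    naive = datetime.strptime(day + "T" + clock, "%Y-%m-%dT%H:%M:%S")
    if off == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if off[0] == "+" else -1
        offset = sign * timedelta(hours=int(off[1:3]), minutes=int(off[4:6]))
    return naive.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def vault_request(method, path, body=None):
    """Minimal Vault API call; reads VAULT_ADDR/VAULT_TOKEN as in the post."""
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200").rstrip("/")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(addr + "/v1/" + path, data=data, method=method)
    req.add_header("X-Vault-Token", os.environ["VAULT_TOKEN"])
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_token_records():
    """LIST auth/token/accessors, then look each accessor up (no token values)."""
    accessors = vault_request("LIST", "auth/token/accessors")["data"]["keys"]
    records = []
    for acc in accessors:
        data = vault_request("POST", "auth/token/lookup-accessor",
                             {"accessor": acc})["data"]
        records.append({
            "accessor": acc,
            "issue_time": data["issue_time"],
            "display_name": data.get("display_name", ""),
            "policies": data.get("policies", []),
            "ttl": data.get("ttl", 0),
        })
    return records


def issued_on(records, day):
    """Return the records whose issue_time falls on `day` (YYYY-MM-DD) in UTC."""
    return [r for r in records
            if parse_issue_time(r["issue_time"]).strftime("%Y-%m-%d") == day]


# Constructed sample in the shape lookup-accessor returns; not real accessors.
# The first one reads 2019-09-13 in Vault's -07:00 offset but is 2019-09-14 UTC.
SAMPLE_RECORDS = [
    {"accessor": "sample-accessor-1", "issue_time": "2019-09-13T23:30:00.000000001-07:00",
     "display_name": "token-ci", "policies": ["default", "ci"], "ttl": 3600},
    {"accessor": "sample-accessor-2", "issue_time": "2019-09-13T02:15:10Z",
     "display_name": "token-db-admin", "policies": ["db-admin"], "ttl": 0},
    {"accessor": "sample-accessor-3", "issue_time": "2019-09-20T09:00:00.5Z",
     "display_name": "token-batch", "policies": ["default"], "ttl": 600},
]


def main(argv):
    args = [a for a in argv[1:] if not a.startswith("--")]
    if not args:
        sys.exit("usage: accessors_by_day.py YYYY-MM-DD [--demo]")
    records = SAMPLE_RECORDS if "--demo" in argv else fetch_token_records()
    for r in sorted(issued_on(records, args[0]), key=lambda r: r["issue_time"]):
        print(r["issue_time"], r["accessor"], r["display_name"],
              ",".join(r["policies"]), "ttl=%s" % r["ttl"])


if __name__ == "__main__":
    main(sys.argv)
```

Listing accessors needs a token with the sudo capability on auth/token/accessors, which the dev server's root token has; against a real cluster, give the investigating identity a policy scoped to that path plus auth/token/lookup-accessor rather than reusing root. A ttl of 0 in the output marks a token that never expires, which is usually the first thing worth explaining in a review of "what was valid on that day".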

Discussion (1)

🦄N B🛡 Author

// , If there's interest, I will add a second part to this, including guidelines for how to use features like these to grant as much transparency as possible to an external security audit.