Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/googlecloudplatform/vault-plugin-secrets-gcppca

Vault Plugin: Google Cloud Platform CA Service
https://github.com/googlecloudplatform/vault-plugin-secrets-gcppca

google-cloud google-cloud-platform vault-plugin

Last synced: 5 days ago
JSON representation

Vault Plugin: Google Cloud Platform CA Service

Awesome Lists containing this project

README 

        

# Vault Plugin:  Google Cloud Platform CA Service



This is a backend plugin to be used with [Hashicorp Vault](https://www.github.com/hashicorp/vault) to provide certificates issued by [Google Cloud Platform Certificate Authority Service](https://cloud.google.com/certificate-authority-service/docs)



> This is not an officially supported Google product



## Usage



This guide assumes you have already installed Vault and have a basic understanding of how Vault works as well as basics of GCP Certificate Authority Service. Otherwise, first read this guide on how to [get started with Vault](https://www.vaultproject.io/intro/getting-started/install.html) as well as [Google Cloud Platform Certificate Authority Service](https://cloud.google.com/certificate-authority-service/docs).



This plugin will issue certificates through Vault where either the privateKey and Certificate Signing Request (CSR) gets generated by the plugin or where the CSR is provided _to_ the plugin.  Plugin will not manage the CA or Subordinate CA lifecycle (create/delete CA, etc) for GCP CA Service. 



> This plugin is *not* packaged with Vault and must be added in manually.



### QuickStart



For quick-start, you can either use the pre-built plugin binary or build and run Vault in "dev" mode:



### Dev



To compile the plugin and run the dev server, you will need `go 1.11+` and `make`



```bash

export GOBIN=`pwd`/bin

make fmt

make dev



vault server -dev -dev-plugin-dir=./bin --log-level=debug

```



Make sure you have setup a private CA with a Certificate Authority and your user or serviceAccount Vault runs as has access to generate and/or revoke certificates.  By default, Vault will use `Application Default Credentials` but you can override that per mount path.



It is recommended to create a IAM Custom Role to the Vault ServiceAccount with the minimum permission it would need to operate.  For more information on how to setup this custom role, see relevant section below.



In a new window in the same directory, configure Vault to use the plugin and enable/mount it at a path.



```bash

export VAULT_ADDR='http://localhost:8200'

export SHASUM=$(shasum -a 256 "bin/vault-plugin-secrets-gcppca" | cut -d " " -f1)



vault plugin register \

    -sha256="${SHASUM}" \

    -command="vault-plugin-secrets-gcppca" \

    secret vault-plugin-secrets-gcppca



vault secrets enable -path="gcppca" \

   --description='Vault CA Service Plugin' \

   --plugin-name='vault-plugin-secrets-gcppca' plugin

```



Note, `scripts.dev.sh` script runs the above commands and runs vault in the background.



To issue certificates, you need to first define a profile (config) for the mount path and then define and use a Vault policy.



1. Define a config profile



A profile dictates the specifications of the CA a specific Vault mount will use.  In the example used here, the mount path is `gcppca` with the CAPool of `my-pool`



```bash

vault write gcppca/config \

	pool="my-pool" \

	location="us-central1" \

	project="your-project-id"  

```



2. Generate and use Vault policy



Once the config has been defined, this plugin can be used in two modes:



a) `Generated`: a key-pair and CSR is generated within `Vault` and the CSR signed by `CA Service` 



or



b) `Provided`: Certificate Request `CSR` is provided to the plugin.



Under no circumstance does this plugin retain the private key for any certificate.



- The sub-path under `/issue-with-genkey/` is intended for Vault generated keys.



- The sub-path under `/issue-with-csr/` is intended for user-provided CSR



This plugin will create a certificate within GCP CA Service with a certificate `Name` using the final path parameter in the Vault resource path.  For example, `gcppca/issue-with-genkey/my_tls_cert_rsa_1` will create a GCP CA Service Resource path `projects/your-project-id/locations/us-central1/caPools/my-pool/certificates/my_tls_cert_rsa_1`.  This is the actual CA Service unique name for the certificate and cannot be reused once created.



Deleting the key in Vault will revoke the certificate in CA Service which also means the same name cannot be reused.



The examples below uses a default certificate authority pool with a CA.  That is, you should have a set pre-generated



```

```bash

$ gcloud privateca pools create my-pool-1 --location=us-central1

$ gcloud privateca roots create ca-1 --location=us-central1 --pool my-pool-1 \

   --subject "C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"

```



### Vault Generated



To generate a certificate keypair on vault, first apply a configuration that allows Vault to reference which CA to sign against 



The configuration below will generate a certificate called `my_tls_cert_rsa_1` within CA Service using a GCP CA `prod-root` that was defined separately. 



Apply the config and acquire a `VAULT_TOKEN` based off of those policies.



```bash

vault policy write genkey-policy -</issue-with-csr/`  path



As before, the CA configuration was defined earlier at the root mount path (eg, `gcppca/`)



Apply the config and acquire a `VAULT_TOKEN` based off of those policies



```bash

vault policy write csr-policy -<