Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/philips-labs/spiffe-vault
Integrates Spiffe and Vault to have secretless authentication
bottom-turtle code-signing cosign hacktoberfest hashicorp helm k8s kubernetes secrets spiffe spire terraform vault zero-trust
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/philips-labs/spiffe-vault
- Owner: philips-labs
- License: mit
- Created: 2021-08-26T10:53:00.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2024-07-11T11:58:11.000Z (4 months ago)
- Last Synced: 2024-07-11T13:25:38.668Z (4 months ago)
- Topics: bottom-turtle, code-signing, cosign, hacktoberfest, hashicorp, helm, k8s, kubernetes, secrets, spiffe, spire, terraform, vault, zero-trust
- Language: Go
- Homepage:
- Size: 271 KB
- Stars: 79
- Watchers: 4
- Forks: 7
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: CODEOWNERS
Awesome Lists containing this project
- awesome-spiffe-spire - SPIFFE Vault
- awesome-go-extra - spiffe-vault - 08-26T10:53:00Z|2022-08-23T07:26:09Z| (Zero Trust / Tutorials)
README
# SPIFFE Vault
Integrates [SPIFFE][spiffe] SVID authentication with [Hashicorp Vault][hashivault] to retrieve a `VAULT_TOKEN`.
[![Go CI](https://github.com/philips-labs/spiffe-vault/actions/workflows/golang.yml/badge.svg)](https://github.com/philips-labs/spiffe-vault/actions/workflows/golang.yml)
[![Go Report Card](https://goreportcard.com/badge/github.com/philips-labs/spiffe-vault)](https://goreportcard.com/report/github.com/philips-labs/spiffe-vault)
[![codecov](https://codecov.io/gh/philips-labs/spiffe-vault/branch/main/graph/badge.svg)](https://codecov.io/gh/philips-labs/spiffe-vault)

## Example use cases
- Read secrets from [Hashicorp Vault][hashivault] without providing a secret to authenticate against [Hashicorp Vault][hashivault]. Instead we use a [SPIFFE][spiffe] SVID to authenticate ourselves against [Hashicorp Vault][hashivault].
- Perform secretless/keyless code signing by utilizing the [Hashicorp Vault Transit engine](https://www.vaultproject.io/docs/secrets/transit) as a software defined HSM. This resolves the issue of having signing keys on a local machine and also resolves the issue of managing secrets to access the signing keys. Again we utilize the [SPIFFE][spiffe] SVID to authenticate against Hashicorp Vault.
[hashivault]: https://vaultproject.org "Hashicorp Vault"
[spiffe]: https://spiffe.io "SPIFFE"

## Build
### Compile
```bash
make build
```

### Docker
Using the default `DOCKER_HOST` on your system (usually `unix:///var/run/docker.sock`), you can build the docker image with:
```bash
make image
```

Using e.g. the colima `DOCKER_HOST` (usually `unix:///Users/marco/.colima/default/docker.sock`), you can build the docker image with:
```bash
DOCKER_HOST=unix:///Users/marco/.colima/default/docker.sock make image
```

## Use
### Basic
```bash
$ export VAULT_ADDR=http://localhost:8200
$ bin/spiffe-vault auth -role my-role
# Export following environment variable to authenticate to Hashicorp Vault
export VAULT_TOKEN=s.IK1LBrCGXFQDAgawmhNLbcDH
```

### Advanced
Depending on the shell you are using, you can automatically export the variable.
bash
```bash
$ export VAULT_ADDR=http://localhost:8200
$ echo "$(bin/spiffe-vault auth -role my-role)" > /tmp/spiffe-vault
$ source /tmp/spiffe-vault
$ vault kv get secrets/my-key
====== Metadata ======
Key Value
--- -----
created_time 2021-08-24T08:20:54.925866504Z
deletion_time n/a
destroyed false
version 1
============= Data =============
Key Value
--- -----
username marco
password Supers3cr3t!
$ vault token lookup
Key Value
--- -----
accessor rwpXIHXzbVIMN2TL25Lfssef
creation_time 1629970184
creation_ttl 1m
display_name jwt-spiffe://dev.localhost/ns/my-app/sa/my-app-backend
entity_id 8904661e-5a9f-3af5-c269-257e8a0a31d0
expire_time 2021-08-26T09:30:44.424072877Z
explicit_max_ttl 0s
id s.eOdhqe1hVV0OPS7M0TSeEqjG
issue_time 2021-08-26T09:29:44.424078028Z
meta map[role:my-role]
num_uses 0
orphan true
path auth/jwt/login
policies [default my-role]
renewable true
ttl 13s
type service
$ vault token renew
Key Value
--- -----
token s.f1mFvr0TdEuvmfcZT0jBLCc5
token_accessor vxginlb81XMEIPefLpRz1P24
token_duration 1m
token_renewable true
token_policies ["default" "my-role"]
identity_policies []
policies ["default" "my-role"]
token_meta_role my-role
$ vault token lookup
Key Value
--- -----
accessor vxginlb81XMEIPefLpRz1P24
creation_time 1629970320
creation_ttl 1m
display_name jwt-spiffe://dev.localhost/ns/my-app/sa/my-app-backend
entity_id 8904661e-5a9f-3af5-c269-257e8a0a31d0
expire_time 2021-08-26T09:33:53.57444787Z
explicit_max_ttl 0s
id s.f1mFvr0TdEuvmfcZT0jBLCc5
issue_time 2021-08-26T09:32:00.135787193Z
last_renewal 2021-08-26T09:32:53.574447972Z
last_renewal_time 1629970373
meta map[role:my-role]
num_uses 0
orphan true
path auth/jwt/login
policies [default my-role]
renewable true
ttl 56s
type service
$ vault write transit/sign/my-key input="$(echo stuff | base64)"
Key Value
--- -----
key_version 1
signature vault:v1:MEUCIFAWmHPyLJ6V0mjMgqr5UnV40bkCEUEGqApcYI54VAPIAiEAqyG2VkFc2wpYs/n47mK4vgfTVbXjWJzMM7Fxr/bR7LE=
$ vault write transit/verify/my-key input="$(echo stuff | base64)" signature=vault:v1:MEUCIFAWmHPyLJ6V0mjMgqr5UnV40bkCEUEGqApcYI54VAPIAiEAqyG2VkFc2wpYs/n47mK4vgfTVbXjWJzMM7Fxr/bR7LE=
```

zsh
```zsh
$ export VAULT_ADDR=http://localhost:8200
$ source <(bin/spiffe-vault auth -role my-role)
$ vault kv get secrets/my-key
====== Metadata ======
Key Value
--- -----
created_time 2021-08-24T08:20:54.925866504Z
deletion_time n/a
destroyed false
version 1
============= Data =============
Key Value
--- -----
username marco
password Supers3cr3t!
$ vault token lookup
Key Value
--- -----
accessor rwpXIHXzbVIMN2TL25Lfssef
creation_time 1629970184
creation_ttl 1m
display_name jwt-spiffe://dev.localhost/ns/my-app/sa/my-app-backend
entity_id 8904661e-5a9f-3af5-c269-257e8a0a31d0
expire_time 2021-08-26T09:30:44.424072877Z
explicit_max_ttl 0s
id s.eOdhqe1hVV0OPS7M0TSeEqjG
issue_time 2021-08-26T09:29:44.424078028Z
meta map[role:my-role]
num_uses 0
orphan true
path auth/jwt/login
policies [default my-role]
renewable true
ttl 13s
type service
$ vault token renew
Key Value
--- -----
token s.f1mFvr0TdEuvmfcZT0jBLCc5
token_accessor vxginlb81XMEIPefLpRz1P24
token_duration 1m
token_renewable true
token_policies ["default" "my-role"]
identity_policies []
policies ["default" "my-role"]
token_meta_role my-role
$ vault token lookup
Key Value
--- -----
accessor vxginlb81XMEIPefLpRz1P24
creation_time 1629970320
creation_ttl 1m
display_name jwt-spiffe://dev.localhost/ns/my-app/sa/my-app-backend
entity_id 8904661e-5a9f-3af5-c269-257e8a0a31d0
expire_time 2021-08-26T09:33:53.57444787Z
explicit_max_ttl 0s
id s.f1mFvr0TdEuvmfcZT0jBLCc5
issue_time 2021-08-26T09:32:00.135787193Z
last_renewal 2021-08-26T09:32:53.574447972Z
last_renewal_time 1629970373
meta map[role:my-role]
num_uses 0
orphan true
path auth/jwt/login
policies [default my-role]
renewable true
ttl 56s
type service
$ vault write transit/sign/my-key input="$(echo stuff | base64)"
Key Value
--- -----
key_version 1
signature vault:v1:MEUCIFAWmHPyLJ6V0mjMgqr5UnV40bkCEUEGqApcYI54VAPIAiEAqyG2VkFc2wpYs/n47mK4vgfTVbXjWJzMM7Fxr/bR7LE=
$ vault write transit/verify/my-key input="$(echo stuff | base64)" signature=vault:v1:MEUCIFAWmHPyLJ6V0mjMgqr5UnV40bkCEUEGqApcYI54VAPIAiEAqyG2VkFc2wpYs/n47mK4vgfTVbXjWJzMM7Fxr/bR7LE=
```

See the [example](example) directory for an example infrastructure setup on Kubernetes integrating the whole ecosystem. This includes a Spire and Vault deployment as well as `spiffe-vault` used as an example workload.
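The sessions above `source` whatever `spiffe-vault auth` prints. The following script, an added example that is not part of the spiffe-vault project, wraps the same flow (auth, export `VAULT_TOKEN`, Transit sign and verify) but validates that the tool's output is exactly one `export VAULT_TOKEN=...` statement before exporting it. It assumes `bin/spiffe-vault` and the `vault` CLI are on the path and reuses the README's `my-role` and `my-key` names.

```shell
#!/usr/bin/env bash
# Added example, not part of the spiffe-vault project. Assumes `bin/spiffe-vault`
# and `vault` are available and that VAULT_ADDR points at the Vault server.
set -eu

# Accept exactly one `export VAULT_TOKEN=<token>` statement (comment and blank
# lines are ignored) and print the bare token. Anything else is rejected, so
# unexpected or tampered output is never handed to `source`.
token_from_auth_output() {
  line=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' || true)
  [ -n "$line" ] || return 1
  [ "$(printf '%s\n' "$line" | wc -l | tr -d ' ')" -eq 1 ] || return 1   # one statement only
  token=${line#export VAULT_TOKEN=}
  [ "$token" != "$line" ] || return 1                                     # prefix missing
  [ -n "$token" ] || return 1
  case "$token" in
    *[!A-Za-z0-9._-]*) return 1 ;;                                        # unexpected characters
  esac
  printf '%s' "$token"
}

# Log in with the workload's SVID (role given as $1) and export the validated token.
spiffe_vault_login() {
  out=$(bin/spiffe-vault auth -role "$1")
  VAULT_TOKEN=$(token_from_auth_output "$out") || {
    echo "spiffe-vault: unexpected auth output, refusing to export VAULT_TOKEN" >&2
    return 1
  }
  export VAULT_TOKEN
}

# Sign a file ($2) with the Transit key ($1) and verify the signature in the same
# session. Transit expects base64 input; `-field` prints only that response field.
transit_sign_and_verify() {
  key=$1; payload=$(base64 < "$2" | tr -d '\n')
  sig=$(vault write -field=signature "transit/sign/$key" input="$payload")
  vault write -field=valid "transit/verify/$key" input="$payload" signature="$sig"
}

# Typical session; guarded so the functions can also be sourced on their own.
if [ "${1:-}" = run ]; then
  : "${VAULT_ADDR:=http://localhost:8200}"; export VAULT_ADDR
  spiffe_vault_login my-role
  transit_sign_and_verify my-key "${2:-/etc/hostname}"   # prints the verify result
fi
```

Run it as `./spiffe-vault-sign.sh run path/to/artifact` against a Vault with the JWT auth role and Transit key from the README configured.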