Saltstack and Vault integration

First install and configure vault using this tutorial:
https://apassionatechie.wordpress.com/2017/03/05/hashicorp-vault/

Use the latest version of vault.

Then install salt using the steps given here:
https://docs.saltstack.com/en/latest/topics/installation/

If you face any issues then refer these links:
https://apassionatechie.wordpress.com/2017/07/31/salt-issues/

https://apassionatechie.wordpress.com/2017/08/03/salt-stack-formulas/

Now let’s integrate vault and salt so that we can access vault secrets from inside salt state.

1. First let’s add some key values into our vault.
  vault write secret/ssh/user1 password=”abc123″
  Then you can check it by reading: vault read secret/ssh/user1
2. To allow salt to access your secrets you must firstly create a policy as follows:
  salt-policy.hcl
```
path "secret/*" {
  capabilities = ["read", "list"]
}

path "auth/*" {
  capabilities = ["read", "list","sudo","create","update","delete"]
}
```
  You can also point to your secret like secret/ssh/*
  We have added auth/* so that our token can create other tokens.
3. Then create a new policy with the following command:
  vault policy-write salt-policy salt-policy.hcl
4. Then we will create a token from the new salt-policy
  vault token-create -policy=salt-policy
  Save the token created.
5. Then in the salt-master create a file:
  /etc/salt/master.d/vault.conf with the follwoing contents:
```
vault:
  url: http://127.0.0.1:8200
  auth:
    method: token
    token: xxxxxx48-xxxx-xxxx-xxxx-xxxx1xxxx<span 				data-mce-type="bookmark" 				id="mce_SELREST_start" 				data-mce-style="overflow:hidden;line-height:0" 				style="overflow:hidden;line-height:0" 			></span>c4a
  policies:
      - salt-policy
```
  Then create a file /etc/salt/master.d//peer_run.conf
```
peer_run:
    .*:
        - vault.generate_token
```
  Then restart the salt-master with service salt-master restart
6. Then execute the following command to access the secret stored in vault:
  salt ‘*’ vault.read_secret “secret/ssh/user1”
7. To access the secret from inside jinja:
  my-secret: {{ salt[‘vault’].read_secret(‘secret/ssh/user1’, ‘password’) }}
  OR
  {% set supersecret = salt[‘vault’].read_secret(‘secret/ssh/user1’) %}
  secrets:
  my_secret: {{ supersecret.password }}
8. If you want to access the secret as pillar then add the following in salt master configuration:
  ext_pillar:
  – vault: sdb_vault path=secret/ssh/user1
  Restart the salt-master and salt-minion
  Then access the data with the following command:
  salt ‘*’ pillar.get ‘password’
  Then refresh the pillar data with: salt ‘*’ saltutil.refresh_pillar
9. If your vault policy is not configured correctly you might get an error as:
  ERROR: {‘error’: ‘Forbidden’}
  2017-09-21 06:51:39,320 [salt.loaded.int.utils.vault][ERROR ][26333] Failed to get token from master! An error was returned: Forbidden
  2017-09-21 06:51:39,350 [salt.pillar ][ERROR ][26333] Execption caught loading ext_pillar ‘vault’:
  File “/usr/lib/python2.7/site-packages/salt/pillar/__init__.py”, line 822, in ext_pillar
  key)
  File “/usr/lib/python2.7/site-packages/salt/pillar/__init__.py”, line 765, in _external_pillar_data
  val)
  File “/usr/lib/python2.7/site-packages/salt/pillar/vault.py”, line 91, in ext_pillar
  response = __utils__[‘vault.make_request’](‘GET’, url)
  File “/usr/lib/python2.7/site-packages/salt/utils/vault.py”, line 124, in make_request
  connection = _get_vault_connection()
  File “/usr/lib/python2.7/site-packages/salt/utils/vault.py”, line 113, in _get_vault_connection
  return _get_token_and_url_from_master()
  File “/usr/lib/python2.7/site-packages/salt/utils/vault.py”, line 89, in _get_token_and_url_from_master
  raise salt.exceptions.CommandExecutionError(result)2017-09-21 06:51:39,351 [salt.pillar ][CRITICAL][26333] Pillar render error: Failed to load ext_pillar vault: {‘error’: ‘Forbidden’}
  
  Make sure you have added auth/* in the policy.
10. If you get the following error:
  Failed to get token from master! No result returned – is the peer publish configuration correct?
  OR
  ERROR: {}
  Then make sure you have peer_run.conf created and configured.
11. You can also access your secret with command:
  salt-call sdb.get ‘sdb://vault/secret/ssh/user1?password’

4 thoughts on “Saltstack and Vault integration”

cDR says:

September 27, 2017 at 12:36 pm

thanks for this writeup!

LikeLiked by 1 person

1. dubb-b says:
  
  October 10, 2017 at 7:34 pm
  
  Thanks, this is great!
  
  LikeLike
  
Tom Murphy says:

November 7, 2017 at 5:34 am

Great article thanks for sharing !

Have you worked out how to have ext_pillar be environment aware ? In Vault I have different data depending on what environment I am in yet there does not seem to be a logical way to do it.

LikeLike

1. aratik711 says:
  
  November 16, 2017 at 6:28 am
  
  Hi,
  Sorry for the late reply. Could you elaborate your use case.
  According to me you should be able to make ext_pillar environment aware by either declaring environment specific pillar variables or having environment specific pillar files, adding the pillars to the database etc.
  
  LikeLike

	gamejudilebaran.word… on Chef: Roles and Environme…
	WARN: Waiting for se… on OSSEC start problem due to…
	aratik711 on Ansible issues
	aratik711 on Chef: Roles and Environme…
	situs judi on Chef: Roles and Environme…

Rate this:

Share this:

4 thoughts on “Saltstack and Vault integration”

Leave a comment Cancel reply