Vault Extensions


Project Overview

This project extended the functionality of Vault to give it a quicker CLI and some automation options. Some of the features were inspired by the standard Unix password manager, pass, where the user can quickly navigate to passwords using tab autocompletion. I used a text prediction algorithm that lets the user quickly navigate to secrets in Vault without having to type the entire path to anything. I also created command shortcuts for things like new key generation and allowed the user to copy secrets to the clipboard for a set duration, which protects the user from accidentally pasting sensitive information elsewhere. Furthermore, this program can be given a text file listing accounts on servers and will automatically generate and re-assign passwords to those accounts in Vault.

Available Commands Within This Program

Entering help displays the available commands.

TARGET is the end of the Vault file path (webserver1.com, for example).

KEY is the key stored in Vault. This program allows you to enter the key as either account:user or just user.

  • engine -> displays all of the directories under the entered secrets engine (sysadmin/, desktop_support/, etc.)
    • Also used to switch between secrets engines.
  • -c TARGET KEY -> copies the key value for a given target for 45 seconds. (-c webserver1.com account:student will copy the password for student on cannoli)
  • (In progress) -c -f FILENAME -> copies the key values for the keys within a .txt file. This is useful for changing passwords after the put -f FILENAME command has generated new ones and recorded them in Vault.
  • TARGET KEY -> just prints the key value to the terminal without copying.
  • list PATH -> equivalent to vault kv list PATH.
  • get TARGET -> equivalent to vault kv get PATH, but you can use just the end of the path instead of typing out the whole thing. It displays the full path as well as the keys.
  • prev -> copies your previous input to the clipboard so that you can re-enter it.
  • put TARGET KEY NEW_VALUE (or random) -> replaces the value for a given key/account. If the new value entered is random, a random 32-byte hex number is generated and used as the new value.
  • put -f FILENAME -> given a list of targets and keys within a .txt file, this command iterates through each line and assigns a random 32-byte hex number to each key value. Each line of the .txt file should be formatted like so:
      TARGET KEY
  • random -> uses the Vault API to generate and print a random 32-byte hex number. Precede this with -c to copy that number to the clipboard.
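To illustrate the put -f workflow, here is an added example (not the project's code) that parses the TARGET KEY file and plans one rotation per line. RandomHex32 uses the local crypto/rand as an offline stand-in for the Vault random API the program actually calls; the comment handling and the validate-every-line-before-writing behaviour are assumptions.

```go
package main

import (
	"bufio"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// Rotation is one "TARGET KEY" line from the put -f file plus the value to assign.
type Rotation struct {
	Target, Key, NewValue string
}

// RandomHex32 returns 32 random bytes as 64 hex characters, using the local CSPRNG
// as an offline stand-in for Vault's /sys/tools/random endpoint.
func RandomHex32() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// PlanRotations parses the put -f input, one "TARGET KEY" pair per line (blank
// lines and '#' comments skipped), and assigns each a fresh value from gen.
// Any malformed line aborts with its line number before anything is written,
// so a bad file cannot leave the rotation half applied.
func PlanRotations(r io.Reader, gen func() (string, error)) ([]Rotation, error) {
	var plan []Rotation
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 2 {
			return nil, fmt.Errorf("line %d: want \"TARGET KEY\", got %q", n, line)
		}
		v, err := gen()
		if err != nil {
			return nil, err
		}
		plan = append(plan, Rotation{Target: f[0], Key: f[1], NewValue: v})
	}
	return plan, sc.Err()
}
```

The returned plan is what a caller would then write to Vault with one put per entry; keeping generation and writing separate is what makes the whole file checkable first.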

You can also type in any other Vault command, just without the leading vault:

For example, typing kv list sysadmin/ is equivalent to executing vault kv list sysadmin outside of this program.

Auto-Complete Feature

This program contains an auto-complete feature that fills in your input if you did not type it all the way or spelled it incorrectly. For example, if you want to copy the password for the student account on webserver1.com and you type only -c cann stud, the auto-complete feature completes the input for you and sends the correct command to the Vault server.
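An added example (not the project's code) of how such completion can be implemented: a unique prefix match is accepted outright, a misspelling is resolved by edit distance, and an ambiguous or far-off input is reported as unresolved so the caller can ask before running a command against a guessed target. Candidate names, the maxDist threshold and the function names are assumptions.

```go
package main

import "strings"

// editDistance is the Levenshtein distance between a and b (two-row DP, byte-wise).
func editDistance(a, b string) int {
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cur[j] = prev[j-1] // substitution (free when the bytes match)
			if a[i-1] != b[j-1] {
				cur[j]++
			}
			if d := prev[j] + 1; d < cur[j] { // deletion
				cur[j] = d
			}
			if d := cur[j-1] + 1; d < cur[j] { // insertion
				cur[j] = d
			}
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// Complete resolves a partial or misspelled input: a unique case-insensitive prefix
// wins, otherwise the closest candidate within maxDist edits. ok is false when the
// input is ambiguous or too far from everything, so the caller can refuse or confirm.
func Complete(input string, candidates []string, maxDist int) (match string, ok bool) {
	in := strings.ToLower(input)
	var prefixed []string
	for _, c := range candidates {
		if strings.HasPrefix(strings.ToLower(c), in) {
			prefixed = append(prefixed, c)
		}
	}
	if len(prefixed) == 1 {
		return prefixed[0], true
	}
	bestDist := maxDist + 1
	for _, c := range candidates {
		if d := editDistance(in, strings.ToLower(c)); d < bestDist {
			match, bestDist = c, d
		}
	}
	return match, bestDist <= maxDist
}
```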

Single Command Execution With Command-Line Arguments

You can use this program with command-line arguments to execute a single command. Export the Vault address once before using the program, then run the binary with your username, password, secrets engine, and command as command-line arguments:

$ export VAULT_ADDR=https://myserver.com
$ ./vaultplugin user password secrets_engine command

Ex: $ ./vaultplugin grant grantpassword sysadmin -c cannoli student

Alternatively, you can log in to Vault before using the program by executing:

$ vault login -method=userpass username=user password=pass

Then you can run the program with:

$ ./vaultplugin none none sysadmin -c cannoli student

If this method is chosen, the program's Vault API calls will not work, but all Vault CLI commands will still function correctly.

The program will terminate upon the completion of the command.

Copying To The Clipboard For A Set Duration

Uses the imported clipboard package from here.

Import this package if the binary will be recompiled.

Platforms:

  • OSX
  • Windows 7 or later
  • Linux, Unix (requires ‘xclip’ or ‘xsel’ command to be installed)
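An added example (not the project's code) of the timed copy: the secret is written to the clipboard and cleared after the duration, but only if the clipboard still holds it, so anything the user copied in the meantime is not destroyed. The Clipboard interface is an assumption standing in for the imported clipboard package (assumed to be atotto/clipboard, whose ReadAll/WriteAll have these signatures), and MemClipboard is a constructed in-memory stand-in so the code runs offline.

```go
package main
import (
	"sync"
	"time"
)

// Clipboard is the subset of a system clipboard the timer needs. A real build would
// satisfy it with the imported clipboard package's ReadAll/WriteAll (assumption).
type Clipboard interface {
	ReadAll() (string, error)
	WriteAll(s string) error
}

// MemClipboard is a constructed in-memory stand-in so the logic runs offline.
type MemClipboard struct {
	mu  sync.Mutex
	val string
}

func (m *MemClipboard) ReadAll() (string, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	return m.val, nil
}

func (m *MemClipboard) WriteAll(s string) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.val = s
	return nil
}

// CopyFor places secret on the clipboard and clears it after d (45s in the program).
// The clear happens only if the clipboard still holds the secret: anything the user
// copied in the meantime is left untouched. The channel reports whether it cleared.
func CopyFor(cb Clipboard, secret string, d time.Duration) (<-chan bool, error) {
	if err := cb.WriteAll(secret); err != nil {
		return nil, err
	}
	cleared := make(chan bool, 1)
	time.AfterFunc(d, func() {
		cur, err := cb.ReadAll()
		if err != nil || cur != secret {
			cleared <- false // clipboard changed (or unreadable): do not overwrite it
			return
		}
		cleared <- cb.WriteAll("") == nil
	})
	return cleared, nil
}
```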

Generating Random Numbers Using the API

Method: POST
Path: /sys/tools/random(/:bytes)

Parameters

  • bytes (int: 32) - Specifies the number of bytes to return. This value can be specified either in the request body or as part of the URL.
  • format (string: "base64") - Specifies the output encoding. Valid options are hex or base64.

Payload:

{
  "format": "hex"
}

Request:

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/tools/random/32

Sample Response:

{
  "data": {
    "random_bytes": "dGhlIHF1aWNrIGJyb3duIGZveAo="
  }
}
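An added example (not the project's code) of the same request made from Go, as the program's random command would: RandomHex posts {"format":"hex"} to /v1/sys/tools/random/:bytes with the token in X-Vault-Token and checks that the reply really is n bytes of hex before the value is used anywhere. The function name and the client/addr/token parameters are assumptions.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// randomResponse mirrors the documented reply: {"data":{"random_bytes":"..."}}.
type randomResponse struct {
	Data struct {
		RandomBytes string `json:"random_bytes"`
	} `json:"data"`
}

// RandomHex asks Vault's /sys/tools/random endpoint for n bytes encoded as hex.
// addr is the VAULT_ADDR value and token goes in the X-Vault-Token header.
func RandomHex(client *http.Client, addr, token string, n int) (string, error) {
	body, _ := json.Marshal(map[string]string{"format": "hex"})
	url := fmt.Sprintf("%s/v1/sys/tools/random/%d", strings.TrimRight(addr, "/"), n)
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Vault-Token", token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("vault returned %s", resp.Status)
	}
	var out randomResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return "", err
	}
	// Check that Vault honoured the requested length and encoding before the value is used.
	if len(out.Data.RandomBytes) != 2*n {
		return "", fmt.Errorf("expected %d hex characters, got %d", 2*n, len(out.Data.RandomBytes))
	}
	if _, err := hex.DecodeString(out.Data.RandomBytes); err != nil {
		return "", fmt.Errorf("response is not hex: %w", err)
	}
	return out.Data.RandomBytes, nil
}
```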

Project Repo: Contact Me

Image source: www.hashicorp.com
