-
Notifications
You must be signed in to change notification settings - Fork 24
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #23 from vinod827/hashitalks2025-zerotrust
HashiTalks 2025 - Zero Trust Security using Hashi Vault and AWS IAM
- Loading branch information
Showing
5 changed files
with
130 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| FROM amazon/aws-cli:latest | ||
|
|
||
| # Install jq | ||
| RUN yum update -y && \ | ||
| yum install -y jq && \ | ||
| yum clean all |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| path "aws/creds/dev-role" { | ||
| capabilities = ["read"] | ||
| } | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| # Enable AWS secrets engine | ||
| path "sys/mounts/aws" { | ||
| capabilities = ["create", "update"] | ||
| } | ||
|
|
||
| # Configure AWS secrets engine with root credentials | ||
| path "aws/config/root" { | ||
| capabilities = ["create", "update"] | ||
| data = { | ||
| access_key = "<ACCESS_KEY>" | ||
| secret_key = "<SECRET_ACCESS_KEY>" | ||
| region = "us-east-1" | ||
| } | ||
| } | ||
|
|
||
| # Create a Vault AWS role that generates IAM user credentials | ||
| path "aws/roles/dev-role" { | ||
| capabilities = ["create", "update"] | ||
| data = { | ||
| credential_type = "iam_user" | ||
| policy_arn = "<IAM Policy ARN>" | ||
| max_ttl = "24h" | ||
| ttl = "1h" | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: vault-s3-uploader-config | ||
| namespace: vault | ||
| data: | ||
| VAULT_ADDR: "http://vault.vault.svc.cluster.local:8200" | ||
| VAULT_ROLE: "dev-role" | ||
| S3_BUCKET: "hashitalks2025-zerotrust" | ||
| S3_REGION: "us-east-1" | ||
| --- | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: vault-s3-uploader | ||
| namespace: vault | ||
| labels: | ||
| app: vault-s3-uploader | ||
| spec: | ||
| serviceAccountName: vault-sa # Bind to the service account | ||
| imagePullSecrets: | ||
| - name: ecr-secret # Reference the secret for pulling ECR images | ||
| containers: | ||
| - name: s3-uploader | ||
| image: 730335385934.dkr.ecr.us-east-1.amazonaws.com/hashitalks2025:v1.0.0 | ||
| resources: | ||
| limits: | ||
| memory: "128Mi" | ||
| cpu: "500m" | ||
| requests: | ||
| memory: "64Mi" | ||
| cpu: "250m" | ||
| env: | ||
| - name: VAULT_ADDR | ||
| valueFrom: | ||
| configMapKeyRef: | ||
| name: vault-s3-uploader-config | ||
| key: VAULT_ADDR | ||
| - name: VAULT_ROLE | ||
| valueFrom: | ||
| configMapKeyRef: | ||
| name: vault-s3-uploader-config | ||
| key: VAULT_ROLE | ||
| - name: S3_BUCKET | ||
| valueFrom: | ||
| configMapKeyRef: | ||
| name: vault-s3-uploader-config | ||
| key: S3_BUCKET | ||
| command: ["/bin/sh", "-c"] | ||
| args: | ||
| - | | ||
| echo "Retrieving AWS credentials from Vault..." | ||
| VAULT_PATH="aws/creds/${VAULT_ROLE}" | ||
| # Get JWT token from Kubernetes service account | ||
| K8S_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) | ||
| # Authenticate with Vault using Kubernetes auth | ||
| VAULT_RESPONSE=$(curl -s --request POST --data "{\"jwt\": \"${K8S_TOKEN}\", \"role\": \"${VAULT_ROLE}\"}" ${VAULT_ADDR}/v1/auth/kubernetes/login) | ||
| VAULT_TOKEN=$(echo "$VAULT_RESPONSE" | jq -r '.auth.client_token') | ||
| # Get temporary AWS credentials (IAM User) | ||
| CREDS=$(curl -s --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/${VAULT_PATH}) | ||
| AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r '.data.access_key') | ||
| AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r '.data.secret_key') | ||
| if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then | ||
| echo "Failed to retrieve AWS credentials from Vault. Exiting..." | ||
| exit 1 | ||
| fi | ||
| # Export credentials for AWS CLI | ||
| export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY | ||
| echo "AWS credentials retrieved successfully." | ||
| sleep 4 | ||
| # Creating a dummy file | ||
| echo "Hello everyone! Welcome to the HashiTalks 2025" > hashitalks.txt | ||
| aws s3 cp hashitalks.txt s3://$S3_BUCKET/ | ||
| echo "Upload completed!" | ||
| volumeMounts: | ||
| - name: sa-token | ||
| mountPath: /var/run/secrets/kubernetes.io/serviceaccount | ||
| readOnly: true | ||
| volumes: | ||
| - name: sa-token | ||
| projected: | ||
| sources: | ||
| - serviceAccountToken: | ||
| path: token | ||
| expirationSeconds: 600 | ||
| audience: vault | ||
| restartPolicy: Never |