Managing Tencent Cloud Secrets Engine and Authentication Method in HashiCorp Vault

Tencent Cloud has announced new HashiCorp Vault integrations. See how they are implemented in this guest post.

This blog is a guest post from Tencent Press Center, where it was originally posted.

Following the integration of HashiCorp Nomad and HashiCorp Consul on Tencent Cloud, we are excited to announce our integration with HashiCorp Vault today as we aim to provide Tencent Cloud’s customers with a verified and seamless user experience.

HashiCorp Vault is a comprehensive secrets and encryption management solution which enables teams to securely store and tightly control access to tokens, passwords, certificates, and encryption keys for protecting machines and applications. It is widely used across many industries (including stock exchanges, large financial organizations, and hotel chains) to provide security in the cloud operating model. The key use cases are spread across secrets management, encryption as a service, and advanced data protection.

Tencent Cloud’s integration with HashiCorp Vault comprises two parts – the Tencent Cloud Secrets Engine and Tencent Cloud Authentication Method.

Secrets engines are components that store, generate, or encrypt data. They are provided with some set of data, they take some action on that data, and they return a result. Auth methods are the components in Vault that perform authentication and are responsible for assigning identity and a set of policies to a user. In all cases, Vault will enforce authentication as part of the request processing.

Tencent Cloud CAM credentials can be used to authenticate systems and applications, which resolves the need to distribute initial access credentials. Moreover, Vault can dynamically generate and configure policies and role assignments. This provides users and applications outside of the cloud an easy method for generating flexible time- and permission-bound access into Tencent Cloud APIs.

Using the Vault Tencent Cloud secrets engines plugin and auth methods plugin, customers can leverage all of the Vault features to automate their secrets management.

Now let us guide you through how to create the secrets and auth!

Tencent Cloud Secrets Engine

The Tencent Cloud Secrets Engine dynamically generates a Tencent Cloud access secret ID/key or tokens based on CAM policies, or Tencent Cloud STS credentials based on CAM roles. This generally makes working with Tencent Cloud easier, since it does not involve clicking in the web UI. The Tencent Cloud access secret ID/key or tokens are time-based and are automatically revoked when the Vault lease expires. STS credentials are short-lived, non-renewable, and expire on their own.

Before you install the plugins, we assume that you have already installed Vault and have a basic understanding of how Vault works. In case you need any help on this, you can always visit Vault Tutorials to start getting familiar with it.

First, build the secrets engine into a plugin using Go.

$ go build -o vault/plugins/vault-plugin-secrets-tencentcloud ./cmd/vault-plugin-secrets-tencentcloud/main.go

Then copy the plugin binary into a location of your choice; this directory must be specified as the plugin_directory in the Vault configuration file.

plugin_directory = "vault/plugins"

Start a Vault server with this configuration file.

$ vault server -config=vault/server.hcl

Once the server is started, register the plugin in the Vault server's plugin catalog.

$ SHA256=$(shasum -a 256 vault/plugins/vault-plugin-secrets-tencentcloud | cut -d ' ' -f1)
$ vault plugin register -sha256=$SHA256 secret vault-plugin-secrets-tencentcloud
$ vault plugin info secret vault-plugin-secrets-tencentcloud

You can now enable the Tencent Cloud Secrets plugin.

$ vault secrets enable -path=tencentcloud vault-plugin-secrets-tencentcloud
Success! Enabled the vault-plugin-secrets-tencentcloud secrets engine at: tencentcloud/

When a secrets engine is enabled, a random UUID is generated. This becomes the data root for that engine. Whenever that engine writes to the physical storage layer, it is prefixed with that UUID folder. Since the Vault storage layer doesn't support relative access (such as ../), this makes it impossible for an enabled secrets engine to access other data.

This is an important security feature in Vault — even a malicious engine cannot access the data from any other engine.
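A minimal model of that isolation, as an added example (not Vault's own code): each mount gets a view that prefixes every key with its UUID and refuses any key containing a `..` segment. The names `scopedView` and `errRelativePath`, the map used as the physical store, and the sample UUIDs are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var errRelativePath = errors.New("relative paths not supported")

// scopedView (hypothetical) confines one mount to its UUID prefix in a shared store.
type scopedView struct {
	store  map[string]string // stand-in for the physical storage layer
	prefix string            // "<mount-uuid>/"
}

// expand rejects any ".." segment, then prepends the mount's prefix.
func (v *scopedView) expand(key string) (string, error) {
	for _, seg := range strings.Split(key, "/") {
		if seg == ".." {
			return "", errRelativePath
		}
	}
	return v.prefix + key, nil
}

func (v *scopedView) Put(key, val string) error {
	full, err := v.expand(key)
	if err == nil {
		v.store[full] = val
	}
	return err
}

func (v *scopedView) Get(key string) (string, error) {
	full, err := v.expand(key)
	if err != nil {
		return "", err
	}
	return v.store[full], nil
}

func main() {
	store := map[string]string{}
	a := &scopedView{store, "11111111-aaaa/"} // constructed sample UUIDs
	b := &scopedView{store, "22222222-bbbb/"}
	a.Put("config", "engine-a-secret")
	_, err := b.Get("../11111111-aaaa/config") // engine B reaching for A's data
	fmt.Println(err, store)
}
```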

Tencent Cloud Authorization Method

The Tencent Cloud Authorization Method (Auth Method) provides an automated mechanism to retrieve a Vault token for Tencent Cloud entities. Unlike most Vault auth methods, this method does not require operators to manually deploy or provision security-sensitive credentials (tokens, username/password, client certificates, etc.) first.

The Tencent Cloud STS API includes a method, sts:GetCallerIdentity, which allows you to validate the identity of a client. The client signs a GetCallerIdentity query using the Tencent Cloud Signature Algorithm v3. It then submits two pieces of information to the Vault server so that the server can recreate the signed request: the request URL and the request headers. The Vault server reconstructs the query, forwards it to the Tencent Cloud STS service, and validates the response.

Each signed Tencent Cloud request includes the current timestamp and a nonce to mitigate the risk of replay attacks.
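Because the URL and headers come from the client, the server side of this exchange should vet them before forwarding anything. The following is an added example, not the plugin's own code: it pins the destination host and the signed action, enforces a timestamp window, and refuses a signature it has already accepted; STS still verifies the signature itself. The `loginChecker` type, the five-minute window, the use of the `Authorization` value as the replay key, and the sample header values are assumptions; `X-TC-Action` and `X-TC-Timestamp` are the Tencent Cloud API v3 common headers.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strconv"
	"time"
)

const stsHost = "sts.tencentcloudapi.com" // assumed: the only host requests are forwarded to
const maxSkew = 5 * time.Minute           // assumed freshness window
// loginChecker (hypothetical) remembers Authorization values it has accepted.
type loginChecker struct{ seen map[string]bool }

// check vets the client-supplied URL and headers before anything is forwarded.
func (c *loginChecker) check(rawURL string, h http.Header, now time.Time) error {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "https" || u.Host != stsHost {
		return errors.New("request URL is not the pinned STS endpoint")
	}
	if h.Get("X-TC-Action") != "GetCallerIdentity" {
		return errors.New("signed action is not GetCallerIdentity")
	}
	ts, err := strconv.ParseInt(h.Get("X-TC-Timestamp"), 10, 64)
	if err != nil {
		return errors.New("missing or malformed X-TC-Timestamp")
	}
	if d := now.Sub(time.Unix(ts, 0)); d > maxSkew || d < -maxSkew {
		return errors.New("timestamp outside the freshness window")
	}
	auth := h.Get("Authorization")
	if auth == "" || c.seen[auth] {
		return errors.New("signature missing or already used")
	}
	c.seen[auth] = true
	return nil
}

func main() {
	c := &loginChecker{seen: map[string]bool{}}
	now := time.Unix(1700000000, 0)
	h := http.Header{} // constructed sample headers, not a real signed request
	h.Set("X-TC-Action", "GetCallerIdentity")
	h.Set("X-TC-Timestamp", "1700000000")
	h.Set("Authorization", "TC3-HMAC-SHA256 constructed-sample")
	fmt.Println(c.check("https://"+stsHost+"/", h, now), c.check("https://"+stsHost+"/", h, now))
}
```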

First, build the auth method into a plugin using Go.

$ go build -o vault/plugins/vault-plugin-auth-tencentcloud ./cmd/vault-plugin-auth-tencentcloud/main.go

Then copy the plugin binary into a location of your choice; this directory must be specified as the plugin_directory in the Vault configuration file.

plugin_directory = "vault/plugins"

Now start a Vault server with this configuration file.

$ vault server -config=vault/server.hcl

Once the server is started, register the plugin in the Vault server's plugin catalog.

$ SHA256=$(shasum -a 256 vault/plugins/vault-plugin-auth-tencentcloud | cut -d ' ' -f1)
$ vault plugin register -sha256=$SHA256 auth vault-plugin-auth-tencentcloud
$ vault plugin info auth vault-plugin-auth-tencentcloud

You can now enable the Tencent Cloud Auth plugin.

$ vault auth enable -path=tencentcloud vault-plugin-auth-tencentcloud
Success! Enabled vault-plugin-auth-tencentcloud auth method at: tencentcloud/

More Efficient and Secure Access Management

Tencent Cloud Secrets Engine and Authentication Method in HashiCorp Vault leverage trusted sources of identity to keep secrets and application data secured with one centralized, audited workflow for tightly controlling access to secrets across applications, systems, and infrastructure while encrypting data both in flight and at rest.

Now, users have the power they need to fully manage their Tencent Cloud secrets and auth with HashiCorp Vault.

View the API document for Vault Tencent Cloud Authentication Method.

View the API document for Vault Tencent Cloud Secrets Engine.
