Add example to create local user in vault

This commit will provide an example to create local user and the policy to provide access vault secret path
rackerlabs · Mar 29, 2024 · 93bd384 · 93bd384
1 parent bd1139c
commit 93bd384
Showing 1 changed file with 67 additions and 0 deletions.
diff --git a/docs/vault.md b/docs/vault.md
@@ -187,4 +187,71 @@ vault kv put -mount=osh/keystone keystone-credential-keys  password=$(< /dev/ura
 
 ---
 
+## Example to create local users in Vault and provide access to the secret path
+
+- Login with root token:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- sh
+vault login
+```
+
+- Creating keystone user and the required policy:
+
+```
+vault policy write keystone - <<EOF
+path "osh/keystone/*" {
+   capabilities = ["create", "read", "update", "patch", "delete", "list"]
+}
+EOF
+exit
+```
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault write auth/userpass/users/keystone password=8EaQwtdt policies=keystone
+```
+
+- Tune token duration:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault write sys/auth/userpass/tune default_lease_ttl=8h max_lease_ttl=720h
+```
+
+### Validation
+
+- Login to the vault using `keystone` user and try accessing secret path to which it has access:
+
+``` shell
+kubectl  exec -it vault-0 -n vault -- \
+    vault login -method userpass username=keystone
+
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/keystone
+```
+
+- Accessing to other secret path will fail:
+
+``` shell
+# kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/keystone
+Keys
+----
+keystone-admin
+keystone-db-password
+keystone-rabbitmq-password
+
+# kubectl exec --stdin=true --tty=true vault-0 -n vault --  \
+    vault kv list osh/glance
+Error making API request.
+
+URL: GET https://127.0.0.1:8200/v1/sys/internal/ui/mounts/osh/glance
+Code: 403. Errors:
+
+* preflight capability check returned 403, please ensure client's policies grant access to path "osh/glance/"
+```
+
+---
+
 Once the secrets are created in Vault, we can use [vault-secrets-operator](https://github.com/rackerlabs/genestack/blob/main/docs/vault-secrets-operator.md) to populate the Kubernetes secret resources in Kubernetes cluster.