0 votes

I am trying to use HashiCorp Vault for storing secrets for service account usernames and passwords. I am following this link https://www.vaultproject.io/docs/auth/userpass.html to create the username and password.

My question here is that, as per this example, I am specifying the password "foo" when I curl this from any EC2 instance as part of automation, so we want to automate this and the code will come from git:

    curl \
      --request POST \
      --data '{"password": "foo"}' \
      http://10.10.218.10:8200/v1/auth/userpass/login/mitchellh

Our policy is that we should NOT store any password in git... How do I run this curl and get authenticated to Vault without specifying the password for the user? Is this possible?


1 Answer

1 vote

Why don't you want to use the aws auth method?

Also, if you are sure you want to use password authentication, I think you can do something like this:

  • Generate the user/password in Vault, store the user's password in Vault, and set a policy that allows a specific EC2 instance (EC2 auth method) to read that specific user's password;
  • In the EC2 instance, run consul-template, which will authenticate to Vault with an EC2 instance role;
  • This consul-template will generate the curl command with the specific username and password;
  • Use this command.
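The flow the answer sketches, written out as an added example (not code from the answer's author, HashiCorp, or the asker). It replaces consul-template with a small script that runs on the instance and does the same three steps against Vault's HTTP API: log in with the AWS auth method's EC2 variant using the PKCS7-signed instance identity document from the instance metadata service (`/latest/dynamic/instance-identity/pkcs7`), read the service account's password from a KV v2 secret with the instance-scoped token, then perform the page's `userpass/login/<user>` call with that password. Nothing has to live in git except the script: the only thing the instance presents to Vault is an identity document signed by AWS. The Vault address is the one from the question; the AWS auth role name `svc-login`, the KV path `secret/data/svc/mitchellh`, and the nonce file location are assumptions, and `FakeVault` is a constructed stand-in for the server so the exchange can be run offline.

```python
"""Bootstrap a Vault userpass login from an EC2 instance without a stored password.

Assumed names: AWS auth role "svc-login", KV v2 secret at secret/data/svc/mitchellh
holding {"password": ...}, nonce persisted at /var/lib/vault-ec2-nonce.
"""
import json
import secrets
import urllib.request
from pathlib import Path

IMDS_PKCS7 = "http://169.254.169.254/latest/dynamic/instance-identity/pkcs7"
NONCE_FILE = Path("/var/lib/vault-ec2-nonce")  # assumed location


def http_json(method, url, body=None, token=None):
    """Minimal JSON transport over urllib; swapped for FakeVault when run offline."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def fetch_text(url):
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode()


def load_or_create_nonce(path):
    # Vault's EC2 method ties the first login to a client nonce; later logins
    # from the same instance must present the same nonce, so keep it on disk.
    if path.exists():
        return path.read_text().strip()
    nonce = secrets.token_hex(16)
    path.write_text(nonce)
    return nonce


def ec2_login(vault_addr, role, pkcs7, nonce, transport=http_json):
    """POST /v1/auth/aws/login with the PKCS7-signed instance identity document."""
    payload = {"role": role, "pkcs7": pkcs7.replace("\n", ""), "nonce": nonce}
    resp = transport("POST", f"{vault_addr}/v1/auth/aws/login", payload)
    return resp["auth"]["client_token"]


def read_kv2_password(vault_addr, token, secret_path, transport=http_json):
    """GET a KV v2 secret; the stored fields sit under data.data."""
    resp = transport("GET", f"{vault_addr}/v1/{secret_path}", None, token)
    return resp["data"]["data"]["password"]


def userpass_login(vault_addr, username, password, transport=http_json):
    """The page's curl call done from code: POST the password to userpass/login/<user>."""
    resp = transport("POST", f"{vault_addr}/v1/auth/userpass/login/{username}",
                     {"password": password})
    return resp["auth"]["client_token"]


def bootstrap(vault_addr, role, username, secret_path, pkcs7, nonce, transport=http_json):
    """Chain the three steps; the password only ever exists in process memory."""
    ec2_token = ec2_login(vault_addr, role, pkcs7, nonce, transport)
    password = read_kv2_password(vault_addr, ec2_token, secret_path, transport)
    return userpass_login(vault_addr, username, password, transport)


class FakeVault:
    """Constructed stand-in for the Vault API: records calls, enforces the policy."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, body=None, token=None):
        path = url.split("/v1/", 1)[1]
        self.calls.append((method, path, token))
        if path == "auth/aws/login":
            assert body["role"] == "svc-login" and body["pkcs7"] and body["nonce"]
            return {"auth": {"client_token": "s.ec2-scoped-token"}}
        if path == "secret/data/svc/mitchellh":
            if token != "s.ec2-scoped-token":  # only the instance role may read it
                raise PermissionError("403: permission denied")
            return {"data": {"data": {"password": "generated-by-vault"}}}
        if path == "auth/userpass/login/mitchellh":
            assert body == {"password": "generated-by-vault"}
            return {"auth": {"client_token": "s.userpass-token"}}
        raise ValueError("unexpected path " + path)


def demo_offline():
    """Run the whole exchange against FakeVault; returns (token, request paths)."""
    fake = FakeVault()
    token = bootstrap("http://vault.example:8200", "svc-login", "mitchellh",
                      "secret/data/svc/mitchellh", "MIIB...constructed-pkcs7...", "abc123", fake)
    return token, [path for _, path, _ in fake.calls]


if __name__ == "__main__":
    addr = "http://10.10.218.10:8200"  # Vault address from the question
    tok = bootstrap(addr, "svc-login", "mitchellh", "secret/data/svc/mitchellh",
                    fetch_text(IMDS_PKCS7), load_or_create_nonce(NONCE_FILE))
    print("userpass token obtained:", tok[:6] + "...")
```

Run on the instance, the script needs nothing secret on disk apart from the nonce, and the KV read only succeeds because the Vault policy bound to the `svc-login` role grants that one path; a token obtained any other way gets a 403, which is the property the answer's first bullet is asking for.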