3

This seems like a pretty simple use case, but it would depend on some pretty recently added functionality which I might not understand yet:

A python script gets populated by configuration management on a few monitoring servers within a specific IP range.

def main():
    args = get_args()
    user, password = args.redis_credentials
    ... store creds in a local file owned by root, do stuff with this...

It should change to this:

def main():
    args = get_args()
    vault_token = args.approle_token_for_vault
    user, password = get_creds_from_vault(token=vault_token, path="/secrets/redis/redis_credentials")
    ... store creds in a local file owned by root, do stuff with this...

This script needs a user/pass auth to a datastore.

Let's say that anything passed to the script goes into a file (e.g. an access token), shared on a bunch of machines. Provisioning is unpredictable, except for a specific subnet or IP address range.

Anyway, can I use Vault to restrict access to these shared credentials based on some kind of network identifier like MAC address or IP address?

Yes, I know, IP address restrictions are a "defense in depth" approach, and IP addresses can be spoofed. But the idea is to quickly make an incremental improvement to the existing security situation.

Nathan Basanese
  • 640
  • 1
  • 9
  • 20
  • // , Since this use case refers largely to simple automation, feel free to migrate to SO if appropriate – Nathan Basanese May 03 '18 at 18:02
  • 2
    Because you are asking about a specific function of a commercial product, I think it is better asked of the vendor. – schroeder May 03 '18 at 18:54
  • // , This is an open source product, to which I've already contributed code. But thanks for the comment. I've also reached out to them, in addition to the wider open source community for this – Nathan Basanese May 04 '18 at 17:34
  • // , "Vault is an open source tool that can be deployed to any environment, and does not require any special hardware." Please check https://www.vaultproject.io/intro/vs/kms.html for more info – Nathan Basanese May 04 '18 at 21:50
  • 1
    "Open source" does NOT mean non-commercial. Free as in beer, free as in speech. https://www.hashicorp.com/products/vault – schroeder May 05 '18 at 16:27
  • 1
    Definitely FOSS: https://github.com/hashicorp/vault/blob/master/LICENSE - there is also a commercial offering adding on to the open source product. – Ryan Long Aug 02 '18 at 04:02
  • // , Let me guess schroeder thinks RedHat is the devil, too? – Nathan Basanese Mar 23 '20 at 22:12

1 Answers1

1

It turns out that, as of 0.6.4 of the open source version of HashiCorp Vault, I can restrict access to AppRoles based on CIDR ranges, although I couldn't do this with the other authentication methods, as it happened.

Later versions of HashiCorp Vault have added the CIDR range binding capability to more and more authentication methods. HashiCorp added the ability to not only bind Vault Auth methods to CIDR ranges, but also allows binding any Vault Tokens produced to configurable CIDR ranges.

When the feature was enabled:

https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#0103-june-20th-2018

Where the magic happens:

https://github.com/hashicorp/vault/blob/a54603039d5c38fcc2c9468f3beb29e1c1c2aca0/helper/cidrutil/cidr.go

What is a CIDR?

CIDR (Classless Inter-Domain Routing, sometimes called supernetting) is a way to allow more flexible allocation of Internet Protocol (IP) addresses than was possible with the original system of IP address classes.
A CIDR network address looks like this under IPv4: 192.30.250.00/18
Because it's just a bitwise way to specify IP address ranges, 192.30.250.00/18 would correspond to the IP address range of 192.30.192.0 to 192.30.255.255.

Links about CIDRs

https://www.ipaddressguide.com/cidr
https://searchnetworking.techtarget.com/definition/CIDR

forest
  • 64,616
  • 20
  • 206
  • 257
Nathan Basanese
  • 640
  • 1
  • 9
  • 20