Hashicorp Vault Setup Instructions

Patrick Russell
2021-09-27 15:38

Subject 

This article will go into further detail about installing and setting up Hashicorp Vault to use with JFrog Artifactory.

 

Affected Versions

These are the versions of Artifactory and Vault that were tested during the article's creation:

Hashicorp Vault 1.8.2
JFrog Artifactory 7.24.3

Resolution


1] Installing Vault

Installing and configuring Hashicorp Vault can be done from the terminal in a few commands. The following commands are based on the Hashicorp Vault Linux installation documentation:

curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -

sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"

sudo apt-get update && sudo apt-get install vault

This installs the application; the "vault" command line interface should be available after the installation. Next, start the Vault application:

vault server -dev

In this article, "dev" mode is used. Starting the server this way prints the unseal key and root token. Save these values; they will be used later:

Unseal Key: We[…]dXAI=

Root Token: s.C[…]b2Ja

In this article, Vault is installed on the same machine that runs Artifactory.

If Vault is installed on another host, set VAULT_ADDR to the remote address instead of the local one below. To get access to the Vault administration APIs, set the VAULT_TOKEN environment variable to the Root Token value printed earlier:

export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN="s.2WVfqFkeTLt3XBivcWuyX7lA"

2] Generate the GPG keys

We document how to create GPG keys on the wiki, but the GPG program's prompts need to be filled out in a specific way to work with Vault:

gpg --full-generate-key

# Select RSA
Please select what kind of key you want:
   (1) RSA and RSA (default)

# Use the default value: 2048
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048

# Accept the default value for the expiration date: 0
Key is valid for? (0) <- Accept the default value
[...]
Is this correct? (y/N) y

# Enter a user ID, email, or comment. This is for tracking purposes and will not affect the resulting GPG keys
Real name: Example Joe
Email address: Ex.Joe@jfrog.com
Comment: Example GPG keys

Make sure to set a passphrase for the key pair when prompted; it is stored in Vault in step 3 alongside the keys.

After the keys are created, export them:
 

gpg --list-secret-keys --keyid-format LONG

/Users/jfrog/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          jfrog
ssb   4096R/42B317FD4BA89E7A 2016-03-10

# Export the private and public keys to files, using the long key ID shown on the "sec" line
gpg --output private.key --armor --export-secret-keys 3AA5C34371567BD2

gpg --output public.key --armor --export 3AA5C34371567BD2
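Picking the wrong ID out of the listing (a subkey, or a key that has already expired) is the usual reason the export or the later signing fails. The following is an added example, not code from the article or from JFrog: it parses the `gpg --list-secret-keys --keyid-format LONG` layout shown above, keeps only the primary ("sec") keys, checks the expiry date, and fills in the two export commands. The listing is a constructed sample shaped like the one in this step, and the helper names are my own.

```python
"""Added example (not from the JFrog article): select the primary key ID from
`gpg --list-secret-keys --keyid-format LONG` output and check expiry before
exporting. SAMPLE_LISTING is a constructed sample; helper names are my own."""
import re
from datetime import date

SAMPLE_LISTING = """\
/Users/jfrog/.gnupg/secring.gpg
------------------------------------
sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid                          jfrog
ssb   4096R/42B317FD4BA89E7A 2016-03-10
"""

# Matches the 'sec' line in both the older "4096R/<id>" layout and the newer
# "rsa4096/<id> [SC]" layout; the 16-hex-digit long key ID is group 1.
SEC_LINE = re.compile(
    r"^sec\s+\S+/([0-9A-F]{16})\s+(\d{4}-\d{2}-\d{2})"
    r"(?:\s+\[[A-Z]+\])?(?:\s+\[expires: (\d{4}-\d{2}-\d{2})\])?"
)


def primary_key_ids(listing):
    """Return (key_id, created, expires_or_None) for every primary secret key.

    Only 'sec' lines count; 'ssb' subkeys are skipped because the export
    commands in step 2 take the primary key's long ID."""
    found = []
    for line in listing.splitlines():
        m = SEC_LINE.match(line)
        if m:
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def is_expired(expires, today):
    """True when the key carries an expiry date on or before `today`
    (both ISO date strings). A key with no expiry never expires."""
    if expires is None:
        return False
    return date.fromisoformat(expires) <= date.fromisoformat(today)


def export_commands(key_id):
    """The two export commands from step 2, filled in with the chosen key ID."""
    return [
        f"gpg --output private.key --armor --export-secret-keys {key_id}",
        f"gpg --output public.key --armor --export {key_id}",
    ]


if __name__ == "__main__":
    today = date.today().isoformat()
    for key_id, created, expires in primary_key_ids(SAMPLE_LISTING):
        state = "EXPIRED" if is_expired(expires, today) else "ok"
        print(f"{key_id} created {created} expires {expires} [{state}]")
        for cmd in export_commands(key_id):
            print("  ", cmd)
```

Run it against real output by piping `gpg --list-secret-keys --keyid-format LONG` into `primary_key_ids`; an expired primary key should be rotated before it is exported into Vault, since Artifactory cannot sign with it.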

3] Add the keys to Vault

We need to store these keys in Vault so that Artifactory can retrieve them. The last two gpg commands should have produced a "public.key / private.key" pair of files, and the vault command line interface accepts these files as inputs:

vault kv put secret/gpg_pub_key pub_key=@public.key

vault kv put secret/gpg_priv_key priv_key=@private.key

vault kv put secret/passphrase pp=Password1

Ensure that the values were properly created:

vault kv get secret/gpg_pub_key

vault kv get secret/gpg_priv_key

vault kv get secret/passphrase

4] Create an "AppRole" for Artifactory in Vault

Vault needs to know about the Artifactory application so Artifactory can authenticate against it. First, we need to create a policy file:

echo 'path "secret/*" {
 capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}' > artifactory-policy.hcl

Then load this file into Vault:

vault policy write artifactory-policy artifactory-policy.hcl

Using the Vault API, enable the AppRole auth method and create the Artifactory AppRole. You need to generate an API token to use curl against the Vault server:

vault token create

Key                  Value
---                  -----
token                s.SjsIRo41P8YSHGHyr4pL7mug
token_accessor       rMj2ug7vBN1g6OXIkLZK8rJl
[...]

Then use the token to enable the AppRole auth method and create the role with the policy attached:

curl \
    --header "X-Vault-Token: s.SjsIRo41P8YSHGHyr4pL7mug" \
    --request POST \
    --data '{"type": "approle"}' \
    http://127.0.0.1:8200/v1/sys/auth/approle

curl \
    --header "X-Vault-Token: s.SjsIRo41P8YSHGHyr4pL7mug" \
    --request POST \
    --data '{"policies": "artifactory-policy"}' \
    http://127.0.0.1:8200/v1/auth/approle/role/artifactory-role

Finally, Artifactory needs the AppRole's role_id and secret_id. These can be retrieved using curl and the Vault token; note that each POST to the secret-id endpoint issues a new secret_id:

curl \
    --header "X-Vault-Token: s.SjsIRo41P8YSHGHyr4pL7mug" \
    http://127.0.0.1:8200/v1/auth/approle/role/artifactory-role/role-id

{"role_id":"76237df0-463e-fad3-d1cb-eb292e5fed20"}

curl \
    --header "X-Vault-Token: s.SjsIRo41P8YSHGHyr4pL7mug" \
    --request POST \
    http://127.0.0.1:8200/v1/auth/approle/role/artifactory-role/secret-id

"data":{"secret_id":"151b7163-8d49-833e-5398-52d815b7ddfc","secret_id_accessor":"f981c017-d8fb-fac1-a6c0-acf766e594f9","secret_id_ttl":0}
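What Artifactory does with these two values is a two-message exchange: it posts the role_id and secret_id to the AppRole login endpoint, receives a client token that carries artifactory-policy, and then reads the GPG entries with that token. The following is an added example, not code from the article or from JFrog, that walks through the exchange with both sides visible. A small stand-in HTTP server plays Vault so the script runs offline; its two routes are modelled on the shape of Vault's AppRole login and KV v2 read responses (an assumption: the dev server's secret/ mount is KV v2, so the read path is secret/data/<name>), and the role_id, secret_id and token below are constructed sample values.

```python
"""Added example (not from the JFrog article): the AppRole login-then-read
exchange that Artifactory performs with the role_id / secret_id from step 4.
FakeVault is a constructed stand-in, modelled on the response shape of Vault's
AppRole login and KV v2 read endpoints; all credential values are constructed."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values; the real ones come from `vault` in step 4.
ROLE_ID = "76237df0-463e-fad3-d1cb-eb292e5fed20"
SECRET_ID = "151b7163-8d49-833e-5398-52d815b7ddfc"
ISSUED_TOKEN = "s.constructedClientTokenValue"
SECRETS = {"gpg_pub_key": {"pub_key": "-----BEGIN PGP PUBLIC KEY BLOCK----- (sample)"}}


class FakeVault(BaseHTTPRequestHandler):
    """Minimal stand-in for the two Vault endpoints the exchange touches."""

    def _send(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        if self.path == "/v1/auth/approle/login":
            # Both halves of the credential must match the registered role.
            if body.get("role_id") == ROLE_ID and body.get("secret_id") == SECRET_ID:
                self._send(200, {"auth": {"client_token": ISSUED_TOKEN,
                                          "policies": ["artifactory-policy"]}})
            else:
                self._send(400, {"errors": ["invalid role or secret ID"]})
        else:
            self._send(404, {"errors": []})

    def do_GET(self):
        # Every read must carry the token obtained at login.
        if self.headers.get("X-Vault-Token") != ISSUED_TOKEN:
            self._send(403, {"errors": ["permission denied"]})
            return
        prefix = "/v1/secret/data/"
        name = self.path[len(prefix):] if self.path.startswith(prefix) else None
        if name in SECRETS:
            self._send(200, {"data": {"data": SECRETS[name]}})  # KV v2 shape
        else:
            self._send(404, {"errors": []})

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_vault():
    """Start the stand-in on a free localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def _call(url, token=None, data=None):
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


def approle_login(addr, role_id, secret_id):
    """Message 1: trade role_id + secret_id for a client token (None on failure)."""
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    status, resp = _call(f"{addr}/v1/auth/approle/login", data=body)
    return resp["auth"]["client_token"] if status == 200 else None


def read_secret(addr, token, name):
    """Message 2: read a KV v2 entry with the client token (None if refused)."""
    status, resp = _call(f"{addr}/v1/secret/data/{name}", token=token)
    return resp["data"]["data"] if status == 200 else None


if __name__ == "__main__":
    server, addr = start_fake_vault()
    token = approle_login(addr, ROLE_ID, SECRET_ID)
    print("client token:", token)
    print("gpg_pub_key:", read_secret(addr, token, "gpg_pub_key"))
    print("wrong secret_id ->", approle_login(addr, ROLE_ID, "not-the-secret"))
    server.shutdown()
```

The design point to take from it is that neither value is useful on its own: a role_id without the matching secret_id is refused at login, and a read without the token issued at login is refused with 403. That is why the secret_id should be handed only to the Artifactory instance that owns the role, and why issuing a fresh one (another POST to the secret-id endpoint) is the way to replace one that may have been exposed.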

 

5] Enable TLS in Artifactory

To work with Vault, you need to enable TLS on the Artifactory application. Details on how to do this are described in the Artifactory documentation; an outline of the necessary steps can be found below:

A] Enable TLS for the Access service by editing its configuration file:

# If the file does not exist, that is ok
vim $ART_HOME/etc/access/access.config.latest.yml

B] Add the following lines:

security:
  tls: true

C] Copy the file to its import name:

cp access.config.latest.yml access.config.import.yml

D] Restart Artifactory for the change to take effect:

service artifactory restart

 

6] Enable Vault in Artifactory

Artifactory needs to be configured with the following items from Vault:

- Vault Base URL: http://127.0.0.1:8200
- AppRole ID: the role_id value retrieved above
- Secret ID: the secret_id value retrieved above
- Secrets Engine Path: "secret", as used above

The "Test Configuration" button should pass. After you save the configuration, Vault will be used to store the sensitive GPG signing key information.