ARTIFACTORY: How to Set Up Hashicorp Vault with Artifactory

Sam Rosenstein
2021-10-13 14:53

Note: For this article we will install Vault on the same machine as Artifactory. We will also run the server in development mode. For production environments, please refer to the Vault documentation.

Install Vault by following the installation instructions in the Vault documentation.

Start the Vault server

$ vault server -dev

This will display the unseal key and root token. Save these values:

Unseal Key: WevOrb1cF….
Root Token: s.CC0yx8lLd…

Open a new terminal session

$ export VAULT_ADDR='http://127.0.0.1:8200'

Set the VAULT_TOKEN env variable to the Root Token value displayed above. It will look something like:

$ export VAULT_TOKEN="<Root Token>"

Now run vault status to see details about the running server:

$ vault status

Generate GPG Keys

The next step is to set the secrets in the vault. We need a gpg_pub_key, gpg_priv_key and passphrase. First, we will create the GPG keys.

$ gpg --full-generate-key
$ gpg --list-secret-keys --keyid-format LONG
> gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
/Users/samr/.gnupg/pubring.kbx
------------------------------
sec rsa2048/590EFBF7A1A373CC 2021-06-29 [SC]

$ gpg --output private.key --armor --export-secret-keys 590EFBF7A1A373CC
$ gpg --output public.key --armor --export 590EFBF7A1A373CC


Now we have two keys, private.key and public.key as well as a passphrase. Let’s save them as secrets in the vault. 

  1. secret/gpg_pub_key
    • Value is called pub_key
  2. secret/gpg_priv_key
    • Value is called priv_key
  3. secret/passphrase
    • Value is called pp

Navigate to the folder where the keys are located and run the following commands:

$ vault kv put secret/gpg_pub_key pub_key=@public.key
$ vault kv put secret/gpg_priv_key priv_key=@private.key
$ vault kv put secret/passphrase pp=<Passphrase>

Ensure that the values were properly created. The following commands should display the keys and passphrase:

$ vault kv get secret/gpg_pub_key
$ vault kv get secret/gpg_priv_key
$ vault kv get secret/passphrase

Configure the Approle Authentication

https://www.vaultproject.io/docs/auth/approle

Create a policy for the Artifactory AppRole

$ tee test-policy.hcl << EOF
path "secret/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
EOF
$ vault policy write test-policy test-policy.hcl

View the new policy:

$ vault policy read test-policy

Create the AppRole via the Vault API

See the tutorial here: https://www.vaultproject.io/docs/auth/approle#via-the-api-1

Step 1: Create a token to use for authentication in the API

$ vault token create
> Key Value
--- -----
token s.SjsIRo41P8YSHGHyr4pL7mug
token_accessor rMj2ug7vBN1g6OXIkLZK8rJl
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]

Step 2: Enable AppRole auth:

$ curl \
--header "X-Vault-Token: s.SjsIRo41P8YSHGHyr4pL7mug" \
--request POST \
--data '{"type": "approle"}' \
http://127.0.0.1:8200/v1/sys/auth/approle

Step 3: Create an AppRole with the desired policy (in this case ‘test-policy’)

Create an AppRole named test-role

$ curl \
--header "X-Vault-Token: s.SjsIRo41P8YSHGHyr4pL7mug" \
--request POST \
--data '{"policies": "test-policy"}' \
http://127.0.0.1:8200/v1/auth/approle/role/test-role

Step 4: Fetch the Identifier of the Role

* Save this value to use as RoleID in the connection settings in Artifactory

$ curl \
--header "X-Vault-Token: s.SjsIRo41P8YSHGHyr4pL7mug" \
http://127.0.0.1:8200/v1/auth/approle/role/test-role/role-id
> {"role_id":"76237df0-463e-fad3-d1cb-eb292e5fed20"}

Step 5: Create a Secret Identifier Under the Role

* Save this value to use as SecretID in the connection settings in Artifactory

$ curl \
--header "X-Vault-Token: s.SjsIRo41P8YSHGHyr4pL7mug" \
--request POST \
http://127.0.0.1:8200/v1/auth/approle/role/test-role/secret-id
> "data":{"secret_id":"151b7163-8d49-833e-5398-52d815b7ddfc","secret_id_accessor":"f981c017-d8fb-fac1-a6c0-acf766e594f9","secret_id_ttl":0}

Verify that the AppRole has the correct settings with the following API call (pass the same token as in the previous steps):

$ curl \
--header "X-Vault-Token: <Token>" \
http://127.0.0.1:8200/v1/auth/approle/role/test-role
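Before pointing Artifactory at the role, it is worth checking it the way Artifactory will use it: log in with the RoleID and SecretID and read the three secrets back. The script below is an added example, not part of the original article; it assumes the dev-mode server at http://127.0.0.1:8200 (KV v2 mounted at secret/, which is what vault server -dev creates) and reads the RoleID/SecretID from the ROLE_ID and SECRET_ID environment variables.

```python
import json
import os
import urllib.request

# Assumed: the dev server address used in the article; override with VAULT_ADDR.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
# Secret path -> field name, exactly as created with 'vault kv put' above.
SECRETS = {"gpg_pub_key": "pub_key", "gpg_priv_key": "priv_key", "passphrase": "pp"}


def login_payload(role_id, secret_id):
    """JSON body of POST /v1/auth/approle/login, the call Artifactory makes."""
    return json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()


def parse_login(body):
    """Return (client_token, sorted policy list) from an AppRole login response."""
    auth = json.loads(body)["auth"]
    return auth["client_token"], sorted(auth["policies"])


def parse_kv2(body, field):
    """KV v2 (GET /v1/secret/data/<name>) nests the stored fields under data.data."""
    return json.loads(body)["data"]["data"].get(field)


def vault_request(path, token=None, data=None):
    """Minimal Vault HTTP call using the X-Vault-Token header as in the curl steps."""
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data,
                                 method="POST" if data else "GET")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def check_approle(role_id, secret_id):
    """Log in as the AppRole and read every secret; returns (policies, missing paths)."""
    token, policies = parse_login(
        vault_request("auth/approle/login", data=login_payload(role_id, secret_id)))
    missing = [name for name, field in SECRETS.items()
               if not parse_kv2(vault_request(f"secret/data/{name}", token), field)]
    return policies, missing


if __name__ == "__main__":
    policies, missing = check_approle(os.environ["ROLE_ID"], os.environ["SECRET_ID"])
    print("token policies:", policies, "| unreadable secrets:", missing or "none")
```

The token policies reported should be only default and test-policy; since Artifactory only reads these three paths, a production policy can grant read on them instead of every capability on secret/*.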


Configure with Artifactory

Vault Settings

Baseurl: http://127.0.0.1:8200

RoleID: The role_id value returned in Step 4 above

SecretID: The secret_id value returned in Step 5 above

Troubleshooting Steps

When trying to save the connection with the above settings, I got this error:

TLS Error

[Error] [jffe ] [ERROR] [471aeefed3e7deaa] [                              ] [main                ] – http request failed with message – Verification of the connection configurations is not allowed when TLS is not enabled in Access and the platform


[Solution] Enable TLS for BOTH Artifactory and Access

Enable TLS for Artifactory by editing the system.yaml to include the following:

security:
  tls: true

Enable TLS for Access by adding the TLS setting (see the docs):

$ vim /artifactory/var/etc/access/access.config.latest.yml

Add the following line:

security:
  tls: true

Then copy the file to the import file name and restart Artifactory:

$ cp access.config.latest.yml access.config.import.yml
$ service artifactory restart

HTTPS Error

Getting this error in the UI when pressing the ‘Save’ button:

[Error] "Client sent an HTTP request to an HTTPS server" 

[Solution] To proceed, the UI must be accessed over HTTPS, i.e. https://artifactory:port


Environment Variables Error

[Error] root@machine:/home/samr# vault auth enable approle

Error enabling approle auth: Post "https://127.0.0.1:8200/v1/sys/auth/approle": http: server gave HTTP response to HTTPS client

[Solution] The VAULT_ADDR and VAULT_TOKEN env variables weren’t set