MAAS with Vault: a step-by-step guide
Note: Vault is compatible with MAAS version 3.3 and above. Please upgrade if you're using an older version.
To ensure seamless integration between MAAS and Vault, you'll first need to obtain a role_id and wrapped_token through Vault's CLI. For detailed guidance, check HashiCorp Vault's tutorial.
Here's an illustrative example of how to set up this integration using the vault CLI:
Check whether the approle engine is mounted:
$ vault auth list
If approle/ isn't mounted, enable it:
$ vault auth enable approle
Mount a KV v2 secrets engine at $SECRETS_MOUNT:
$ vault secrets enable -path $SECRETS_MOUNT kv-v2
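Write a policy to $POLICY_FILE that limits access to $SECRETS_PATH under $SECRETS_MOUNT (substitute real values for the variables; Vault does not expand them in policy files):
path "$SECRETS_MOUNT/metadata/$SECRETS_PATH/" {
  capabilities = ["list"]
}
path "$SECRETS_MOUNT/metadata/$SECRETS_PATH/*" {
  capabilities = ["read", "update", "delete", "list"]
}
path "$SECRETS_MOUNT/data/${SECRETS_PATH}/*" {
  capabilities = ["read", "create", "update", "delete"]
}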
Register the policy, then create an AppRole role that uses it:
$ vault policy write $MAAS_POLICY $POLICY_FILE
$ vault write auth/approle/role/$ROLE_NAME \
    policies=$MAAS_POLICY token_ttl=5m
Fetch the role ID:
$ vault read auth/approle/role/$ROLE_NAME/role-id
Generate a secret ID, wrapped in a token that is valid for 5 minutes:
$ vault write -wrap-ttl=5m auth/approle/role/$ROLE_NAME/secret-id
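The following Python check is an added example, not part of the MAAS or Vault documentation: it inspects the JSON returned by `vault write -format=json sys/wrapping/lookup token=$WRAPPED_TOKEN` and confirms, before the token is passed to MAAS, that the wrapper was created at your role's secret-id path with a TTL no longer than the 5 minutes used above. The function names and the sample response are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3339 timestamp as Vault prints it: optional fractional seconds, "Z" or a numeric offset.
_TS = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.\d+)?(Z|[+-]\d\d:\d\d)$")

def parse_creation_time(ts):
    """Parse creation_time to an aware datetime (sub-second precision is dropped)."""
    m = _TS.match(ts or "")
    if not m:
        raise ValueError(f"unparseable creation_time: {ts!r}")
    tz = m.group(2)
    if tz == "Z":
        offset = timedelta(0)
    else:
        offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
        if tz[0] == "-":
            offset = -offset
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone(offset))

def check_wrapped_secret_id(lookup, role_name, max_ttl=300, now=None):
    """Return a list of problems; an empty list means the wrapper matches this guide's steps."""
    data = (lookup or {}).get("data") or {}
    problems = []
    expected_path = f"auth/approle/role/{role_name}/secret-id"
    if data.get("creation_path") != expected_path:
        problems.append(f"creation_path is {data.get('creation_path')!r}, expected {expected_path!r}")
    ttl = int(data.get("creation_ttl") or 0)
    if not 0 < ttl <= max_ttl:
        problems.append(f"creation_ttl {ttl}s is outside (0, {max_ttl}]")
    try:
        expires = parse_creation_time(data.get("creation_time")) + timedelta(seconds=ttl)
        if (now or datetime.now(timezone.utc)) >= expires:
            problems.append(f"wrapper expired at {expires.isoformat()}")
    except ValueError as exc:
        problems.append(str(exc))
    return problems

# Constructed sample of the lookup output; "maas" stands in for $ROLE_NAME.
SAMPLE = {"data": {"creation_path": "auth/approle/role/maas/secret-id",
                   "creation_time": "2024-01-01T12:00:00.123456789Z",
                   "creation_ttl": 300}}

if __name__ == "__main__":
    at = datetime(2024, 1, 1, 12, 2, tzinfo=timezone.utc)
    print(check_wrapped_secret_id(SAMPLE, "maas", now=at) or "wrapper looks as expected")
```

If the lookup command itself fails, the wrapping token has already been unwrapped or has expired; generate a new secret ID rather than reusing it.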
Post-setup, you can integrate MAAS with Vault using:
$ sudo maas config-vault configure $URL $APPROLE_ID $WRAPPED_TOKEN $SECRETS_PATH --mount $SECRETS_MOUNT
Complete the integration by migrating the secrets:
$ sudo maas config-vault migrate
This guide provides you with a structured approach to get your MAAS-Vault integration up and running. Happy integrating!