Hashicorp Vault + Turbot Steampipe
Vault is an industry-leading Secrets Management & Data Protection solution from Hashicorp.
Steampipe is an open source CLI from Turbot for querying cloud APIs using SQL.
Getting Started
Installation
Download and install the latest Vault plugin:
steampipe plugin install theapsgroup/vault
Prerequisites
- Vault Server
- Vault API Token
Configuration
The preferred option is to use environment variables for configuration, as the Vault token should be rotated frequently; however, you can also configure the connection in ~/.steampipe/config/vault.spc (this file will take precedence over the environment variables).
Environment Variables (the defaults used by the Hashicorp Vault CLI):
- VAULT_ADDR for the server address (ex: https://vault.mycorp.com/)
- VAULT_TOKEN for the API token (ex: s.f7Ea3C3ojOYE0GRLzmhSGNkE)
Configuration File:
connection "vault" {
  plugin    = "theapsgroup/vault"
  address   = "https://vault.mycorp.com/"
  auth_type = "token"
  token     = "s.f7Ea3C3ojOYE0GRLzmhSGNkE"
}
Authentication
Vault supports multiple authentication backends; currently the token and AWS IAM backends are supported by this plugin. Note that, in line with the Vault CLI behaviour, if a Vault token is supplied it will be used instead of your configured authentication method.
Token
connection "vault" {
  plugin    = "theapsgroup/vault"
  address   = "https://vault.mycorp.com/"
  auth_type = "token"
  token     = "sometoken"
}
AWS
connection "vault" {
  plugin       = "theapsgroup/vault"
  address      = "https://vault.mycorp.com/"
  auth_type    = "aws"
  aws_role     = "steampipe-test-role"
  aws_provider = "aws"
}
aws_role is the name of the role as configured in the Vault AWS authentication backend.
aws_provider is the name of the access engine in Vault.
The Vault plugin resolves AWS credentials in the standard AWS SDK credential chain order.
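The two precedence rules above (vault.spc over VAULT_* variables, and any supplied token over the configured auth_type) decide which credentials a query actually runs with. The checker below, an added example that is not part of the plugin, parses the flat key = "value" form of the connection block shown in this README (not full HCL) and reports the effective address and method, warning when a static token sits in the file; the sample config and hostname are constructed for the example.

```python
import re

# Added example (not the plugin's own code): report which credentials the
# Steampipe Vault plugin will end up using for a given vault.spc and environment,
# following the precedence described in the README. Parses only the flat
# `key = "value"` form shown there, not full HCL.
_BLOCK = re.compile(r'connection\s+"vault"\s*\{(.*?)\}', re.DOTALL)
_KV = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def parse_spc(text):
    """Return the key/value pairs inside the connection "vault" {...} block."""
    m = _BLOCK.search(text)
    return dict(_KV.findall(m.group(1))) if m else {}

def resolve_auth(spc_text, env):
    """Return (address, method, warnings) for the effective configuration.

    Precedence, as the README states: values in vault.spc override the VAULT_*
    environment variables, and any token (file or VAULT_TOKEN) is used instead
    of the configured auth_type, matching the Vault CLI behaviour.
    """
    cfg = parse_spc(spc_text)
    warnings = []
    address = cfg.get("address") or env.get("VAULT_ADDR")
    if not address:
        warnings.append("no address: set VAULT_ADDR or address in vault.spc")
    if cfg.get("token"):
        warnings.append("static token in vault.spc: prefer VAULT_TOKEN so it can be rotated")
    token = cfg.get("token") or env.get("VAULT_TOKEN")
    auth_type = cfg.get("auth_type", "token")
    if token:
        if auth_type != "token":
            warnings.append(f"token supplied, auth_type={auth_type!r} is ignored")
        return address, "token", warnings
    if auth_type == "aws":
        if not cfg.get("aws_role"):
            warnings.append("auth_type aws requires aws_role")
        return address, "aws", warnings
    warnings.append("no usable credentials: set VAULT_TOKEN or use auth_type aws")
    return address, "none", warnings

# Constructed sample: the AWS IAM form from the README with a placeholder host.
SAMPLE_AWS_SPC = '''connection "vault" {
  plugin       = "theapsgroup/vault"
  address      = "https://vault.example.invalid/"
  auth_type    = "aws"
  aws_role     = "steampipe-test-role"
  aws_provider = "aws"
}'''

if __name__ == "__main__":
    import os
    print(resolve_auth(SAMPLE_AWS_SPC, os.environ))
```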
Testing
A quick test can be performed from your terminal with:
steampipe query "select * from vault_engine"
Tables
The following tables are available for querying; follow the links for more information.