Tuesday, April 15, 2025

How twtech Creates Users, Policies, Groups, Secrets and Login Credentials Through the UI and Stores Them in HashiCorp Vault.

To create users, policies, groups, and secrets in HashiCorp Vault using the UI, here's a step-by-step guide:

1. Log in to the Vault UI

  • Open your browser and navigate to your Vault UI (usually http://<vault-address>:8200).
  • Login using your root token or an auth method like username/password, GitHub, LDAP, etc.

2. Enable & Create Users (Userpass Auth Method)

a. Enable userpass Auth Method

  • Go to Access > Auth Methods.
  • Click Enable new method.
  • Choose Userpass from the list.
  • Set a path (or leave it as userpass/) and click Enable Method.

b. Create a User

  • After enabling, click into the Userpass method.
  • Click Create User.
  • Enter:
    • Username
    • Password
    • Policies (assign existing policies)
  • Click Create User.

3. Create Policies

  • Go to Access > Policies.
  • Click Create Policy.
  • Enter:
    • Name of the policy.
    • Policy Code using HCL or JSON (this defines access permissions).
  • Example HCL policy (the one twtech uses) to allow read/write to secret paths:

path "secret/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "sys/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/data/engineer-foncha" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/data/engineer-patpat" {
  capabilities = ["read"]
}

  • Two things to keep in mind with this policy: Vault applies the most specific matching path, so the exact engineer-patpat stanza (read only) takes precedence over the secret/data/* glob; and the sys/* stanza is much broader than "read/write to a secret path", since it lets the holder manage mounts, policies and audit devices, so scope it down for any non-admin policy.

  • Click Create Policy.
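To check what a policy like the one above actually grants before it is attached to a user or group, here is an added Python example (not code from this post and not HashiCorp's). It parses the stanza shape the post uses, path "…" { capabilities = [...] }, and resolves a request path with a simplified form of Vault's precedence rules: an exact path stanza wins over a trailing-* glob, and among globs the longest prefix wins. The policy text is the one shown above; the + segment wildcard, the deny capability and parameter constraints are not modelled. One thing it makes visible: a KV v2 mount answers LIST requests on secret/metadata/..., so list on secret/data/* alone does not let a user browse keys in the UI.

```python
"""Offline check of what a Vault ACL policy grants.

Added example, not code from the original post and not HashiCorp's. It handles
the stanza shape used in the post:  path "<p>" { capabilities = [...] }
and resolves a request path with a simplified form of Vault's precedence
rules (exact match first, then the longest trailing-* glob). The "+" segment
wildcard and the "deny" capability are not modelled.
"""
import re

# The policy from the post, embedded so the example runs stand-alone.
TWTECH_POLICY = '''
path "secret/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "sys/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/data/engineer-foncha" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/data/engineer-patpat" {
  capabilities = ["read"]
}
'''

# One stanza: path "<pattern>" { capabilities = [ "...", "..." ] }
STANZA = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{\s*capabilities\s*=\s*\[(?P<caps>[^\]]*)\]\s*\}'
)


def parse_policy(hcl):
    """Return {path_pattern: set(capabilities)} for every stanza in the text."""
    rules = {}
    for m in STANZA.finditer(hcl):
        caps = {c.strip().strip('"') for c in m.group("caps").split(",") if c.strip()}
        rules[m.group("path")] = caps
    return rules


def capabilities_for(rules, path):
    """Capabilities granted on `path`: exact stanza wins, else longest glob prefix."""
    if path in rules:
        return set(rules[path])
    best_pattern, best_caps = None, set()
    for pattern, caps in rules.items():
        if pattern.endswith("*") and path.startswith(pattern[:-1]):
            if best_pattern is None or len(pattern) > len(best_pattern):
                best_pattern, best_caps = pattern, caps
    return set(best_caps)


def allowed(rules, path, capability):
    """True if the policy grants `capability` on `path` (no stanza means denied)."""
    return capability in capabilities_for(rules, path)


def summarize(rules, requests):
    """Evaluate (path, capability) pairs; handy for a pre-assignment review."""
    return [(p, c, allowed(rules, p, c)) for p, c in requests]


if __name__ == "__main__":
    rules = parse_policy(TWTECH_POLICY)
    checks = [
        ("secret/data/engineer-patpat", "update"),         # exact read-only stanza wins
        ("secret/data/engineer-patpat", "read"),
        ("secret/data/anything-else", "delete"),           # falls through to the glob
        ("secret/metadata/", "list"),                      # KV v2 LIST path: not covered
        ("sys/policies/acl/twtech-new-policy", "update"),  # sys/* is admin-level
    ]
    for path, cap, ok in summarize(rules, checks):
        print(f"{'ALLOW' if ok else 'DENY ':5} {cap:6} {path}")
```

Run it as a script to see the ALLOW/DENY table, or import it and feed parse_policy() the text of any policy written in the same stanza shape; the result for engineer-patpat's path shows why the explicit read-only stanza matters even though the glob above it grants everything.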

4. Create Groups (for External Identity Providers like LDAP, OIDC)

  • Go to Access > Groups.
  • Click Create Group.
  • Provide:
    • Group Name
    • Type: Internal (custom local users) or External (cloud-based identity providers, GitHub, …)
    • Assign Policies
    • Add Group Members (for internal groups)
  • Click Create Group.

5. Enable Secrets Engine

  • Go to Secrets > Secrets Engines.
  • Click Enable new engine.
  • Select the secret engine type (e.g., KV - Key/Value v2).
  • Set a mount path (e.g., secret/ or twtech-secrets/) and click Enable Engine.

6. Store Credentials in KV Secrets Engine 

  • Go to Secrets > secret/ (or your custom mount path).
  • Click Create Secret.
  • Enter:
    • Secret path (e.g., twtech-secrets/credentials)
    • Key/Value pairs (e.g., username, password)
  • Click Save.

7. Access the Vault server (CLI) to create passwords for the users (engineer-foncha, engineer-patpat)

# Set up the environment variables to access the CLI, then reload the shell so the twtech-Vault server address takes effect.

echo "export VAULT_ADDR='https://127.0.0.1:8200'" >> ~/.bashrc

source ~/.bashrc

# Set up the environment variable for the Vault token:

export VAULT_TOKEN="twtech-root-token"

# Set the password for the account (the password= argument is recorded in shell history; the user's policy can be attached in the same call with policies=<name>).

vault write auth/userpass/users/engineer-foncha password="twtech123"

twtech-Test Access

  • Log in with the new user credentials (engineer-foncha) and verify that engineer-foncha can only access what is allowed by the assigned policies.

Addendum:

twtech also creates an audit log file (/var/log/vault_audit.json). This tracks the activity of all users accessing the Vault: what they did, what they tried to do but were denied, their IP addresses, and much more.
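The denied requests mentioned above are the most useful signal in that file, so here is an added Python example (not code from this post and not HashiCorp's) that reads the one-JSON-object-per-line format the file audit device writes and groups "permission denied" failures by principal and source IP. The post does not show how the device was enabled; the vault audit enable file command with file_path=/var/log/vault_audit.json creates it. The log lines in the block are constructed for the example: field names follow the documented entry layout (time, type, auth, request, error) and the values are made up, so it runs offline without a Vault server.

```python
"""Find denied requests in a Vault file audit device log.

Added example, not code from the original post and not HashiCorp's. The file
audit device writes one JSON object per line; each entry carries a top-level
"time", "type" ("request" or "response"), "auth", "request" and, for failed
calls, "error". The sample lines below are constructed for this example
(field names follow that layout, values are made up) so it runs offline.
"""
import json
from collections import defaultdict


def _entry(t, user, policies, op, path, ip, error=None):
    """Build one constructed audit entry in the file device's JSON shape."""
    e = {"time": t, "type": "response",
         "auth": {"display_name": f"userpass-{user}", "policies": policies},
         "request": {"id": f"{user}-{t}", "operation": op, "path": path,
                     "remote_address": ip}}
    if error:
        e["error"] = error
    return json.dumps(e)


DENIED = "1 error occurred:\n\t* permission denied\n\n"

# Constructed sample log: two userpass users, one successful read each, a
# handful of denials, and one truncated line of the kind a rotated file leaves.
SAMPLE_AUDIT_LOG = "\n".join([
    _entry("2025-04-15T10:00:01Z", "engineer-foncha", ["default", "twtech-new-policy"],
           "read", "secret/data/engineer-foncha", "10.0.0.5"),
    _entry("2025-04-15T10:00:07Z", "engineer-foncha", ["default", "twtech-new-policy"],
           "list", "secret/metadata/", "10.0.0.5", DENIED),
    _entry("2025-04-15T10:01:00Z", "engineer-patpat", ["default"],
           "read", "secret/data/engineer-patpat", "10.0.0.9"),
    _entry("2025-04-15T10:01:04Z", "engineer-patpat", ["default"],
           "update", "secret/data/engineer-patpat", "10.0.0.9", DENIED),
    _entry("2025-04-15T10:01:09Z", "engineer-patpat", ["default"],
           "list", "secret/metadata/", "10.0.0.9", DENIED),
    _entry("2025-04-15T10:01:15Z", "engineer-patpat", ["default"],
           "read", "sys/policies/acl/twtech-new-policy", "10.0.0.9", DENIED),
    '{"time": "2025-04-15T10:02:00Z", "type": "respon',   # truncated line
])


def parse_audit_log(text):
    """Parse one entry per line; skip blank or malformed lines instead of aborting."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def denied_requests(entries):
    """Entries whose top-level error reports a policy denial."""
    return [e for e in entries if "permission denied" in str(e.get("error", ""))]


def denials_by_principal(entries):
    """Map (display_name, remote_address) -> ordered list of (operation, path) denied."""
    grouped = defaultdict(list)
    for e in denied_requests(entries):
        who = e.get("auth", {}).get("display_name", "<no auth>")
        req = e.get("request", {})
        grouped[(who, req.get("remote_address", "<unknown>"))].append(
            (req.get("operation"), req.get("path")))
    return dict(grouped)


def noisy_principals(entries, threshold=3):
    """Principals with at least `threshold` denials: a cheap triage signal for a
    user repeatedly requesting paths their policy does not grant."""
    return sorted(k for k, v in denials_by_principal(entries).items() if len(v) >= threshold)


if __name__ == "__main__":
    entries = parse_audit_log(SAMPLE_AUDIT_LOG)
    for (who, ip), paths in denials_by_principal(entries).items():
        print(f"{who} from {ip}: {len(paths)} denied")
        for op, path in paths:
            print(f"    {op:6} {path}")
    print("review:", noisy_principals(entries))
```

Point parse_audit_log() at the real file's contents to get the same grouping; the threshold in noisy_principals() is deliberately low for the sample and should be tuned to the normal denial rate of the environment.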

Project:
  • Login using your root token or an auth method like username/password, GitHub, LDAP, etc.

Click on Create Secret (Secrets Engines).

Create the path to secrets for the twtech Webserver-Team.

Verify all secrets created (CLI & GUI).

Create twtech-policies to define the tasks that groups, and the users in those groups, can perform.

Add ACL policies (these can be uploaded as files or written in the editor).

How twtech assigns permissions to the twtech-webserver team.

Verify the created and existing default policies.

Create group authentication methods:

Create twtech-groups.

Choose the type: internal (custom, like twtech) or external (cloud-based identity providers such as AWS, Azure, GCP, GitHub).

Verify the twtech-groups created and the existing groups:

Enable the authentication methods (the userpass auth method is needed to create users).

We want to create usernames (entities).

twtech's selected auth method for this project: Enable an Authentication Method.

Verify the created and existing auth methods.

Create the twtech-user accounts (entities).

Create aliases (the name of a user or entity). Multiple accounts can be created here for single sign-on.

Aliases:

NB:

Here, the twtech-user (engineer-foncha) inherits the twtech-new-policy (assigned to twtech-admin-group).

Assign the group (twtech-admin-group) to the twtech-users.

Go to Members: Edit (assign a member to the group).

Assign engineer-foncha to twtech-admin-group.

Select the member entity IDs and assign them to the teams created:

How twtech adds passwords for twtech-users (engineer-foncha).

NB:

The UI does not support creating passwords for twtech-users. twtech-user passwords must be created using the CLI.

To create passwords for a user, twtech requires the CLI:

Set up the environment variables to access the CLI with the HashiCorp Vault public IP address, and refresh the server.

echo "export VAULT_ADDR='https://127.0.0.1:8200'" >> ~/.bashrc

source ~/.bashrc

Set up the environment variable for the Vault token:

export VAULT_TOKEN="twtech-root-token"

Set up the password for the account.

vault write auth/userpass/users/engineer-foncha password="twtech123"

Access the GUI with the created accounts and passwords, and verify that each user can only access what is allowed by their assigned policies.

Project successfully accomplished.

twtech-insights:

Based on the twtech-new-policy attached to twtech-admin-group, of which engineer-foncha is a member, he can also create, read, update, delete and list components within HashiCorp Vault.
