Skip to content

NAME

security-file-token-provider -- Generate Vault tokens for EdgeX services

SYNOPSIS

security-file-token-provider [-h--configDir \<configDir>] [-p|--profile \<name>]

EdgeX 3.0

The --confdir command line option is replaced by --configDir in EdgeX 3.0.

DESCRIPTION

security-file-token-provider generates per-service Vault tokens for EdgeX services so that they can make authenticated connections to Vault to retrieve application secrets. security-file-token-provider implements a generic secret seeding mechanism based on pre-created files and is designed for maximum portability. security-file-token-provider takes a configuration file that specifies the services for which tokens shall be generated and the Vault access policy that shall be applied to those tokens. security-file-token-provider assumes that there is some underlying protection mechanism that will be used to prevent EdgeX services from reading each other's tokens.

OPTIONS

-h, --help

: Display help text

-cd, --configDir \<configDir>

: Look in this directory for configuration.yaml instead.

-p, --profile \<name>

: Indicate configuration profile other than default

EdgeX 3.0

The -c, --confdir command line option is replaced by -cd, --configDir in EdgeX 3.0.

FILES

configuration.yaml

This file specifies the TCP/IP location of the Vault service and parameters used for Vault token generation.

SecretService:
  Scheme: "https"
  Server: "localhost"
  Port: 8200

TokenFileProvider:
  PrivilegedTokenPath: "/run/edgex/secrets/security-file-token-provider/secrets-token.json"
  ConfigFile: "token-config.json"
  OutputDir: "/run/edgex/secrets/"
  OutputFilename: "secrets-token.json"

secrets-token.json

This file contains a token used to authenticate to Vault. The filename is customizable via OutputFilename.

{
  "auth": {
    "client_token": "s.wOrq9dO9kzOcuvB06CMviJhZ"
  }
}

token-config.json

This configuration file tells security-file-token-provider which tokens to generate.

In order to avoid a directory full of .hcl files, this configuration file uses the JSON serialization of HCL, documented at https://github.com/hashicorp/hcl/blob/master/README.md.

Note that all paths are keys under the "path" object.

{
  "service-name": {
    "edgex_use_defaults": true,
    "custom_policy": {
      "path": {
        "secret/non/standard/location/*": {
          "capabilities": [ "list", "read" ]
        }
      }
    },
    "custom_token_parameters": { }
  }
}

When edgex-use-default is true (the default), the following is added to the policy specification for the auto-generated policy. The auto-generated policy is named edgex-secrets-XYZ where XYZ is service-name from the JSON key above. Thus, the final policy created for the token will be the union of the policy below (if using the default policy) plus the custom_policy defined above.

{
  "path": {
    "secret/edgex/service-name/*": {
      "capabilities": [ "create", "update", "delete", "list", "read" ]
    }
  }
}

When edgex-use-default is true (the default), the following is inserted (if not overridden) to the token parameters for the generated token. (See https://developer.hashicorp.com/vault/api-docs/auth/token#create-token.)

"display_name": token-service-name
"no_parent":    true
"policies":     [ "edgex-service-service-name" ]

Note that display_name is set by vault to be "token-" + the specified display name. This is hard-coded in Vault from versions 0.6 to 1.2.3 and cannot be changed.

Additionally, a meta property, edgex-service-name is set to service-name. The edgex-service-name property may be used by clients to infer the location in the secret store where service-specific secrets are held.

"meta": {
  "edgex-service-name": service-name
}

{OutputDir}/{service-name}/{OutputFilename}

For example: /run/edgex/secrets/edgex-security-proxy-setup/secrets-token.json

For each "service-name" in {ConfigFile}, a matching directory is created under {OutputDir} and the corresponding Vault token is stored as {OutputFilename}. This file contains the authorization token generated to allow the indicated EdgeX service to retrieve its secrets.

PREREQUISITES

PrivilegedTokenPath points to a non-expired Vault token that the security-file-token-provider will use to install policies and create per-service tokens. It will create policies with the naming convention "edgex-service-service-name" where service-name comes from JSON keys in the configuration file and the Vault policy will be configured to allow creation and modification of policies using this naming convention. This token must have the following policy (edgex-privileged-token-creator) configured.

path "auth/token/create" {
  capabilities = ["create", "update", "sudo"]
}

path "auth/token/create-orphan" {
  capabilities = ["create", "update", "sudo"]
}

path "auth/token/create/*" {
  capabilities = ["create", "update", "sudo"]
}

path "sys/policies/acl/edgex-service-*"
{
  capabilities = ["create", "read", "update", "delete" ]
}

path "sys/policies/acl"
{
  capabilities = ["list"]
}

AUTHOR

EdgeX Foundry \<info@edgexfoundry.org>