»OCI Auth Method

The OCI Auth method for Vault enables authentication and authorization using OCI Identity credentials.

This plugin is developed in a separate GitHub repository at https://github.com/hashicorp/vault-plugin-auth-oci, but is automatically bundled in Vault releases. Please file all feature requests, bugs, and pull requests specific to the OCI plugin under that repository.

»OCI Roles

The OCI Auth method authorizes using roles, as shown here: Role Based Authorization

There is a many-to-many relationship between various items seen above:

  • A user can belong to many identity groups.
  • An identity group can contain many users.
  • A compute instance can belong to many dynamic groups.
  • A dynamic group can contain many compute instances.
  • A role defined in Vault can be mapped to many groups and dynamic groups.
  • A single role can be mapped to both groups and dynamic groups.
  • A Vault policy can be mapped from different roles.

The ocid_list field of a role is a list of Group or Dynamic Group OCIDs. Only members of these Groups or Dynamic Groups are allowed to take this role.

»Configuration

»Configure the OCI Tenancy to Run Vault

The OCI Auth method requires instance principal credentials to call OCI Identity APIs, and therefore the Vault server needs to run inside an OCI compute instance.

Follow the steps below to add policies to your tenancy that allow the OCI compute instance in which the Vault server is running to call certain OCI Identity APIs.

  1. In your tenancy, launch the compute instance(s) that will run the Vault server. The VCN in which you launch the Compute Instance should have a Service Gateway added to it .
  2. Make a note of the Oracle Cloud Identifier (OCID) of the compute instance(s) running Vault.
  3. In your tenancy, create a dynamic group with the name VaultDynamicGroup to contain the computer instance(s).
  4. Add the OCID of the compute instance(s) to the dynamic group.
  5. Add the following policies to the root compartment of your tenancy that allow the dynamic group to call specific Identity APIs.
    allow dynamic-group VaultDynamicGroup to {AUTHENTICATION_INSPECT} in tenancy
    allow dynamic-group VaultDynamicGroup to {GROUP_MEMBERSHIP_INSPECT} in tenancy
    allow dynamic-group VaultDynamicGroup to {AUTHENTICATION_INSPECT} in tenancy    allow dynamic-group VaultDynamicGroup to {GROUP_MEMBERSHIP_INSPECT} in tenancy

»Configure the OCI Auth method

{ "home_tenancy_id": "your tenancy ocid here" }
{ "home_tenancy_id": "your tenancy ocid here" }
  • Configure the home_tenancy_id parameter in the Vault.
    curl --header "X-Vault-Token: $roottoken" --request PUT \
    --data @hometenancyid.json \
    http://127.0.0.1:8200/v1/auth/oci/config (127.0.0.1:8200/v1/auth/oci/config)
    curl --header "X-Vault-Token: $roottoken" --request PUT \    --data @hometenancyid.json \    http://127.0.0.1:8200/v1/auth/oci/config (127.0.0.1:8200/v1/auth/oci/config)
  • Create a Vault administrator role in the OCI Auth method. The vaultadminrole allows the administrator of Vault to log into Vault and grants them the permissions allowed in the policy.

Create a file named vaultadminrole.json with the below contents. Replace the ocid_list with the Group or Dynamic Group OCIDs in your tenancy that has users or instances that you want to take the Vault admin role.

  • For testing in dev mode, you can add the OCID of the dynamic group previously created.
  • In production, add only the OCID of groups and dynamic groups that can take the admin role in Vault.
{
  "token_policies": "vaultadminpolicy",
  "token_ttl": "1800",
  "ocid_list": "ocid1.group.oc1..aaaaaaaaiqnblimpvmegkqh3bxilrdvjobr7qd223g275idcqhexamplefq,ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmt52ekju5n7ffamn2pdvxaq6esb2vzzoduexamplea"
}
{  "token_policies": "vaultadminpolicy",  "token_ttl": "1800",  "ocid_list": "ocid1.group.oc1..aaaaaaaaiqnblimpvmegkqh3bxilrdvjobr7qd223g275idcqhexamplefq,ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmt52ekju5n7ffamn2pdvxaq6esb2vzzoduexamplea"}

Create the Vault admin role:

    curl --header "X-Vault-Token: $roottoken" --request PUT \
    --data @vaultadminrole.json \
    http://127.0.0.1:8200/v1/auth/oci/role/vaultadminrole (127.0.0.1:8200/v1/auth/oci/role/vaultadminrole)
    curl --header "X-Vault-Token: $roottoken" --request PUT \    --data @vaultadminrole.json \    http://127.0.0.1:8200/v1/auth/oci/role/vaultadminrole (127.0.0.1:8200/v1/auth/oci/role/vaultadminrole)
  1. Log into the Vault using instance principal.
    • This assumes that the VAULT_ADDR export has been specified, as shown earlier in this page.
    • The compute instance that you are logging in from should be a part of a dynamic group that was added to the Vault admin role. The compute instance should also have connectivity to the endpoint specified in VAULT_ADDR.
    • When testing in dev mode in the same compute instance that the Vault is running, this is http://127.0.0.1:8200. vault login -method=oci auth_type=instance role=vaultadminrole

You will see a response that includes a token with the previously added policy.

  1. Use the received token to read secrets, writer secrets, and add roles per the instructions in /docs/secrets/kv/kv-v1.

  2. Log into Vault using the user API key.

    • Add an API Key for a user in the console. This user should be part of a group that has previously been added to the Vault admin role.

    • Create the config file ~/.oci/config using the user's credentials as detailed in https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm. Ensure that the region in the config matches the region of the compute instance that is running Vault.

    • Log into Vault using the user API key.

      vault login -method=oci auth_type=apikey role=vaultadminrole

  3. Stop Vault and re-start it in the production environment. See the configuration docs for more information.

  4. Repeat all steps in this Configure the OCI Auth Method section while in the production environment.

»Manage Roles in the OCI Auth method

  1. Similar to creating the Vault administrator role, create other roles mapped to other policies. Create a file named devrole.json with the following contents. Replace ocid_list with Groups or Dynamic Groups in your tenancy.
{
  "token_policies": "devpolicy",
  "token_ttl": "1500",
  "ocid_list": "ocid1.group.oc1..aaaaaaaaiqnblimpvmgrouplrdvjobr7qd223g275idcqhexamplefq,ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmdg2u5n7ffamn2pdvxaq6esb2vzzoduexamplea"
}
{  "token_policies": "devpolicy",  "token_ttl": "1500",  "ocid_list": "ocid1.group.oc1..aaaaaaaaiqnblimpvmgrouplrdvjobr7qd223g275idcqhexamplefq,ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmdg2u5n7ffamn2pdvxaq6esb2vzzoduexamplea"}
  1. Add the role.
curl --header "X-Vault-Token: $token" --request PUT \
--data @devrole.json \
http://127.0.0.1:8200/v1/auth/oci/role/devrole (127.0.0.1:8200/v1/auth/oci/role/devrole)
curl --header "X-Vault-Token: $token" --request PUT \--data @devrole.json \http://127.0.0.1:8200/v1/auth/oci/role/devrole (127.0.0.1:8200/v1/auth/oci/role/devrole)
  1. Login to Vault assuming the devrole.
vault login -method=oci auth_type=instance role=vaultadminrole`
vault login -method=oci auth_type=instance role=vaultadminrole`

»Authentication

When authenticating, users can use Vault cli.

»Via the CLI

With Compute Instance credentials:

$ vault login -method=oci auth_type=instance role=devrole
$ vault login -method=oci auth_type=instance role=devrole

With User credentials: SDK Config

$ vault login -method=oci auth_type=apikey role=devrole
$ vault login -method=oci auth_type=apikey role=devrole

»Via the API

  1. First, sign the following request with your OCI credentials and obtain the signing string and the authorization header. Replace the endpoint, scheme (http or https) & role of the URL corresponding to your vault configuration. For more information on signing, see signing the request.

    http://127.0.0.1/v1/auth/oci/login/devrole

  2. On signing the above request, you would get headers similar to:

The signing string would look like (line breaks inserted into the (request-target) header for easier reading):

date: Fri, 22 Aug 2019 21:02:19 GMT
(request-target): get /v1/auth/oci/login/devrole
host: 127.0.0.1

The Authorization header would look like:

Signature version="1",headers="date (request-target) host",keyId="ocid1.t
enancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f15p2b2m2yt2j6rx32uzr4h25vqstifsfdsq/
ocid1.user.oc1..aaaaaaaat5nvwcna5j6aqzjcaty5eqbb6qt2jvpkanghtgdaqedqw3ryn
jq/73:61:a2:21:67:e0:df:be:7e:4b:93:1e:15:98:a5:b7",algorithm="rsa-sha256
",signature="GBas7grhyrhSKHP6AVIj/h5/Vp8bd/peM79H9Wv8kjoaCivujVXlpbKLjMPe
DUhxkFIWtTtLBj3sUzaFj34XE6YZAHc9r2DmE4pMwOAy/kiITcZxa1oHPOeRheC0jP2dqbTll
8fmTZVwKZOKHYPtrLJIJQHJjNvxFWeHQjMaR7M="
date: Fri, 22 Aug 2019 21:02:19 GMT(request-target): get /v1/auth/oci/login/devrolehost: 127.0.0.1
The Authorization header would look like:
Signature version="1",headers="date (request-target) host",keyId="ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f15p2b2m2yt2j6rx32uzr4h25vqstifsfdsq/ocid1.user.oc1..aaaaaaaat5nvwcna5j6aqzjcaty5eqbb6qt2jvpkanghtgdaqedqw3rynjq/73:61:a2:21:67:e0:df:be:7e:4b:93:1e:15:98:a5:b7",algorithm="rsa-sha256",signature="GBas7grhyrhSKHP6AVIj/h5/Vp8bd/peM79H9Wv8kjoaCivujVXlpbKLjMPeDUhxkFIWtTtLBj3sUzaFj34XE6YZAHc9r2DmE4pMwOAy/kiITcZxa1oHPOeRheC0jP2dqbTll8fmTZVwKZOKHYPtrLJIJQHJjNvxFWeHQjMaR7M="
  1. Add the signed headers to the "request_headers" field and make the actual request to vault. An example is given below:
POST http://127.0.0.1/v1/auth/oci/login/devrole
   "request_headers": {
       "date": ["Fri, 22 Aug 2019 21:02:19 GMT"],
       "(request-target)": ["get /v1/auth/oci/login/devrole"],
       "host": ["127.0.0.1"],
       "content-type": ["application/json"],
       "authorization": ["Signature algorithm=\"rsa-sha256\",headers=\"date (request-target) host\",keyId=\"ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f15p2b2m2yt2j6rx32uzr4h25vqstifsfdsq/ocid1.user.oc1..aaaaaaaat5nvwcna5j6aqzjcaty5eqbb6qt2jvpkanghtgdaqedqw3rynjq/73:61:a2:21:67:e0:df:be:7e:4b:93:1e:15:98:a5:b7\",signature=\"GBas7grhyrhSKHP6AVIj/h5/Vp8bd/peM79H9Wv8kjoaCivujVXlpbKLjMPeDUhxkFIWtTtLBj3sUzaFj34XE6YZAHc9r2DmE4pMwOAy/kiITcZxa1oHPOeRheC0jP2dqbTll8fmTZVwKZOKHYPtrLJIJQHJjNvxFWeHQjMaR7M=\",version=\"1\""]
   }
POST http://127.0.0.1/v1/auth/oci/login/devrole   "request_headers": {       "date": ["Fri, 22 Aug 2019 21:02:19 GMT"],       "(request-target)": ["get /v1/auth/oci/login/devrole"],       "host": ["127.0.0.1"],       "content-type": ["application/json"],       "authorization": ["Signature algorithm=\"rsa-sha256\",headers=\"date (request-target) host\",keyId=\"ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f15p2b2m2yt2j6rx32uzr4h25vqstifsfdsq/ocid1.user.oc1..aaaaaaaat5nvwcna5j6aqzjcaty5eqbb6qt2jvpkanghtgdaqedqw3rynjq/73:61:a2:21:67:e0:df:be:7e:4b:93:1e:15:98:a5:b7\",signature=\"GBas7grhyrhSKHP6AVIj/h5/Vp8bd/peM79H9Wv8kjoaCivujVXlpbKLjMPeDUhxkFIWtTtLBj3sUzaFj34XE6YZAHc9r2DmE4pMwOAy/kiITcZxa1oHPOeRheC0jP2dqbTll8fmTZVwKZOKHYPtrLJIJQHJjNvxFWeHQjMaR7M=\",version=\"1\""]   }

»API

The OCI Auth method has a full HTTP API. Please see the API docs for more details.