Integrating Vault with MAAS

MAAS with Vault: a step-by-step guide

Errors or typos? Topics missing? Hard to read? Let us know!

Note: Vault is compatible with MAAS version 3.3 and above. Please upgrade if you’re using an older version.

To ensure seamless integration between MAAS and Vault, you’ll first need to obtain a role_id and wrapped_token through Vault’s CLI. For detailed guidance, check Hashicorp Vault’s tutorial^.

Here’s an illustrative example on how to set up this integration using the vault CLI:

  1. Enable the approle engine
$ vault auth list

If approle/ isn’t mounted, enable it:

$ vault auth enable approle
  1. Confirm or mount the KV v2 engine
$ vault secrets enable -path $SECRETS_MOUNT kv-v2
  1. Create a suitable policy
path "$SECRETS_MOUNT/metadata/$SECRETS_PATH/" {
	capabilities = ["list"]
}

path "$SECRETS_MOUNT/metadata/$SECRETS_PATH/*" {
	capabilities = ["read", "update", "delete", "list"]
}

path "$SECRETS_MOUNT/data/${SECRETS_PATH}/*" {
	capabilities = ["read", "create", "update", "delete"]
}
  1. Apply the policy in Vault
$ vault policy write $MAAS_POLICY $POLICY_FILE
  1. Associate each MAAS region controller with the policy
$ vault write auth/approle/role/$ROLE_NAME \
policies=$MAAS_POLICY token_ttl=5m

Fetch the role ID:

$ vault read auth/approle/role/$ROLE_NAME/role-id
  1. Generate a secret ID for each role
$ vault write -wrap-ttl=5m auth/approle/role/$ROLE_NAME/secret-id

Post-setup, you can integrate MAAS with Vault using:

sudo maas config-vault configure $URL $APPROLE_ID $WRAPPED_TOKEN $SECRETS_PATH --mount $SECRET_MOUNT

Complete the integration by migrating the secrets:

$ sudo maas config-vault migrate

This guide provides you with a structured approach to get your MAAS-Vault integration up and running. Happy integrating!


Last updated a month ago.