This repository contains code for a HashiCorp Vault Auth Plugin that authenticates with Ory Kratos and Ory Keto APIs.
The setup guide assumes some familiarity with Vault and Vault's plugin ecosystem. You must have a Vault server already running, unsealed, and authenticated.
-
Download and decompress the latest plugin binary from the Releases tab. Alternatively you can compile the plugin from source.
-
Move the compiled plugin into Vault's configured
plugin_directory
:
$ mv vault-auth-plugin-ory /etc/vault/plugins/vault-auth-plugin-ory
- Calculate the SHA256 of the plugin and register it in Vault's plugin catalog. If you are downloading the pre-compiled binary, it is highly recommended that you use the published checksums to verify integrity.
$ export SHA256=$(shasum -a 256 "/etc/vault/plugins/vault-auth-plugin-ory" | cut -d' ' -f1)
$ vault plugin register \
-sha256="${SHA256}" \
-command="vault-auth-plugin-ory" \
auth vault-plugin-auth-ory
- Mount the auth method:
$ vault auth enable \
-path="ory" \
-plugin-name="vault-plugin-auth-ory" plugin
- Build the plugin for your platform (
os/arch
) e.g.:
$ make darwin/arm64
or build for all platforms:
$ make build
- Start a Vault server in dev mode pointing to the plugin directory:
$ make start
- Login to Vault as root:
$ vault login root
- Enable the plugin in Vault:
$ make enable
- Write the configs:
$ make configs
- Authenticate with the plugin:
$ vault write auth/ory/# \
namespace=files \
object=c5cc3e28-e3c3-45ca-be86-a0a55953bfca \
relation=editor \
kratos_session_cookie=ory_kratos_session=MTY2NzgyMjg2M3xBYVJxa2hmNFlOOFAyZnc3U3VidnZKd1A0VmdyWFgyU3ozbUNvRG4zeC1oNU1DS3Z6dkc1ODllTHdua0s5aFdpcW1ZZ0pveVNBVVM3ZXBIRWdQdlJGWXN0aS1iVU5tenVFbUw1WE1QNDRVcms5eWZZRk52R3dOdTJKLVcxYVlFWFU4ajNFUmc0bnc9PXyq29KzMQjNDdZLeJAuNLUBeU1g1-iD7l31nahltn4mZg==
- Add a policy that matches the naming convention
namespace_relation
(e.g.files_editor
) using the example policy found below, replacing the accessor string with the contents returned by:
$ make accessor
- Login with the token provided after running the
write
command:
$ vault login [token]
- Attempt to read secrets:
$ vault read secret/files/c5cc3e28-e3c3-45ca-be86-a0a55953bfca/some_secret
To authenticate, the user supplies a valid Ory Kratos session cookie, along with the namespace, object, and relation to check against Keto.
$ vault write auth/ory/# namespace=[namespace] object=[object] relation=[relation] kratos_session_cookie=[full kratos_session_cookie=[...] string]
The response will be a standard auth response with some token metadata:
Key Value
--------------------------------
token [token]
token_accessor [accessor]
token_duration [TTL]
token_renewable false
token_policies ["default" "[namespace]_[relation]"]
identity_policies []
policies ["default" "[namespace]_[relation]"]
When a token is successfully created, the plugin attach a policy that follows the naming schema of [namespace]_[relation]
.
You must then create a policy with that name in Vault that utilises the metadata stored in the alias. The following policy template will allow access to a KV secret at the path secret/data/[namespace]/[object]*
:
path "secret/data/{{identity.entity.aliases.auth_vault-plugin-auth-ory_e40b77a0.metadata.object}}*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/metadata/{{identity.entity.aliases.auth_vault-plugin-auth-ory_e40b77a0.metadata.object}}/*" {
capabilities = ["delete", "list"]
}
Being sure to replace auth_vault-plugin-auth-ory_e40b77a0
with the accessor of the auth plugin found by running vault auth list
.
Alternatively, you can find the accessor by running the following command:
$ export MOUNT_ACCESSOR=$(vault auth list -format=json | jq -r '."ory/".accessor')
As we already know the namespace at this point, you can also simply use the path:
secret/data/[known namespace]/{{identity.entity.metadata.object}}*
This code is licensed under the MPLv2 license.