[SOLVED] Hashicorp Vault Secrets Plugin for Proxmox API

utkonos

Active Member
Apr 11, 2022
150
39
33
I think there would be value in there being a Proxmox secrets plugin for Hashicorp's Vault.

To understand what this feature would do, I am going to use the AWS secrets plugin as an example. The Proxmox feature would work the same way structurally. Vault is a secure storage system for credentials of various types for APIs. Rather than keeping API keys in files on a server drive, in environment variables, or (gasp) hard coded in software, one saves the API credential to a location in Vault. The application then authenticates to Vault using one of the many authentication methods and recieves the API credential to then use in requests to the API. This is all fully supported today with Vault and Proxmox as-is. You just create a token and save it to vault and configure an application to interact with vault to get the credential. However, this paradigm still potentially leaves a long-term token outside of the confines of Vault. Through memory forensics and/or reverse engineering on the server running the application, that API key can potentially be recovered, stolen, and used elsewhere surreptitiously.

The type of secrets plugin for AWS performs a few extra steps. The admin creates a special AWS credential that has the correct privileges for creating more AWS API credentials. This master credential only exists safely inside of Vault. The AWS secrets plugin, when accessed by an application outside Vault, performs the steps with the AWS API using the stored master credential to create a short lived token with just the permissions needed for the application. The application would be aware of the TTL on the token, and include appropriate functionality to renew or be reissued a fresh credential when needed. This means a compromised application server may not provide valid credentials at all. The following is a link that describes the AWS secrets plugin:
https://developer.hashicorp.com/vault/docs/secrets/aws

I can see in the API documentation what seems to be all the API capabilities needed to support this plugin already. Please correct me if I am wrong:
https://pve.proxmox.com/pve-docs/api-viewer/index.html#/access/users/{userid}/token/{tokenid}
Via a master token, saved to Vault, a Proxmox secrets plugin would use that token to generate a new token with specific permissions and an expiration time in seconds.

The missing piece is the Vault plugin, which would need to be written in Go according to their plugin architecture:
https://developer.hashicorp.com/vault/docs/plugins

There are a few ways to go about this. First, Hashicorp could be lobbied to write an official plugin. Proxmox could be lobbied to write and maintain the plugin. Or some one or more of us in the community could write it and release it to Github. The various plugins that are available today in these different categories are listed here:
https://developer.hashicorp.com/vault/docs/plugins/plugin-portal

What do you all think about this?
 
Last edited:
Hello,

I am looking to use terraform authentication (approle) with Vault (hashicorp) and the Proxmox API, but I admit not to understand everything, for the recovery of secrets.

My path differs from the examples found on the internet, I see many people talking about data in their way, but nothing is very clear.

If you have someone who has mastered the subject, I would appreciate it if they would bring their expertise.

king regards
 
Thanks for the feedback @tmollstam,

I have to admit that I'm pretty busy right now and have put it aside for now.

Thanks again for the feedback @tmollstam.

PS: If someone needs a stack that allows to quickly install the hashicorp vault on a VMware Workstation, don't hesitate to let me know, I'll make it available so he can push further.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!