Skip to content
/ vault-plugin-secrets-kafka Public

A vault plugin for generating ACLs for dynamic users

28 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Mongey/vault-plugin-secrets-kafka

BranchesTags

Repository files navigation

[WIP] vault-plugin-kafka-secret

CircleCI

A Vault plugin for generating credentials for Apache Kafka clients.

Generates a dynamic username and ACL that can be used to create a uniq SSL certificate for a Kafka client.

Use this in combination with the vault pki backend.

Pre-Install

🔌 Installation

  • Download the plugin to Vault's plugin directory.
  • Register the plugin with Vault 
    • vault write sys/plugins/catalog/vault-plugin-secrets-kafka \
  sha_256="$SHASUM" \
  command="vault-plugin-secrets-kafka"
  • Enable the plugin mount 
    • vault secrets enable -path=kafka -plugin-name=vault-plugin-secrets-kafka plugin

🛠 Configure

  • Configure the plugin

    • vault write kafka/config/access address="localhost:9092" ca_certificate="$CA" client_certificate="$CERT" client_key="$PRIVATE_KEY"
    • The client must be capable of writing creating and deleting ACLs.

  • Write a policy

    • {
  "acl": {
    "host": "*",
    "operation": "Read",
    "permission_type": "Allow"
  },
  "resource": {
    "type": "Topic",
    "name": "*",
    "pattern_type_filter": "any"
  }
}

  • Write the role

    • vault write kafka/roles/read-all-topics policy=$(cat bin/policy.json)

  • Read the credentials, pick the username

    • vault read kafka/creds/read-all-topics

  • Generate a SSL certificate for this client

    •   NAME=$(vault read -field=user kafka/creds/read-all-topics)
  DATA=$(vault write -format=json pki/issue/kafka-clients common_name="$NAME" ttl=$TTL | jq -r .data)
  printf "%s" "$DATA" | jq -r .private_key > private.key
  printf "%s" "$DATA" | jq -r .certificate > client.cert
  printf "%s" "$DATA" | jq -r .issuing_ca  > ca.cert

About

A vault plugin for generating ACLs for dynamic users

Topics

kafka vault apache-kafka vault-plugin

Resources

Readme
Activity

Stars

28 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages