Hashicorp Vault

How to apply your company password policy convention on Hashicorp Vault

Jeremy Chauvet

Mar 4, 2024 — 2 min read

In a recent post, we've seen how your user naming convention can be applied to some of the dynamic secrets Vault can handle.

In this article, we will see how companies can also set their password policy convention.

Password policies not related to policies, which are used to grant access to paths and operations.

Policy creation

The password policy is a simple JSON or HCL file which defines rules to match for the password to be generated. Here's a password policy sample:

length = 30
rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 1
}
rule "charset" {
  charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  min-chars = 5
}
rule "charset" {
  charset = "0123456789"
  min-chars = 2
}
rule "charset" {
  charset = "!@#$%^&*"
  min-chars = 10
}

Policy rollout

One should strongly consider managing their Vault cluster using infrastructure as code. Accordingly, the following steps will use Terraform and the Terraform Vault provider:

resource "vault_password_policy" "confidential" {
  name = "confidential"

  policy = <<EOT
    length = 30
    rule "charset" {
      charset = "abcdefghijklmnopqrstuvwxyz"
      min-chars = 1
    }
    rule "charset" {
      charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
      min-chars = 5
    }
    rule "charset" {
      charset = "0123456789"
      min-chars = 2
    }
    rule "charset" {
      charset = "!@#$%^&*"
      min-chars = 10
    }
  EOT
}

resource "vault_password_policy" "secret" {
  name = "secret"

  policy = <<EOT
    length = 100
    rule "charset" {
      charset = "abcdefghijklmnopqrstuvwxyz"
      min-chars = 1
    }
    rule "charset" {
      charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
      min-chars = 10
    }
    rule "charset" {
      charset = "0123456789"
      min-chars = 10
    }
    rule "charset" {
      charset = "!@#$%^&*"
      min-chars = 20
    }
  EOT
}

resource "null_resource" "apply_password_policy" {
  triggers = {
    policy_name = vault_password_policy.secret.name
  }

  provisioner "local-exec" {
    command = <<-EOF
      curl --silent --insecure --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"password_policy":"${vault_password_policy.secret.name}"}' "$VAULT_ADDR/v1/${vault_mount.mysql.path}/config/${vault_database_secret_backend_connection.cluster.name}"
    EOF
  }
}

Links

Lenstra helps companies leverage Computer Science to enhance their Economic Performance

Gitlab manifesto

Inspired by « The Frugal Architect » from Amazon CTO Werner Vogels, this manifesto explain simple laws to create sustainable, scalable and human-friendly delivery processes on Gitlab. Law 1 - Use labels to categorise Merge Requests During the lifetime of a project, maintainers may handle dozens of merge requests, depending on the

Dependency management automation with Renovate

Modern IT systems are built on top of dozens of software applications and programming languages. These systems often depend on third-party components, which help developers avoid reinventing the wheel. These components, mostly libraries or frameworks, have their own lifecycles, allowing for the addition of new features and the patching of

Functional tests on containers with Google container-structure-test

Over the years, I've built hundreds of Docker images for dozens of major companies in Europe & USA. Every time, the same question needs to be answered: "how can we test this image before using it?". Most of these companies answered this question by adding an

Setting up AWS Managed Grafana in minutes to display metrics from Amazon Managed Prometheus and CloudWatch

Grafana is the most popular monitoring open source tool. Trusted by hundreds of companies across the world, Grafana is available as a managed service on AWS since August 2021. In this article, we will configure in a minute a Grafana workspace and his applications. 🔐Amazon Managed Grafana requires IAM Identity