Hashicorp Vault

How to apply your company password policy convention on Hashicorp Vault

Jeremy Chauvet

Mar 4, 2024 — 2 min read

In a recent post, we've seen how your user naming convention can be applied to some of the dynamic secrets Vault can handle.

In this article, we will see how companies can also set their password policy convention.

Password policies not related to policies, which are used to grant access to paths and operations.

Policy creation

The password policy is a simple JSON or HCL file which defines rules to match for the password to be generated. Here's a password policy sample:

length = 30
rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 1
}
rule "charset" {
  charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  min-chars = 5
}
rule "charset" {
  charset = "0123456789"
  min-chars = 2
}
rule "charset" {
  charset = "!@#$%^&*"
  min-chars = 10
}

Policy rollout

One should strongly consider managing their Vault cluster using infrastructure as code. Accordingly, the following steps will use Terraform and the Terraform Vault provider:

resource "vault_password_policy" "confidential" {
  name = "confidential"

  policy = <<EOT
    length = 30
    rule "charset" {
      charset = "abcdefghijklmnopqrstuvwxyz"
      min-chars = 1
    }
    rule "charset" {
      charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
      min-chars = 5
    }
    rule "charset" {
      charset = "0123456789"
      min-chars = 2
    }
    rule "charset" {
      charset = "!@#$%^&*"
      min-chars = 10
    }
  EOT
}

resource "vault_password_policy" "secret" {
  name = "secret"

  policy = <<EOT
    length = 100
    rule "charset" {
      charset = "abcdefghijklmnopqrstuvwxyz"
      min-chars = 1
    }
    rule "charset" {
      charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
      min-chars = 10
    }
    rule "charset" {
      charset = "0123456789"
      min-chars = 10
    }
    rule "charset" {
      charset = "!@#$%^&*"
      min-chars = 20
    }
  EOT
}

resource "null_resource" "apply_password_policy" {
  triggers = {
    policy_name = vault_password_policy.secret.name
  }

  provisioner "local-exec" {
    command = <<-EOF
      curl --silent --insecure --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"password_policy":"${vault_password_policy.secret.name}"}' "$VAULT_ADDR/v1/${vault_mount.mysql.path}/config/${vault_database_secret_backend_connection.cluster.name}"
    EOF
  }
}

Links

Lenstra helps companies leverage Computer Science to enhance their Economic Performance

Cut ECR costs like a pro: smart strategies for managing your container registry on AWS

Amazon Elastic Container Registry (ECR) is service aiming to provide a safe, reliable and scalable serverless infrastructure to host your Docker images. Over the past few years, I have advised leading companies on their transition to AWS and the maintenance of their existing workloads. The vast majority of these companies

Jeff

I'm thrilled to announce the launch of Jeff, a MacOS application designed to keep you in the loop with the latest updates from AWS services. Whether you’re a developer, IT manager, or tech enthusiast, Jeff is your perfect companion to stay ahead in the fast-paced world of

Run your own "ChatGPT" like locally

Ollama is a tool that enables users to run advanced language models, such as Mistral or llama, - both ChatGPT competitors - on their local machines. Unlike traditional AI solutions that rely heavily on cloud-based infrastructure, Ollama empowers users to harness AI capabilities locally. This does not only reduces dependency

Gitlab manifesto

Inspired by « The Frugal Architect » from Amazon CTO Werner Vogels, this manifesto explain simple laws to create sustainable, scalable and human-friendly delivery processes on Gitlab. Law 1 - Use labels to categorise Merge Requests During the lifetime of a project, maintainers may handle dozens of merge requests, depending on the