
Add support for using 'vault' as multi tenant TOTP 'token' for API mfa access #1197

Closed
elconas opened this issue Mar 10, 2016 · 3 comments · Fixed by #2492

Comments

@elconas

elconas commented Mar 10, 2016

I, as an automation user, a developer group or an AWS multi-account administrator,

would also like to use 'vault' as a multi-tenant "MFA" device for machine-to-machine communication, protected by MFA (e.g. AWS assume_role).

I would like to store MFA token secrets (mainly TOTP) on VAULT and I would like to use the VAULT API to retrieve a TOTP OTP. This means VAULT would act like a "multi tenant Google Authenticator".

This should support all authentication backends that vault supports.

This can be used in cloud automation scenarios that enforce MFA access to APIs. It could also be handy to handle "AWS root account mfa protection" for enterprise customers better (there are just roles, no personal accounts).

I could use all authentication methods (e.g. Puppet CA) to authenticate against the vault MFA service and have proper backup and security for my 'mfa'. Storing credentials in vault really makes vault the "second factor".

The high level process flow would look like this (AWS):

User -> vault:auth_vault(password/cert/...) -> vault:get_mfa_otp('mfa_name') -> aws:get_session_token(IAMAccount) -> aws:assume_role(targetAccount)

Access to the 'vault virtual mfa' device should be configurable, to allow a group of users or a group of groups access.

This would ease the usage of AWS MFA enforcement for all m2m communications (e.g. jenkins) and it would allow shared root account 'mfa' protection.

Supporting 'Active Directory' group to allow access to the shared MFA token would be the 'sugar on top', making it a proper enterprise solution for mfa.

@elconas

elconas commented Mar 10, 2016

Please note, this was created in response to #132

p.s. totp refers to "TOTP: Time-Based One-Time Password Algorithm"

@jefferai jefferai added this to the future milestone Mar 10, 2016
@pearkes pearkes closed this as completed Apr 19, 2016
@jefferai jefferai reopened this Apr 19, 2016
@eadz

eadz commented Jun 15, 2016

I am interested in this also. (Edit: without the AWS integration - just have vault act as a google authenticator)

It would need to store a secret (totp key) at a path and then compute the TOTP value when requested.

I imagine it would work almost exactly like the generic backend, except when you read, an extra computation (compute token) is performed on the secret, so in theory this feature is quite simple to add.

Where do I look for the source of the 'generic' backend? It's not in the builtin directory. It would almost be exactly the same, so any pointers in creating a second generic backend would be great.
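A worked sketch of the "store the secret, compute the code on read" design described in this comment, added here as an example; it is not code from the Vault project or from anyone in this thread. It assumes a constructed in-memory map standing in for the generic backend, a made-up path name `mfa/aws-root`, and the RFC 6238 SHA-1 test secret as sample input:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"time"
)

// TOTPStore is a constructed stand-in for a generic-style backend: one secret per path.
type TOTPStore map[string][]byte

// Write stores a base32 TOTP secret (the form authenticator apps import) at path.
func (s TOTPStore) Write(path, secret string) error {
	key, err := base32.StdEncoding.DecodeString(secret)
	if err != nil {
		return fmt.Errorf("invalid base32 secret for %s: %w", path, err)
	}
	s[path] = key
	return nil
}

// Read is the "extra computation on read": callers get the 6-digit code for the
// current 30-second step, never the stored secret itself.
func (s TOTPStore) Read(path string, now time.Time) (string, error) {
	key, ok := s[path]
	if !ok {
		return "", fmt.Errorf("no TOTP secret at %s", path)
	}
	return totp(key, uint64(now.Unix())/30), nil
}

// totp is RFC 6238 over HMAC-SHA1: HOTP (RFC 4226) with a time-step counter.
func totp(key []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226 section 5.3)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

func main() {
	s := TOTPStore{}
	// Constructed input: RFC 6238's SHA-1 test secret "12345678901234567890", base32-encoded.
	_ = s.Write("mfa/aws-root", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	code, _ := s.Read("mfa/aws-root", time.Unix(59, 0))
	fmt.Println(code) // 287082
}
```

The secret is written once and only ever read back as a code, which is what makes the store (rather than a phone) the second factor; access to each path is where a real backend would hang its policy check.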

@eadz

eadz commented Jun 16, 2016

It looks like the PassthroughBackend may be of help if we can override the read method.
