Vault NATS Secrets Engine
This engine generates and manages NATS NKeys for Operators, Accounts, and Users.
The NKeys can then be used to generate JWTs for Users and Accounts. The secrets
engine can be used to implement NATS decentralized
authentication/authorization
utilzing Vault instead of nsc
.
Enable Engine
vault secrets enable [-path {cluster name}] vault-plugin-nats
Configuration Lifecycle
Create Configuration
This endpoint configures the plugin with various NATS server configuration. It
returns the Operator and System Account JWTs.
Method |
Path |
POST |
:mount-path /config |
Parameters
Name |
Type |
Description |
:mount-path |
String |
The mount path of the plugin. This is specified as part of the URL. |
account_jwt_server_url |
URL |
Account JWT server URL, only http/https/nats urls supported. (default: nats://127.0.0.1:4222) |
service_url |
URL |
NATS server URL, only nats/tls urls supported. (default: nats://127.0.0.1:4222) |
tags |
Strings |
Comma separated list of user tags. (optional) |
Sample Payload
{
"account_jwt_url": "nats://127.0.0.1:4222",
"service_url": "nats://127.0.0.1:4222",
"tags": "staging"
}
Sample Request
curl --header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/nats/config | jq .
Sample Response
{
"request_id": "03391799-3541-b74a-571a-e77f049ab0d3",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"operator_jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJTNjVBTERVQUtHTjdTRUlJRUJFWFhOSVpJS1dHR0kzN0c3NEpJTlVHVlpJUUNLVVdESjZRIiwiaWF0IjoxNjY2MjkzMjY2LCJpc3MiOiJPQUtJVzNFS0oySUFFRUZGTURLV0dSSUlKMlY0Rk9YWk1NM0lCSkQ0RkNWUEJHREtVNUdOS0lXNyIsIm5hbWUiOiJERU1PIiwic3ViIjoiT0FLSVczRUtKMklBRUVGRk1ES1dHUklJSjJWNEZPWFpNTTNJQkpENEZDVlBCR0RLVTVHTktJVzciLCJuYXRzIjp7ImFjY291bnRfc2VydmVyX3VybCI6Im5hdHM6Ly9sb2NhbGhvc3Q6NDIyMiIsIm9wZXJhdG9yX3NlcnZpY2VfdXJscyI6WyJuYXRzOi8vbG9jYWxob3N0OjQyMjIiLCJuYXRzOi8vYXNmOjQyMjIiXSwic3lzdGVtX2FjY291bnQiOiJBQU41M0NLUkJOUUVKN0NYMjRCM1NPU0JDS1ZCT1VDWkRYRkNaWkhEMkdDUTJOWjZEV1FHRVNKNiIsInR5cGUiOiJvcGVyYXRvciIsInZlcnNpb24iOjJ9fQ.0bvh_F_gmOdTJFY8Fc_BarGm-WpNwLTiq1GjA_T1Kgo2ZAlrCKGq1bGfrqUNGMalxQpRcs6a-ofcoEUkF0nvCg",
"system_account_jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJDUTRQUE9SV0NOU0dKUjROUjVVSkwzQ0tDM1NMTUxTM1RWTE1BQ1EyN0Q2NkxWQzVYQldBIiwiaWF0IjoxNjY2MjgzOTE3LCJpc3MiOiJPQUtJVzNFS0oySUFFRUZGTURLV0dSSUlKMlY0Rk9YWk1NM0lCSkQ0RkNWUEJHREtVNUdOS0lXNyIsIm5hbWUiOiJTWVMiLCJzdWIiOiJBQU41M0NLUkJOUUVKN0NYMjRCM1NPU0JDS1ZCT1VDWkRYRkNaWkhEMkdDUTJOWjZEV1FHRVNKNiIsIm5hdHMiOnsiZXhwb3J0cyI6W3sibmFtZSI6ImFjY291bnQtbW9uaXRvcmluZy1zdHJlYW1zIiwic3ViamVjdCI6IiRTWVMuQUNDT1VOVC4qLlx1MDAzZSIsInR5cGUiOiJzdHJlYW0iLCJhY2NvdW50X3Rva2VuX3Bvc2l0aW9uIjozLCJkZXNjcmlwdGlvbiI6IkFjY291bnQgc3BlY2lmaWMgbW9uaXRvcmluZyBzdHJlYW0iLCJpbmZvX3VybCI6Imh0dHBzOi8vZG9jcy5uYXRzLmlvL25hdHMtc2VydmVyL2NvbmZpZ3VyYXRpb24vc3lzX2FjY291bnRzIn0seyJuYW1lIjoiYWNjb3VudC1tb25pdG9yaW5nLXNlcnZpY2VzIiwic3ViamVjdCI6IiRTWVMuUkVRLkFDQ09VTlQuKi4qIiwidHlwZSI6InNlcnZpY2UiLCJyZXNwb25zZV90eXBlIjoiU3RyZWFtIiwiYWNjb3VudF90b2tlbl9wb3NpdGlvbiI6NCwiZGVzY3JpcHRpb24iOiJSZXF1ZXN0IGFjY291bnQgc3BlY2lmaWMgbW9uaXRvcmluZyBzZXJ2aWNlcyBmb3I6IFNVQlNaLCBDT05OWiwgTEVBRlosIEpTWiBhbmQgSU5GTyIsImluZm9fdXJsIjoiaHR0cHM6Ly9kb2NzLm5hdHMuaW8vbmF0cy1zZXJ2ZXIvY29uZmlndXJhdGlvbi9zeXNfYWNjb3VudHMifV0sImxpbWl0cyI6eyJzdWJzIjotMSwiZGF0YSI6LTEsInBheWxvYWQiOi0xLCJpbXBvcnRzIjotMSwiZXhwb3J0cyI6LTEsIndpbGRjYXJkcyI6dHJ1ZSwiY29ubiI6LTEsImxlYWYiOi0xfSwic2lnbmluZ19rZXlzIjpbIkFDTlZLVFNEWExPSktSNUVYN1JJU1I1QjJMVEg2S1VCRzJFTE1JNUkyS1pXR1BNUE43REc3U05aIl0sImRlZmF1bHRfcGVybWlzc2lvbnMiOnsicHViIjp7fSwic3ViIjp7fX0sInR5cGUiOiJhY2NvdW50IiwidmVyc2lvbiI6Mn19.1uvNMxMpSYbKjE4fhLcJ6JK8eXi17M2Zzegm1mZdTyQPTG08PbRSjr5ppB4UgVx9WDRtJREIPtNStgDwZGteBQ"
},
"wrap_info": null,
"warnings": null,
"auth": null
}
Generate JWTs
This endpoint generates User and Account JWTs using the provided configuration.
If a User JWT is being generated the name of a previously created Account must
be provided. Additionaly for User JWTs a signed nonce required to authenticate
with the NATS server is returned.
Methods |
Path |
POST |
:mount-path /jwt/:name |
Parameters
Name |
Type |
Description |
mount-path |
String |
The mount path of the plugin. This is specified as part of the URL. |
name |
String |
The name of the account or user for which to create a JWT. |
type |
Enum [account , user ] |
Type of JWT to generate. (required) |
account |
String |
Name of a previously generated Account that should be used to sign the User JWT. (required if type=user) |
config |
JSON |
Configuration for either Account or User JWT. (required) |
JWT Sample Response
{
"jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJPSVhTUUw2Rk1YNlJVTVVaWUc1RVA3RktTTjVKQjRZNVk3VFdJRkNHRk9ORERBV0VITEpBIiwiaWF0IjoxNjY2MjgzOTE3LCJpc3MiOiJBQ05WS1RTRFhMT0pLUjVFWDdSSVNSNUIyTFRINktVQkcyRUxNSTVJMktaV0dQTVBON0RHN1NOWiIsIm5hbWUiOiJzeXMiLCJzdWIiOiJVQ1RSM0hIWU42WUJGTTNJN1hIWkVRNkFKWlFGN1pHQVVFQ09VTVBGRjZaM0JURDQ0RVo0U0NXSSIsIm5hdHMiOnsicHViIjp7fSwic3ViIjp7fSwic3VicyI6LTEsImRhdGEiOi0xLCJwYXlsb2FkIjotMSwiaXNzdWVyX2FjY291bnQiOiJBQU41M0NLUkJOUUVKN0NYMjRCM1NPU0JDS1ZCT1VDWkRYRkNaWkhEMkdDUTJOWjZEV1FHRVNKNiIsInR5cGUiOiJ1c2VyIiwidmVyc2lvbiI6Mn19.B3iUDYznSKSvcz-Xozm9oaZb_aaFgiYBCLiH5aEGv156PwDmilrK6CRzXg5fWiRt3Hewn-4EBsUqiXntOmqmBw"
}
Sign Nonce
This endpoint signs the nonce (challenge string) returned by NATS during
authentication. Signing can only be used with User JWTs.
Methods |
Path |
POST |
:mount-path /jwt/:name /sign |
Parameters
Name |
Type |
Description |
mount-path |
String |
The mount path of the plugin. This is specified as part of the URL. |
name |
String |
The name of the user that is used to sign the nonce. |
nonce |
String |
The nonce (challenge string) returned by NATS during authentication. |
JWT Sample Response
{
"signed_nonce": "RA2ZdifT+iwAZVtr6Lg8Nqkn2WPHHOaf70Qo+I2o214QDYK/JFHhWZe5h7uEc+vE+U6d/TL69/l5TnFhRmhYCg=="
}
Local Development
make start
make enable
./hack/test.sh