vault-plugin-nats

command module

v0.2.4 Latest Latest Go to latest Published: Mar 19, 2024 License: MPL-2.0 Imports: 5 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/xigxog/vault-plugin-nats

Links

Open Source Insights

README ¶

Vault NATS Secrets Engine

This engine generates and manages NATS NKeys for Operators, Accounts, and Users. The NKeys can then be used to generate JWTs for Users and Accounts. The secrets engine can be used to implement NATS decentralized authentication/authorization utilzing Vault instead of nsc.

Enable Engine

vault secrets enable [-path {cluster name}] vault-plugin-nats

Configuration Lifecycle

Create Configuration

Create Configuration

This endpoint configures the plugin with various NATS server configuration. It returns the Operator and System Account JWTs.

Method	Path
POST	`:mount-path`/config

Parameters

Name	Type	Description
`:mount-path`	String	The mount path of the plugin. This is specified as part of the URL.
account_jwt_server_url	URL	Account JWT server URL, only http/https/nats urls supported. (default: nats://127.0.0.1:4222)
service_url	URL	NATS server URL, only nats/tls urls supported. (default: nats://127.0.0.1:4222)
tags	Strings	Comma separated list of user tags. (optional)

Sample Payload

{
  "account_jwt_url": "nats://127.0.0.1:4222",
  "service_url": "nats://127.0.0.1:4222",
  "tags": "staging"
}

Sample Request

curl --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/nats/config | jq .

Sample Response

{
  "request_id": "03391799-3541-b74a-571a-e77f049ab0d3",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "operator_jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJTNjVBTERVQUtHTjdTRUlJRUJFWFhOSVpJS1dHR0kzN0c3NEpJTlVHVlpJUUNLVVdESjZRIiwiaWF0IjoxNjY2MjkzMjY2LCJpc3MiOiJPQUtJVzNFS0oySUFFRUZGTURLV0dSSUlKMlY0Rk9YWk1NM0lCSkQ0RkNWUEJHREtVNUdOS0lXNyIsIm5hbWUiOiJERU1PIiwic3ViIjoiT0FLSVczRUtKMklBRUVGRk1ES1dHUklJSjJWNEZPWFpNTTNJQkpENEZDVlBCR0RLVTVHTktJVzciLCJuYXRzIjp7ImFjY291bnRfc2VydmVyX3VybCI6Im5hdHM6Ly9sb2NhbGhvc3Q6NDIyMiIsIm9wZXJhdG9yX3NlcnZpY2VfdXJscyI6WyJuYXRzOi8vbG9jYWxob3N0OjQyMjIiLCJuYXRzOi8vYXNmOjQyMjIiXSwic3lzdGVtX2FjY291bnQiOiJBQU41M0NLUkJOUUVKN0NYMjRCM1NPU0JDS1ZCT1VDWkRYRkNaWkhEMkdDUTJOWjZEV1FHRVNKNiIsInR5cGUiOiJvcGVyYXRvciIsInZlcnNpb24iOjJ9fQ.0bvh_F_gmOdTJFY8Fc_BarGm-WpNwLTiq1GjA_T1Kgo2ZAlrCKGq1bGfrqUNGMalxQpRcs6a-ofcoEUkF0nvCg",
    "system_account_jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJDUTRQUE9SV0NOU0dKUjROUjVVSkwzQ0tDM1NMTUxTM1RWTE1BQ1EyN0Q2NkxWQzVYQldBIiwiaWF0IjoxNjY2MjgzOTE3LCJpc3MiOiJPQUtJVzNFS0oySUFFRUZGTURLV0dSSUlKMlY0Rk9YWk1NM0lCSkQ0RkNWUEJHREtVNUdOS0lXNyIsIm5hbWUiOiJTWVMiLCJzdWIiOiJBQU41M0NLUkJOUUVKN0NYMjRCM1NPU0JDS1ZCT1VDWkRYRkNaWkhEMkdDUTJOWjZEV1FHRVNKNiIsIm5hdHMiOnsiZXhwb3J0cyI6W3sibmFtZSI6ImFjY291bnQtbW9uaXRvcmluZy1zdHJlYW1zIiwic3ViamVjdCI6IiRTWVMuQUNDT1VOVC4qLlx1MDAzZSIsInR5cGUiOiJzdHJlYW0iLCJhY2NvdW50X3Rva2VuX3Bvc2l0aW9uIjozLCJkZXNjcmlwdGlvbiI6IkFjY291bnQgc3BlY2lmaWMgbW9uaXRvcmluZyBzdHJlYW0iLCJpbmZvX3VybCI6Imh0dHBzOi8vZG9jcy5uYXRzLmlvL25hdHMtc2VydmVyL2NvbmZpZ3VyYXRpb24vc3lzX2FjY291bnRzIn0seyJuYW1lIjoiYWNjb3VudC1tb25pdG9yaW5nLXNlcnZpY2VzIiwic3ViamVjdCI6IiRTWVMuUkVRLkFDQ09VTlQuKi4qIiwidHlwZSI6InNlcnZpY2UiLCJyZXNwb25zZV90eXBlIjoiU3RyZWFtIiwiYWNjb3VudF90b2tlbl9wb3NpdGlvbiI6NCwiZGVzY3JpcHRpb24iOiJSZXF1ZXN0IGFjY291bnQgc3BlY2lmaWMgbW9uaXRvcmluZyBzZXJ2aWNlcyBmb3I6IFNVQlNaLCBDT05OWiwgTEVBRlosIEpTWiBhbmQgSU5GTyIsImluZm9fdXJsIjoiaHR0cHM6Ly9kb2NzLm5hdHMuaW8vbmF0cy1zZXJ2ZXIvY29uZmlndXJhdGlvbi9zeXNfYWNjb3VudHMifV0sImxpbWl0cyI6eyJzdWJzIjotMSwiZGF0YSI6LTEsInBheWxvYWQiOi0xLCJpbXBvcnRzIjotMSwiZXhwb3J0cyI6LTEsIndpbGRjYXJkcyI6dHJ1ZSwiY29ubiI6LTEsImxlYWYiOi0xfSwic2lnbmluZ19rZXlzIjpbIkFDTlZLVFNEWExPSktSNUVYN1JJU1I1QjJMVEg2S1VCRzJFTE1JNUkyS1pXR1BNUE43REc3U05aIl0sImRlZmF1bHRfcGVybWlzc2lvbnMiOnsicHViIjp7fSwic3ViIjp7fX0sInR5cGUiOiJhY2NvdW50IiwidmVyc2lvbiI6Mn19.1uvNMxMpSYbKjE4fhLcJ6JK8eXi17M2Zzegm1mZdTyQPTG08PbRSjr5ppB4UgVx9WDRtJREIPtNStgDwZGteBQ"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

Generate JWTs

This endpoint generates User and Account JWTs using the provided configuration. If a User JWT is being generated the name of a previously created Account must be provided. Additionaly for User JWTs a signed nonce required to authenticate with the NATS server is returned.

Methods	Path
POST	`:mount-path`/jwt/`:name`

Parameters

Name	Type	Description
mount-path	String	The mount path of the plugin. This is specified as part of the URL.
name	String	The name of the account or user for which to create a JWT.
type	Enum [`account`, `user`]	Type of JWT to generate. (required)
account	String	Name of a previously generated Account that should be used to sign the User JWT. (required if type=user)
config	JSON	Configuration for either Account or User JWT. (required)

JWT Sample Response

{
  "jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJPSVhTUUw2Rk1YNlJVTVVaWUc1RVA3RktTTjVKQjRZNVk3VFdJRkNHRk9ORERBV0VITEpBIiwiaWF0IjoxNjY2MjgzOTE3LCJpc3MiOiJBQ05WS1RTRFhMT0pLUjVFWDdSSVNSNUIyTFRINktVQkcyRUxNSTVJMktaV0dQTVBON0RHN1NOWiIsIm5hbWUiOiJzeXMiLCJzdWIiOiJVQ1RSM0hIWU42WUJGTTNJN1hIWkVRNkFKWlFGN1pHQVVFQ09VTVBGRjZaM0JURDQ0RVo0U0NXSSIsIm5hdHMiOnsicHViIjp7fSwic3ViIjp7fSwic3VicyI6LTEsImRhdGEiOi0xLCJwYXlsb2FkIjotMSwiaXNzdWVyX2FjY291bnQiOiJBQU41M0NLUkJOUUVKN0NYMjRCM1NPU0JDS1ZCT1VDWkRYRkNaWkhEMkdDUTJOWjZEV1FHRVNKNiIsInR5cGUiOiJ1c2VyIiwidmVyc2lvbiI6Mn19.B3iUDYznSKSvcz-Xozm9oaZb_aaFgiYBCLiH5aEGv156PwDmilrK6CRzXg5fWiRt3Hewn-4EBsUqiXntOmqmBw"
}

Sign Nonce

This endpoint signs the nonce (challenge string) returned by NATS during authentication. Signing can only be used with User JWTs.

Methods	Path
POST	`:mount-path`/jwt/`:name`/sign

Parameters

Name	Type	Description
mount-path	String	The mount path of the plugin. This is specified as part of the URL.
name	String	The name of the user that is used to sign the nonce.
nonce	String	The nonce (challenge string) returned by NATS during authentication.

JWT Sample Response

{
  "signed_nonce": "RA2ZdifT+iwAZVtr6Lg8Nqkn2WPHHOaf70Qo+I2o214QDYK/JFHhWZe5h7uEc+vE+U6d/TL69/l5TnFhRmhYCg=="
}

Local Development

make start
make enable
./hack/test.sh

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
nats

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL