I’ll give you my Dirty Little Secret

Currently Reading: Medicine Bottles, Python Documentation

This week has been pretty uneventful as I’m preparing for my next surgery.

However, I finished the project given to me by my mentor!

I was to take Vault and build an application that returns the value for a key via a web interface. This would be easy if I knew a lick of Python, but I didn’t, so I started by getting familiar with Vault instead.

I went through Vault’s Getting Started documentation to get comfortable with their API, creating Vault servers, and what secret management actually is.

Secret management takes all your sensitive data, passwords, SSH keys, tokens, etc., and stores them in one place. This gives you a centralized hub for your sensitive information, so it’s not just written down on a post-it note somewhere.

Vault is a secret management tool made by our friends over at HashiCorp. It not only stores your secrets, but it will roll your keys, make it easier to revoke keys, and handle leases on keys so that they aren’t staying out partying in cyberspace forever.

Thanks to this blog over at modularsystems.io I was able to get familiar with HVAC, which is a Python library to make it even easier to talk to the Vault API.

But I need to learn Python, so I stuck to the most generic, basic library there is, the requests library. Sticking to the requests library paid off; in the end I learned a lot about how Python likes to be formatted (and how much I hate it), and how rewarding finishing projects can be.

So, how’s it work?

There are a couple of files, one per function: vaultinit, pyvault, and returnkey. My naming conventions aren’t great, but they’re getting better.

VaultInit takes care of initializing Vault, unsealing Vault, and getting us the client token. It also checks if Vault has already been initialized, and if so, sends you right over to the PyVault function instead.

If my small time around Linux has taught me anything it is that you do not share anything with the word ‘root’ in it. Using the root token to read and write to Vault felt dirty, so I knew there had to be another way around it. My way isn’t perfect though, and I’m not sure yet what the ideal way to do this would be. In the end, we write the client token to a super secret file (literally) so it can be accessed as needed.

    # default_token is the requests response from creating a non-root token
    with open("supersecrets", "w") as out:
        out.write(default_token.json()['auth']['client_token'])

PyVault reads the client token and uses that to fetch and return our secrets. It stores the secret in a value variable so that we may be able to use it elsewhere.

    import requests

    def pyvault(url, client_token):
        # client_token is the headers dict holding the token read from "supersecrets"
        return_value = requests.get('{}/secret/foo'.format(url), headers=client_token)
        value = return_value.json()['data']['value']
        return value

ReturnKey brings VaultInit and PyVault together, running them both and then outputting the value variable we made in PyVault to our browser via Bottle!
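As an added example (my own code, not the post’s project or HashiCorp’s), here is how the token-file step and the secret-read step look with requests when the token file is created so that only its owner can read it, instead of an ordinary world-readable file; the Vault address, the token path, and the secret path secret/foo with a "value" field are assumptions.

```python
import os
import stat

# Assumed values: a Vault dev server and a KV v1 secret at secret/foo.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
TOKEN_FILE = os.path.expanduser("~/.pyvault-token")


def auth_headers(token):
    """Vault reads the client token from the X-Vault-Token header."""
    return {"X-Vault-Token": token}


def save_token(path, token):
    """Write the client token to a file with mode 0600 and return the mode.

    os.open with O_CREAT applies 0600 only when the file is new, so chmod
    afterwards also tightens a file that already existed with looser bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as out:
        out.write(token)
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def load_token(path):
    """Read the token back, dropping any trailing newline."""
    with open(path) as f:
        return f.read().strip()


def extract_value(kv_response, key="value"):
    """Pull one field out of a KV v1 read response; None if it is absent."""
    return kv_response.get("data", {}).get(key)


def read_secret(secret_path, token, addr=VAULT_ADDR):
    """GET /v1/<secret_path> with the token and return its 'value' field."""
    import requests  # imported here so the helpers above work without it

    r = requests.get("{}/v1/{}".format(addr, secret_path),
                     headers=auth_headers(token))
    r.raise_for_status()
    return extract_value(r.json())


if __name__ == "__main__":
    # Usage: a non-root token is read from TOKEN_FILE, then secret/foo is fetched.
    print(read_secret("secret/foo", load_token(TOKEN_FILE)))
```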
The whole project is on Github and needs a lot of refactoring.
It may be a catastrophe of code, but it's my first bit of Python.