vault-plugin-tailscale's Introduction

vault-plugin-tailscale

A HashiCorp Vault plugin for generating device authentication keys for Tailscale. Generated keys are single use.

Installation

  1. Download the binary for your architecture from the releases page
  2. Generate the SHA256 sum of the plugin binary
$ sha256sum vault-plugin-tailscale | cut -d ' ' -f1
d6ffe79b13326eb472af0b670c694f21f779d524068ad705a672a00f6d433724
  3. Add the plugin to your Vault plugin catalog
$ vault plugin register -sha256=d6ffe79b13326eb472af0b670c694f21f779d524068ad705a672a00f6d433724 secret vault-plugin-tailscale
Success! Registered plugin: vault-plugin-tailscale
  4. Enable the plugin
$ vault secrets enable -path=tailscale vault-plugin-tailscale 
Success! Enabled the vault-plugin-tailscale secrets engine at: tailscale/

Usage

  1. Obtain an API key from the Tailscale admin dashboard.
  2. Create the Vault configuration for the Tailscale API
$ vault write tailscale/config tailnet=$TAILNET api_key=$API_KEY
Success! Data written to: tailscale/config
  3. Generate keys using the Vault CLI.
$ vault read tailscale/key
Key          Value
---          -----
ephemeral    false
expires      2022-04-30T00:32:36Z
id           kMxzN47CNTRL
key          secret-key-data
reusable     false
tags         <nil>

Key Options

The following key/value pairs can be added to the end of the vault read command to configure key properties:

Tags

Tags to apply to the device that uses the authentication key

vault read tailscale/key tags=something:somewhere

Preauthorized

If true, machines added to the tailnet with this key will not require authorization

vault read tailscale/key preauthorized=true

Ephemeral

If true, nodes created with this key will be removed after a period of inactivity or when they disconnect from the Tailnet

vault read tailscale/key ephemeral=true
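
An added example, not part of the plugin's README or code: a shell helper that requests one ephemeral key and hands it on only if Vault's response confirms the properties asked for. It assumes the `tailscale/` mount path and the table output shown under Usage; the function names `field` and `mint_checked_key` are hypothetical.

```shell
# field NAME: print the value column for row NAME from `vault read`
# table output supplied on stdin (format as shown under Usage).
field() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# mint_checked_key OUTFILE: request an ephemeral key and write it to
# OUTFILE only when the response says ephemeral=true and reusable=false.
# Returns 1 if Vault fails, 2 on a property mismatch, 3 if no key came back.
mint_checked_key() {
    out=$1
    resp=$(vault read tailscale/key ephemeral=true) || return 1

    if [ "$(printf '%s\n' "$resp" | field ephemeral)" != "true" ]; then
        echo "refusing key: not ephemeral" >&2
        return 2
    fi
    if [ "$(printf '%s\n' "$resp" | field reusable)" != "false" ]; then
        echo "refusing key: reusable" >&2
        return 2
    fi

    key=$(printf '%s\n' "$resp" | field key)
    if [ -z "$key" ]; then
        echo "no key in response" >&2
        return 3
    fi

    # A newly created file gets mode 0600; the key is written by the
    # shell's printf rather than passed as an argument to another program.
    ( umask 077; printf '%s\n' "$key" > "$out" )
}

# Typical use on the joining machine (the key file path is an assumption):
#   mint_checked_key /run/ts-authkey &&
#       tailscale up --auth-key=file:/run/ts-authkey
#   rm -f /run/ts-authkey
```

Reading the key from a file keeps it out of the `tailscale up` command line, and deleting the file afterwards leaves nothing to reuse since the key is single use.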

vault-plugin-tailscale's People

Contributors

davidsbond, dependabot[bot]

vault-plugin-tailscale's Issues

Are you using this plugin?

Recently I've noticed this repo getting a lot of stars over the last week. I say a lot, by my standards it's a lot.

Just curious if you're using this plugin at home/work successfully, let me know!

Generated Key Options - Documentation

I'd like the ability to create ephemeral keys using this plugin.

I'm not a Go programmer, but looking at the source it seems like there's the ability to customize tags and preauthorized.

Are ephemeral keys not a current capability right now, and how would I go about using the current customizations for keys?

Unrecognized Plugin Message

Hi there, I just configured the plugin for the first time. I'm getting a 500 when I try to use it, though:

$ vault secrets enable -path=tailscale tailscale
Success! Enabled the tailscale secrets engine at: tailscale/
$ vault read tailscale/config
Error reading tailscale/config: Error making API request.

URL: GET https://vault/v1/tailscale/config
Code: 500. Errors:

* 1 error occurred:
	* Unrecognized remote plugin message:

This usually means that the plugin is either invalid or simply
needs to be recompiled to support the latest protocol.

I don't see anything else in the logs. My environment is a bit weird (running inside a container, in google cloud run) but it's hard to tell if that's the cause.

Version 0.2.3 doesn't work with current tailscale

Because expirySeconds was moved in this commit, the current released version doesn't work. I've set it up and I'm currently getting the following error:

Error reading tailscale/key: Error making API request.

URL: GET https://servie.home.iruud.cloud:8200/v1/tailscale/key
Code: 500. Errors:

* 1 error occurred:
	* json: unknown field "expirySeconds" (400)

This update has already been merged on the master branch, so if a new version could be released that should fix it. I will move to use the master branch for now.
