Hashicorp Vault Monitor 
How to build the source code
[ "$GOPATH" ] || export GOPATH="$HOME/go"
go get -u github.com/madrisan/hashicorp-vault-monitor
export PATH="$PATH:$GOPATH/bin"
$GOPATH/bin/hashicorp-vault-monitor -version
Optionally if you want to compile this tool for all the supported operating systems:
make -C $GOPATH/src/github.com/madrisan/hashicorp-vault-monitor bootstrap dev
You'll find the compiled binaries in the folder $GOPATH//src/github.com/madrisan/hashicorp-vault-monitor/pkg/.
How to use the hashicorp-vault-monitor tool
Export the Hashicorp Vault server url in the variable VAULT_ADDR
export VAULT_ADDR='https://myvaultserver.mydomain.com:8200'
If you do not have a running Vault server and you want to test this monitoring tool,
you can run a dockerized version of the latest version
(requires Docker or Podman).
Then run the export VAULT_ADDR ... command from the terminal output
(replace docker by podman if you use the latter and do not have the
podman Docker CLI emulation configured).
docker run -it -p 8200:8200 --cap-add=IPC_LOCK vault:latest
Unable to find image 'vault:latest' locally
latest: Pulling from library/vault
8e3ba11ec2a2: Pull complete
9d3c08966c5f: Pull complete
8c2e0f2bce8e: Pull complete
5752743f26bd: Pull complete
fd7271f646fb: Pull complete
Digest: sha256:85d4e6f0a52ba10d5f1d07c3f06aa64469c209237c04ed3fe1d5728f7c11fba6
Status: Downloaded newer image for vault:latest
==> Vault server configuration:
Api Address: http://0.0.0.0:8200
Cgo: disabled
Cluster Address: https://0.0.0.0:8201
Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "999999h0m0s", max_request_size: "33554432", tls: "disabled")
Log Level: info
Mlock: supported: true, enabled: false
Storage: inmem
Version: Vault v0.10.4
Version Sha: e21712a687889de1125e0a12a980420b1a4f72d3
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.
You may need to set the following environment variable:
$ export VAULT_ADDR='http://0.0.0.0:8200'
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Unseal Key: VJCtYcgcsmAUFaT70tZoS4uYliEz6XVbxRvcNvg/hqQ=
Root Token: 39d2c714-6dce-6d96-513f-4cb250bf7fe8
Development mode should NOT be used in production installations!
export VAULT_ADDR='http://0.0.0.0:8200'
We can now create (in a different terminal, if you run the dockerized version of the Vault server) a Vault policy that we'll use later in the examples (you can find the binary vault here):
cat > accessor_lookup_policy.hcl <<__END
path "auth/token/lookup-accessor" {
capabilities = ["update", "sudo", "read", "list"]
}
__END
vault login
# enter the root token (or an admin token with sufficient permissions)
vault policy write accessor-policy accessor_lookup_policy.hcl
and two extra (non-root) tokens:
vault token create -policy=accessor-policy -renewable -period=768h
Key Value
--- -----
token s.iJPhLRp25r9FRwg4vrxfd0I7
token_accessor NzHyqTGPITcSYMiA31goyEXh
token_duration 768h
token_renewable true
token_policies ["default" "accessor-policy"]
identity_policies []
policies ["default" "accessor-policy"]
vault token create -policy=default -renewable -period=768h
Key Value
--- -----
token s.EFI8PMCZF1KInfCj1yyI7Rpy
token_accessor ljXiSqQDdSZBYthO7IsrFMD2
token_duration 768h
token_renewable true
token_policies ["default"]
identity_policies []
policies ["default"]
Note that the policies applied to the tokens are different.
Monitoring the status (unsealed/sealed)
$GOPATH/bin/hashicorp-vault-monitor status \
-address=$VAULT_ADDR
Add the output modifier -output=nagios if this tool is intented to
be used with the Nagios monitoring.
$GOPATH/bin/hashicorp-vault-monitor status \
-output=nagios -address=$VAULT_ADDR
Example of output
# default output message
Vault (vault-cluster-50531563) is unsealed
# with the '-output=nagios' switch
vault OK - Vault (vault-cluster-50531563) is unsealed
Monitoring the HA Cluster Status
$GOPATH/bin/hashicorp-vault-monitor hastatus \
-address=$VAULT_ADDR
Add -output=nagios as above if you monitor Vault with Nagios.
Example of output
# default output message
Vault HA (vault-cluster-50531563) is enabled, Standby Node (Active Node Address: https://192.168.1.8:8200)
# error message displayed when the HA mode is not enabled
Vault HA (vault-cluster-50531563) is not enabled
# with the '-output=nagios' switch
vault OK - Vault HA (vault-cluster-50531563) is enabled, Standby Node (Active Node Address: https://192.168.1.8:8200)
vault CRITICAL - Vault HA (vault-cluster-50531563) is not enabled
Monitoring the installed Vault policies
$GOPATH/bin/hashicorp-vault-monitor policies \
-address $VAULT_ADDR -token "39d2c714-6dce-6d96-513f-4cb250bf7fe8" \
root saltstack
Add the flag -output=nagios if you monitor Vault with Nagios.
Monitoring the access to the Vault KV data store
Get a secret from Vault KV data store v1
$GOPATH/bin/hashicorp-vault-monitor get \
-address $VAULT_ADDR -token "39d2c714-6dce-6d96-513f-4cb250bf7fe8" \
-field foo secret/mysecret
Get a secret from Vault KV data store v2
$GOPATH/bin/hashicorp-vault-monitor get \
-address $VAULT_ADDR -token "39d2c714-6dce-6d96-513f-4cb250bf7fe8" \
-field foo secret/data/mysecret
The -output=nagios switch must be added as usual to make the output compliance with Nagios.
Example of output
# default output message
found a value for the key foo: 'this-is-a-secret'
# with the '-output=nagios' switch
vault OK - found a value for the key foo: 'this-is-a-secret-for-checking-vault'
Monitoring the expiration date of a Vault token
$GOPATH/bin/hashicorp-vault-monitor token-lookup \
-address=$VAULT_ADDR -token="s.EFI8PMCZF1KInfCj1yyI7Rpy" \
-warning=120h -critical=72h
The -warning and -critical switches are optional and default to 168h (7 days)
and 72h (3 days) respectively.
As usual, add -output=nagios to get an output compliant with the Nagios specifications.
Example of output
# default output message
This (renewable) token will expire on Mon, 07 Oct 2019 14:25:06 UTC (4 weeks 3 days 23 hours 55 minutes 35 seconds left)
# with the '-output=nagios' switch
vault OK - This (renewable) token will expire on Mon, 07 Oct 2019 14:25:06 UTC (4 weeks 3 days 23 hours 55 minutes 35 seconds left)
Monitoring the expiration date of a Vault token via its associated token accessor
To avoid exposing the tokens in your monitoring setup, you can make use of their associated Token Accessors.
$GOPATH/bin/hashicorp-vault-monitor token-lookup \
-address=$VAULT_ADDR -token="s.iJPhLRp25r9FRwg4vrxfd0I7" \
-token-accessor="ljXiSqQDdSZBYthO7IsrFMD2" \
-warning=120h -critical=72h
The -warning and -critical switches are optional and default to 168h (7 days)
and 72h (3 days) respectively, as described above.
Add -output=nagios to get an output compliant with the Nagios specifications.
Note that you should replace 39d2c7... with the generated Root token from
your output. The same for the values of the two other tokens used in the examples.
You can omit the -address and -token flags by setting the environment
variables VAULT_ADDR and VAULT_TOKEN as shown in the following example:
export VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_TOKEN="39d2c714-6dce-6d96-513f-4cb250bf7fe8"
$GOPATH/bin/hashicorp-vault-monitor status
$GOPATH/bin/hashicorp-vault-monitor policies root saltstack
$GOPATH/bin/hashicorp-vault-monitor get -field foo secret/mysecret
$GOPATH/bin/hashicorp-vault-monitor get -field foo secret/data/mysecret
The Root Token can also be used to login to the Vault web interface at the URL
https://myvaultserver.mydomain.com:8200/ui
or, if you're using the dockerized Vault server:
http://127.0.0.1:8200/ui
Image 1. Screenshot of the web UI login page
Image 2. Screenshot of the web UI homepage
Image 3. Screenshot of the web UI secrets management page
Developers' corner
Some extra actions that may be usefull to project developers.
Run the Test Suite
Just run in the top source folder ($GOPATH/src/github.com/madrisan/hashicorp-vault-monitor):
make test
Generate Test Coverage Statistics
Go to the top source folder and enter the command:
make cover
Style and Static Code Analyzers
Golint
Run the golint, the official linter for Go source code:
go get -u golang.org/x/lint/golint
# the golint binary is now available in:
# go list -f {{.Target}} golang.org/x/lint/golint
cd $GOPATH/src/github.com/madrisan/hashicorp-vault-monitor
export PATH="$PATH:$GOPATH/bin"
golint -set_exit_status ./... | grep -v ^vendor
GolangCI-Lint
Run the GolangCI-Lint linters aggregator:
go get -u github.com/golangci/golangci-lint/cmd/golangci-lint
cd $GOPATH/src/github.com/madrisan/hashicorp-vault-monitor
export PATH="$PATH:$GOPATH/bin"
golangci-lint run ./...
or just execute (requires hashicorp-vault-monitor version > 0.8.2):
make -C $GOPATH/src/github.com/madrisan/hashicorp-vault-monitor lint
Go Vet
Run the Go source code static analysis tool vet to find any common errors.
make -C $GOPATH/src/github.com/madrisan/hashicorp-vault-monitor vet
This command is available with hashicorp-vault-monitor version > 0.8.2.