vault-plugin-secrets-qdrant is a HashiCorp Vault plugin that extends Vault with a secrets engine for Qdrant's JWT-based authentication.
It generates Qdrant credentials (signed JWT tokens) with granular access control.
The roles are stored in Vault and can be revoked at any time.
The generated JWT tokens are ephemeral and stateless; they are not stored in Vault, but they can be bound to roles and are invalidated when the role is deleted.
The plugin can also create, update and delete role data on the Qdrant servers.
The Qdrant secrets engine generates JWT credentials dynamically.
The plugin exposes three resource types: config, role and jwt.
Please read the official Qdrant documentation to understand the concepts of token and access as well as the authentication process.
A handful of resources can be defined within the Vault plugin:

The resource of type config represents the database instance configuration for secrets.

| Entity path | Description | Operations |
|---|---|---|
| qdrant/config | List instances | list |
| qdrant/config/ | Manage instance config | write, read, delete |

The resource of type role represents the database role configuration for secrets.

| Entity path | Description | Operations |
|---|---|---|
| qdrant/role/ | List roles for | list |
| qdrant/role// | Manage instance role config | write, read, delete |

The resource of type jwt represents database JWT tokens.

| Entity path | Description | Operations |
|---|---|---|
| qdrant/jwt// | Generate token for role | read |
The following arguments can be passed to the config/ (database instance) and role/ paths.

Arguments for config/:

| Key | Type | Required | Example | Description |
|---|---|---|---|---|
| url | bool | true | qdrant:6334 | URL address of the Qdrant instance (gRPC protocol) |
| sig_key | string | true | secret-key | Secret key used to sign the tokens; it must match the API key of the Qdrant server, which verifies them with it. |
| sig_alg | string | true | HS256 | Signing algorithm of the tokens. |
| jwt_ttl | string | true | 300s | Default TTL for instance tokens (can be overridden in roles) |
| tls | bool | false | true | If true, Vault opens a TLS gRPC connection to Qdrant |
| ca | string | false | eyJhbGc... | Base64-encoded custom CA certificate for TLS |

Note: When you delete an instance configuration, all associated roles are automatically deleted from the Qdrant instance.

Arguments for role/:

| Key | Type | Required | Example | Description |
|---|---|---|---|---|
| jwt_ttl | string | false | 300s | TTL for the role's tokens (overrides the instance default) |
| claims | json | true | | Access and filter attributes (see the Qdrant documentation) |

Note: Vault roles are synced automatically to the sys_roles collection of the Qdrant instance.
Claims example:

```json
{
  "claims": {
    "value_exists": {
      "collection": "sys_roles",
      "matches": [
        { "key": "role", "value": "write2" }
      ]
    },
    "access": [
      {
        "collection": "my_collection",
        "access": "r"
      }
    ]
  }
}
```
In order to use this plugin you need to register it with Vault.
Configure your Vault server with a valid plugins_directory setting.
Note: you might want to set api_addr to your listening address and disable_mlock to true in the Vault configuration to be able to use the plugin.
Download the latest stable release from the release page and put it into the plugins_directory of your Vault server.
To register a Vault plugin you need the plugin binary's SHA256 sum.
Example of how to register the plugin:

```shell
SHA256SUM=$(sha256sum vault-plugin-secrets-qdrant | cut -d' ' -f1)
vault plugin register -sha256 ${SHA256SUM} secret vault-plugin-secrets-qdrant
vault secrets enable -path=qdrant vault-plugin-secrets-qdrant
```

Note: you might use the -tls-skip-verify flag if you are using a self-signed certificate.
The Makefile provides the following targets:

```shell
$ make
$ make setup-env
$ make tests
$ make e2e
$ make teardown-env
$ make clean
```

Code contributions are very much welcome.
Create a feature branch (git checkout -b AmazingFeature), push it (git push origin AmazingFeature) and open a pull request against the main branch.