a3dfde5cec
* conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads
99 lines
3.4 KiB
Markdown
99 lines
3.4 KiB
Markdown
---
|
|
layout: "docs"
|
|
page_title: "RabbitMQ - Secrets Engines"
|
|
sidebar_title: "RabbitMQ"
|
|
sidebar_current: "docs-secrets-rabbitmq"
|
|
description: |-
|
|
The RabbitMQ secrets engine for Vault generates user credentials to access RabbitMQ.
|
|
---
|
|
|
|
# RabbitMQ Secrets Engine
|
|
|
|
The RabbitMQ secrets engine generates user credentials dynamically based on
|
|
configured permissions and virtual hosts. This means that services that need to
|
|
access a virtual host no longer need to hardcode credentials.
|
|
|
|
With every service accessing the messaging queue with unique credentials,
|
|
auditing is much easier when questionable data access is discovered. Easily
|
|
track issues down to a specific instance of a service based on the RabbitMQ
|
|
username.
|
|
|
|
Vault makes use both of its own internal revocation system as well as the
|
|
deleting RabbitMQ users when creating RabbitMQ users to ensure that users become
|
|
invalid within a reasonable time of the lease expiring.
|
|
|
|
## Setup
|
|
|
|
Most secrets engines must be configured in advance before they can perform their
|
|
functions. These steps are usually completed by an operator or configuration
|
|
management tool.
|
|
|
|
1. Enable the RabbitMQ secrets engine:
|
|
|
|
```text
|
|
$ vault secrets enable rabbitmq
|
|
Success! Enabled the rabbitmq secrets engine at: rabbitmq/
|
|
```
|
|
|
|
By default, the secrets engine will mount at the name of the engine. To
|
|
enable the secrets engine at a different path, use the `-path` argument.
|
|
|
|
1. Configure the credentials that Vault uses to communicate with RabbitMQ to
|
|
generate credentials:
|
|
|
|
```text
|
|
$ vault write rabbitmq/config/connection \
|
|
connection_uri="http://localhost:15672" \
|
|
username="admin" \
|
|
password="password"
|
|
Success! Data written to: rabbitmq/config/connection
|
|
```
|
|
|
|
It is important that the Vault user have the administrator privilege to
|
|
manager users.
|
|
|
|
|
|
1. Configure a role that maps a name in Vault to virtual host permissions:
|
|
|
|
```text
|
|
$ vault write rabbitmq/roles/my-role \
|
|
vhosts='{"/":{"write": ".*", "read": ".*"}}'
|
|
Success! Data written to: rabbitmq/roles/my-role
|
|
```
|
|
|
|
By writing to the `roles/my-role` path we are defining the `my-role` role.
|
|
This role will be created by evaluating the given `vhosts` and `tags`
|
|
statements. By default, no tags and no virtual hosts are assigned to a role.
|
|
You can read more about [RabbitMQ management tags][rmq-perms].
|
|
|
|
## Usage
|
|
|
|
After the secrets engine is configured and a user/machine has a Vault token with
|
|
the proper permission, it can generate credentials.
|
|
|
|
1. Generate a new credential by reading from the `/creds` endpoint with the name
|
|
of the role:
|
|
|
|
```text
|
|
$ vault read rabbitmq/creds/my-role
|
|
Key Value
|
|
--- -----
|
|
lease_id rabbitmq/creds/my-role/37d70d04-f24d-760a-e06e-b9b21087f0f4
|
|
lease_duration 768h
|
|
lease_renewable true
|
|
password a98af72b-b6c9-b4b1-fe37-c73a572befed
|
|
username token-590f1fe2-1094-a4d6-01a7-9d4ff756a085
|
|
```
|
|
|
|
Using ACLs, it is possible to restrict using the rabbitmq secrets engine
|
|
such that trusted operators can manage the role definitions, and both users
|
|
and applications are restricted in the credentials they are allowed to read.
|
|
|
|
## API
|
|
|
|
The RabbitMQ secrets engine has a full HTTP API. Please see the
|
|
[RabbitMQ secrets engine API](/api/secret/rabbitmq/index.html) for more
|
|
details.
|
|
|
|
[rmq-perms]: https://www.rabbitmq.com/management.html#permissions
|