HashiDays One conference. Three cities. Find a city near you
Vault
Vault Home

You are viewing documentation for version v1.11.x. View latest version.

Duo MFA

This page demonstrates the Duo MFA on ACL'd paths of Vault.

Configuration

  1. Enable the appropriate auth method:

    $ vault auth enable userpass

  2. Fetch the mount accessor for the enabled auth method:

    $ vault auth list -detailed

    The response will look like:

    Path         Type        Accessor                  Plugin    Default TTL    Max TTL    Replication    Description----         ----        --------                  ------    -----------    -------    -----------    -----------token/       token       auth_token_289703e9       n/a       system         system     replicated     token based credentialsuserpass/    userpass    auth_userpass_54b8e339    n/a       system         system     replicated     n/a

  3. Configure Duo MFA:

    $ vault write sys/mfa/method/duo/my_duo \    mount_accessor=auth_userpass_54b8e339 \    integration_key=BIACEUEAXI20BNWTEYXT \    secret_key=HIGTHtrIigh2rPZQMbguugt8IUftWhMRCOBzbuyz \    api_hostname=api-2b5c39f5.duosecurity.com

  4. Create a policy that gives access to secret through the MFA method created above:

    $ vault policy write duo-policy -<<EOFpath "secret/foo" {  capabilities = ["read"]  mfa_methods  = ["my_duo"]}EOF

  5. Create a user. MFA works only for tokens that have identity information on them. Tokens created by logging in using auth methods will have the associated identity information. Create a user in the userpass auth method and authenticate against it:

    $ vault write auth/userpass/users/testuser \    password=testpassword \    policies=duo-policy

  6. Create a login token:

    $ vault write auth/userpass/login/testuser \    password=testpasswordKey                    Value---                    -----token                  70f97438-e174-c03c-40fe-6bcdc1028d6ctoken_accessor         a91d97f4-1c7d-6af3-e4bf-971f74f9fab9token_duration         768htoken_renewable        truetoken_policies         [default duo-policy]token_meta_username    "testuser"

    Note that the CLI is not authenticated with the newly created token yet, we did not call vault login, instead we used the login API to simply return a token.

  7. Fetch the entity ID from the token. The caller identity is represented by the entity_id property of the token:

    $ vault token lookup 70f97438-e174-c03c-40fe-6bcdc1028d6cKey                 Value---                 -----accessor            a91d97f4-1c7d-6af3-e4bf-971f74f9fab9creation_time       1502245243creation_ttl        2764800display_name        userpass-testuserentity_id           307d6c16-6f5c-4ae7-46a9-2d153ffcbc63expire_time         2017-09-09T22:20:43.448543132-04:00explicit_max_ttl    0id                  70f97438-e174-c03c-40fe-6bcdc1028d6cissue_time          2017-08-08T22:20:43.448543003-04:00meta                map[username:testuser]num_uses            0orphan              truepath                auth/userpass/login/testuserpolicies            [default duo-policy]renewable           truettl                 2764623

  8. Login as the user:

    $ vault login 70f97438-e174-c03c-40fe-6bcdc1028d6c

  9. Read a secret to trigger a Duo push. This will be a blocking call until the push notification is either approved or declined:

    $ vault read secret/fooKey                 Value---                 -----refresh_interval    768hdata                which can only be read after MFA validation