
Configure Vault to Use the strongDM HTTP Proxy

This guide will show you how to proxy HashiCorp Vault HTTP API and CLI traffic through strongDM.

Vault is a client/server application that lets you securely access, read, write, and store secret information, like API keys, database credentials, and passwords. When secrets are added to Vault, they are passed to secrets engines, which read and write the data to storage. The flow of requests, or traffic, to and from Vault is typically managed via the Vault HTTP API or CLI, but you can run all Vault commands and management through strongDM instead.

Using the strongDM HTTP proxy allows you to keep Vault internal to your network without having to expose it for external access, easily audit all commands run against Vault using strongDM as the proxy, and obfuscate the exact address of the server.

Prerequisites

To follow these instructions, you need to know your full Vault address and port, your subdomain in strongDM, and your Vault token (if using HTTP).

Instructions

We've outlined five different ways to set up Vault to use the strongDM HTTP proxy. Choose one: HTTP, HTTP Custom Auth, CLI for Vault HTTP API, Vault CLI with HTTP Custom Auth, or Vault CLI with HTTP.

Note the following:

  • The Vault CLI and curl obey the http_proxy and https_proxy environment variables.
  • Set https_proxy="127.0.0.1:65230" in the terminal session if you want to use this proxy functionality, but don't add it to your Bash profile.

HTTP

  1. In the strongDM Admin UI, click Websites.

  2. Click add website, and then set:

    • Display Name: Enter a name for the website.

    • Server Type: Select HTTP.

    • Base URL: Add your full Vault address, including port.

      • Example: https://vault.example.com:8200
    • HTTP Subdomain: Enter the subdomain that you want to use in strongDM.

      • Example: vault
  3. Click Create.

HTTP Custom Auth

  1. In the strongDM Admin UI, click Websites.

  2. Click add website, and then set:

    • Display Name: Enter a name for the website.

    • Server Type: Select HTTP Custom Auth.

    • Base URL: Add your full Vault address, including port.

      • Example: https://vault.example.com:8200
    • HTTP Subdomain: Enter the subdomain that you want to use in strongDM.

      • Example: vault
    • Authorization Header (path): Enter the token for Vault that you want to use, in this specific format: Bearer {TOKEN}

      • Example: Bearer 12aab3cd-e456-f7ga-h8ij-912345678912
  3. Click Create.

CLI for Vault HTTP API

  • For HTTP with a proxy, use the following command, being sure to replace {TOKEN} with your actual Vault token and {SUBDOMAIN} with your desired subdomain in strongDM (e.g., "vault").

    This command uses curl to set strongDM as a proxy, set a header with your bearer token to authorize access to Vault, and perform an HTTP GET request to access Vault secrets.

    curl --proxy "127.0.0.1:65230" -H "Authorization: Bearer {TOKEN}" -X GET https://{SUBDOMAIN}.sdm.network/v1/path/secret

    Example:

    curl --proxy "127.0.0.1:65230" -H "Authorization: Bearer 12aab3cd-e456-f7ga-h8ij-912345678912" -X GET https://vault.example.sdm.network/v1/path/secret

    In return, you’ll get a JSON payload similar to the following:

    {
      "request_id": "eebdb123-1a2b-01a1-1234-1abc2345d678",
      "lease_id": "",
      "renewable": false,
      "lease_duration": 2764800,
      "data": {
        "password": "Thisisasecurepassword2021!",
        "username": "sdm"
      },
      "wrap_info": null,
      "warnings": null,
      "auth": null
    }
  • For HTTP without a proxy, use the following command, being sure to replace {TOKEN} with your actual Vault token and {SUBDOMAIN} with your desired subdomain in strongDM (e.g., "vault").

    This command uses curl to set a header with your bearer token to authorize access to Vault, and perform an HTTP GET request to access Vault secrets.

    curl -H "Authorization: Bearer {TOKEN}" -X GET https://{SUBDOMAIN}.sdm.network/v1/path/secret

    Example:

    curl -H "Authorization: Bearer 12aab3cd-e456-f7ga-h8ij-912345678912" -X GET https://vault.example.sdm.network/v1/path/secret

    In return, you’ll get a JSON payload similar to the following:

    {
      "request_id": "eebdb123-1a2b-01a1-1234-1abc2345d678",
      "lease_id": "",
      "renewable": false,
      "lease_duration": 2764800,
      "data": {
        "password": "Thisisasecurepassword2021!",
        "username": "sdm"
      },
      "wrap_info": null,
      "warnings": null,
      "auth": null
    }
  • For HTTP Custom Auth with a proxy, use the following command, being sure to replace {SUBDOMAIN} with your desired subdomain in strongDM (e.g., "vault").

    This command uses curl to set strongDM as a proxy and perform an HTTP GET request to access Vault secrets:

    curl --proxy "127.0.0.1:65230" -X GET https://{SUBDOMAIN}.sdm.network/v1/path/secret

    Example:

    curl --proxy "127.0.0.1:65230" -X GET https://vault.example.sdm.network/v1/path/secret

    In return, you’ll get a JSON payload similar to the following:

    {
      "request_id": "eebdb123-1a2b-01a1-1234-1abc2345d678",
      "lease_id": "",
      "renewable": false,
      "lease_duration": 2764800,
      "data": {
        "password": "Thisisasecurepassword2021!",
        "username": "sdm"
      },
      "wrap_info": null,
      "warnings": null,
      "auth": null
    }
  • For HTTP Custom Auth without proxy, use the following command, being sure to replace {SUBDOMAIN} with your desired subdomain in strongDM (e.g., "vault").

    This command uses curl to perform an HTTP GET request to access Vault secrets.

    curl -X GET https://{SUBDOMAIN}.sdm.network/v1/path/secret

    Example:

    curl -X GET https://vault.example.sdm.network/v1/path/secret

    In return, you’ll get a JSON payload similar to the following:

    {
      "request_id": "eebdb123-1a2b-01a1-1234-1abc2345d678",
      "lease_id": "",
      "renewable": false,
      "lease_duration": 2764800,
      "data": {
        "password": "Thisisasecurepassword2021!",
        "username": "sdm"
      },
      "wrap_info": null,
      "warnings": null,
      "auth": null
    }
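
The curl commands above put the Vault token on the command line, where it ends up in shell history and process listings, and the note near the top of this page says to set https_proxy per session rather than in your Bash profile. The following added example (not strongDM's or HashiCorp's own code) wraps both points: it scopes the proxy to one command and feeds the bearer token to curl from a file through a config on stdin. The function names, the token-file argument, and the input allow-lists are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example. Helper names and the token-file argument are assumptions.
SDM_PROXY="127.0.0.1:65230"   # local strongDM proxy address from this page

# Run a single command with https_proxy set for that command only, so the
# variable never leaks into the session or a shell profile.
with_sdm_proxy() {
  https_proxy="$SDM_PROXY" "$@"
}

# Print a curl config for a Vault read through strongDM.
#   $1 subdomain (e.g. vault.example)   $2 API path (e.g. path/secret)
#   $3 token file: give it for the HTTP server type; omit it for HTTP
#      Custom Auth, where strongDM adds the Authorization header itself.
vault_curl_config() {
  local sub="$1" path="$2" token_file="${3:-}" token=""
  # Allow-list each value so nothing can break out of the quoted fields.
  case "$sub" in ''|*[!A-Za-z0-9.-]*) echo "bad subdomain" >&2; return 2 ;; esac
  case "$path" in ''|*[!A-Za-z0-9/_.-]*) echo "bad path" >&2; return 2 ;; esac
  if [ -n "$token_file" ]; then
    token="$(tr -d '\r\n' < "$token_file")" || return 3
    case "$token" in ''|*[!A-Za-z0-9._-]*) echo "bad token" >&2; return 3 ;; esac
  fi
  printf 'url = "https://%s.sdm.network/v1/%s"\n' "$sub" "$path"
  printf 'proxy = "%s"\n' "$SDM_PROXY"
  [ -z "$token" ] || printf 'header = "Authorization: Bearer %s"\n' "$token"
}

# Perform the GET. The config reaches curl on stdin (--config -), so the
# token is not in curl's argument list or in shell history.
vault_read() {
  local cfg
  cfg="$(vault_curl_config "$@")" || return
  printf '%s\n' "$cfg" | curl --silent --show-error --fail --config -
}

# Usage (the token file path is a placeholder):
#   vault_read vault.example path/secret /path/to/token-file
#   vault_read vault.example path/secret        # HTTP Custom Auth
```

Keep the token file readable only by your own user (for example, mode 600).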

Vault CLI with HTTP Custom Auth

  1. To use the Vault CLI with HTTP Custom Auth, use the following command to set the Vault address (VAULT_ADDR) that the CLI connects to, being sure to replace {SUBDOMAIN} with your desired subdomain in strongDM (e.g., "vault"):

    export VAULT_ADDR="https://{SUBDOMAIN}.sdm.network"

    Example:

    export VAULT_ADDR="https://vault.example.sdm.network"
  2. Run vault status to verify that it works:

    vault status

    The status check will show a response similar to the following:

    Key             Value
    ---             ---
    Seal Type       shamir
    Initialized     true
    Sealed          false
    Total Shares    5
    Threshold       3
    Version         1.7.1
    Storage Type    consul
    Cluster Name    vault-cluster-12a345bc
    Cluster ID      1a2345c6-78d9-ef12-3gh4-5abc12345d6e
    HA Enabled      true
    HA Cluster      example-cluster
    HA Mode         active
    Active Since    2021-05-04T18:53:45.8603209687

Vault CLI with HTTP

  1. For the Vault CLI, use the following command to set the Vault address (VAULT_ADDR) that the CLI connects to, being sure to replace {SUBDOMAIN} with your desired subdomain in strongDM (e.g., "vault"):

    export VAULT_ADDR="https://{SUBDOMAIN}.sdm.network"

    Example:

    export VAULT_ADDR="https://vault.example.sdm.network"
  2. Log in to Vault, using your Vault token:

    vault login token={TOKEN}

    Example:

    vault login token=12aab3cd-e456-f7ga-h8ij-912345678912
  3. Run vault status to verify that it works:

    vault status

    The status check will show a response similar to the following:

    Key             Value
    ---             ---
    Seal Type       shamir
    Initialized     true
    Sealed          false
    Total Shares    5
    Threshold       3
    Version         1.7.1
    Storage Type    consul
    Cluster Name    vault-cluster-12a345bc
    Cluster ID      1a2345c6-78d9-ef12-3gh4-5abc12345d6e
    HA Enabled      true
    HA Cluster      example-cluster
    HA Mode         active
    Active Since    2021-05-04T18:53:45.8603209687

Next Steps

Now that configuration is complete, you can run all Vault commands and management through strongDM.
