Version: v1.1.5

This package is not in the latest version of its module.

Published: Jul 9, 2020 License: MIT Imports: 33 Imported by: 0




Vault-Gatekeeper is a small service for delivering Vault tokens to other services whose lifecycles are managed by a container scheduler such as Mesos or ECS.

Vault-Gatekeeper takes the Cubbyhole Authentication approach outlined by Jeff Mitchell on the Vault blog. Specifically, Vault response wrapping is used as outlined in the Vault documentation.

In short, a service requests a Vault token from VG, supplying its Mesos task id or ECS task ARN. VG then checks with Mesos/ECS that the task was started recently and that VG has not already issued a token for that task id. VG then consults its policy configuration to determine which role the task is assigned and requests a response-wrapped token from Vault for that role. VG passes the wrapping token to the service, which unwraps it with /sys/wrapping/unwrap to retrieve the real token. A wrapping token can be unwrapped only once, so a service whose unwrap fails because the token was already used knows the token was intercepted in transit.
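The admission checks described above, written out as an added example (this is not the project's code). The error names and messages are the sentinels the package exports; the Task type, the prefix-wildcard policy matching and the in-memory per-task issuance counter are this example's assumptions, standing in for the scheduler and usage-store interfaces the page does not show.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
	"sync"
	"time"
)

// Same names and messages as the sentinels vault-gatekeeper exports.
var (
	ErrTaskNotFresh   = errors.New("This task has been running too long to request a token.")
	ErrMaxTokensGiven = errors.New("Maximum number of tokens given to this task.")
	ErrHostMismatch   = errors.New("The service's remote address requesting this token does not match the host of the service running this task.")
	ErrNoPolicy       = errors.New("Your task doesn't match any configured policy.")
	ErrRoleMismatch   = errors.New("Your task does not have permission to use this role.")
)

// Task is the scheduler's view of a running task (constructed for this example).
type Task struct {
	ID      string    // Mesos task id or ECS task ARN
	Name    string    // what policy keys are matched against, e.g. "mesos:web"
	Host    string    // address of the agent the scheduler placed the task on
	Started time.Time // start time reported by the scheduler
}

// Policy is one value of the policy JSON: {"mesos:*":{"roles":["test"],"num_uses":1}}.
type Policy struct {
	Roles   []string `json:"roles"`
	NumUses int      `json:"num_uses"`
}

// Admission holds the checks' state; uses is an in-memory stand-in for the usage store.
type Admission struct {
	MaxTaskLife time.Duration
	HostCheck   bool
	Policies    map[string]Policy
	mu          sync.Mutex
	uses        map[string]int // task id -> tokens already issued
}

// matchPolicy: exact key first, then the longest "prefix*" key (simplified matching assumed here).
func matchPolicy(policies map[string]Policy, name string) (Policy, bool) {
	if p, ok := policies[name]; ok {
		return p, true
	}
	bestKey, best := "", Policy{}
	for k, p := range policies {
		if strings.HasSuffix(k, "*") && strings.HasPrefix(name, strings.TrimSuffix(k, "*")) && len(k) > len(bestKey) {
			bestKey, best = k, p
		}
	}
	return best, bestKey != ""
}

// Authorize runs the checks in the README's order and returns the AppRole role to mint a wrapped token for.
func (a *Admission) Authorize(task Task, requestedRole, remoteAddr string, now time.Time) (string, error) {
	if now.Sub(task.Started) > a.MaxTaskLife { // only a freshly started task may ask
		return "", ErrTaskNotFresh
	}
	if a.HostCheck { // the request must come from the agent that runs the task
		if host, _, err := net.SplitHostPort(remoteAddr); err != nil || host != task.Host {
			return "", ErrHostMismatch
		}
	}
	p, ok := matchPolicy(a.Policies, task.Name)
	if !ok || len(p.Roles) == 0 {
		return "", ErrNoPolicy
	}
	if requestedRole == "" {
		requestedRole = p.Roles[0] // default to the policy's first role
	}
	allowed := false
	for _, r := range p.Roles {
		allowed = allowed || r == requestedRole
	}
	if !allowed {
		return "", ErrRoleMismatch
	}
	a.mu.Lock() // num_uses caps tokens per task id, which is what defeats a replayed request
	defer a.mu.Unlock()
	if a.uses[task.ID] >= p.NumUses {
		return "", ErrMaxTokensGiven
	}
	a.uses[task.ID]++
	return requestedRole, nil
}

// NewExampleAdmission mirrors the quick-start policy: any Mesos task may use role "test" exactly once.
func NewExampleAdmission() *Admission {
	return &Admission{MaxTaskLife: 5 * time.Minute, HostCheck: true, uses: map[string]int{},
		Policies: map[string]Policy{"mesos:*": {Roles: []string{"test"}, NumUses: 1}}}
}

func main() {
	a := NewExampleAdmission()
	task := Task{ID: "web.1", Name: "mesos:web", Host: "10.0.0.5", Started: time.Now()}
	fmt.Println(a.Authorize(task, "", "10.0.0.5:40001", time.Now())) // test <nil>
	fmt.Println(a.Authorize(task, "", "10.0.0.5:40002", time.Now())) // "" and ErrMaxTokensGiven
}
```

The order matters: freshness and host are checked before the usage counter is touched, so a rejected request never consumes the task's single allowed issuance.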


  • Vault 0.6.2+
  • Mesos 1.0.0+ (if using Mesos)




This guide assumes that you (1) have a Vault instance running, (2) have a Mesos instance running, and (3) have an AppRole role in Vault named test.

  1. Install a sample policy in Vault:
$ echo '{"mesos:*":{"roles":["test"],"num_uses":1}}' | ./gatekeeper policy update --vault-token 'MY_TOKEN' '-'
  2. Start a Gatekeeper instance:
$ ./gatekeeper server --mesos-master 'http://leader.mesos:5050' --vault-addr http://localhost:8200
  3. Unseal the Gatekeeper instance with a token. (The token must have at least the policy defined in gatekeeper-policy.hcl.)
$ ./gatekeeper unseal token --vault-token 'GK_TOKEN'
  4. Launch a task on Mesos and retrieve a token:
$ curl -X POST -d "{\"task_id\":\"${MESOS_TASK_ID}\"}" 'http://gatekeeper-host/token'
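The client side of step 4 and of the flow described in the overview, as an added example (not the project's code): request a wrapping token from gatekeeper, then unwrap it at Vault. Assumptions: the gatekeeper reply carries the wrapping token in a JSON field named token (the page shows only the request body), and the two httptest servers are constructed stand-ins for gatekeeper and Vault so the example runs offline. The unwrap call itself uses Vault's real /v1/sys/wrapping/unwrap contract: the wrapping token goes in X-Vault-Token and the unwrapped token creation comes back under auth.client_token.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// gatekeeperResponse is the reply shape this example assumes for POST /token (the page shows only the request).
type gatekeeperResponse struct {
	Token string `json:"token"`
}

// unwrapResponse is the part of Vault's /v1/sys/wrapping/unwrap reply that matters for a wrapped token creation.
type unwrapResponse struct {
	Auth struct {
		ClientToken string `json:"client_token"`
	} `json:"auth"`
}

// requestWrappedToken is step one: ask gatekeeper for a wrapping token, identifying ourselves by task id.
func requestWrappedToken(gatekeeperURL, taskID string) (string, error) {
	body, _ := json.Marshal(map[string]string{"task_id": taskID})
	resp, err := http.Post(gatekeeperURL+"/token", "application/json", bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var r gatekeeperResponse
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&r) != nil || r.Token == "" {
		return "", fmt.Errorf("gatekeeper refused: %s", resp.Status)
	}
	return r.Token, nil
}

// unwrap is step two: present the single-use wrapping token as X-Vault-Token (empty body) and get the real token.
func unwrap(vaultAddr, wrappingToken string) (string, error) {
	req, err := http.NewRequest(http.MethodPost, vaultAddr+"/v1/sys/wrapping/unwrap", nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Vault-Token", wrappingToken)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var r unwrapResponse
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&r) != nil || r.Auth.ClientToken == "" {
		return "", fmt.Errorf("unwrap failed: %s (token already used or never issued?)", resp.Status)
	}
	return r.Auth.ClientToken, nil
}

// newFakeServers stands in for gatekeeper and Vault so the example runs offline; the fake Vault keeps
// the property that makes response wrapping safe: a wrapping token unwraps exactly once.
func newFakeServers() (gatekeeper, vault *httptest.Server) {
	var mu sync.Mutex
	live := map[string]bool{} // wrapping tokens issued and not yet unwrapped
	gatekeeper = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req struct {
			TaskID string `json:"task_id"`
		}
		if r.URL.Path != "/token" || json.NewDecoder(r.Body).Decode(&req) != nil || req.TaskID == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		wt := "hvs.wrap-" + req.TaskID // constructed; real wrapping tokens are opaque
		mu.Lock()
		live[wt] = true
		mu.Unlock()
		json.NewEncoder(w).Encode(gatekeeperResponse{Token: wt})
	}))
	vault = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		wt := r.Header.Get("X-Vault-Token")
		mu.Lock()
		ok := r.URL.Path == "/v1/sys/wrapping/unwrap" && live[wt]
		delete(live, wt) // single use: a replayed or guessed wrapping token is rejected
		mu.Unlock()
		if !ok {
			http.Error(w, `{"errors":["wrapping token is not valid or does not exist"]}`, http.StatusBadRequest)
			return
		}
		fmt.Fprint(w, `{"auth":{"client_token":"hvs.example-client-token"}}`) // constructed value
	}))
	return gatekeeper, vault
}

func main() {
	gk, vault := newFakeServers()
	wt, err := requestWrappedToken(gk.URL, "web.1")
	if err != nil {
		panic(err)
	}
	fmt.Println(unwrap(vault.URL, wt)) // hvs.example-client-token <nil>
	fmt.Println(unwrap(vault.URL, wt)) // "" and an error: the wrapping token is spent
}
```

Against a real deployment, point the two URLs at the gatekeeper host and at the Vault address gatekeeper was started with; the second unwrap failing is the signal a service should treat as a possible interception rather than retry.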


You can grab a binary from the releases or deploy the docker image nemosupremo/vault-gatekeeper.








var (
	ErrHostMismatch       = errors.New("The service's remote address requesting this token does not match the host of the service running this task.")
	ErrMaxTokensGiven     = errors.New("Maximum number of tokens given to this task.")
	ErrNoPolicy           = errors.New("Your task doesn't match any configured policy.")
	ErrNoPolicyConfigured = errors.New("No policies have been configured.")
	ErrNoSuchRole         = errors.New("The role requested does not exist.")
	ErrRoleMismatch       = errors.New("Your task does not have permission to use this role.")
	ErrSealed             = errors.New("Gatekeeper is sealed.")
	ErrTaskNotFresh       = errors.New("This task has been running too long to request a token.")
)


func GetLog

func GetLog(r *http.Request) logrus.FieldLogger

func ListenAndServeTLS

func ListenAndServeTLS(addr, certFile, keyFile string, handler http.Handler) error

This works just like http.ListenAndServeTLS, but the certificate and key are loaded into a wrapper struct that reloads them from disk when a SIGHUP is received, so a rotated certificate can be picked up without restarting the listener.

func LogEntrySetField

func LogEntrySetField(r *http.Request, key string, value interface{})

func LogEntrySetFields

func LogEntrySetFields(r *http.Request, fields map[string]interface{})

func NewKeypairReloader

func NewKeypairReloader(certFile, keyFile string) (*keypairReloader, error)

func NewLogger

func NewLogger(logger *logrus.Logger) func(next http.Handler) http.Handler


type Config

type Config struct {
	ListenAddress    string
	TlsCert          string
	TlsKey           string
	DefaultScheduler string
	Schedulers       []string
	Store            string
	StoreVaultPath   string
	Peers            string
	HostCheck        bool
	UseImageNames    bool

	Vault struct {
		Address      string
		CaCert       string
		CaPath       string
		ClientCert   string
		ClientKey    string
		Insecure     bool
		KvVersion    string
		AppRoleMount string
	}

	Metrics struct {
		Ticker time.Duration
		Statsd struct {
			Host    string
			Prefix  string
			Influx  bool
			Datadog bool
		}
	}

	PolicyPath  string
	MaxTaskLife time.Duration

	Unsealer unsealer.Unsealer

	Version string

	SkipPolicyLoading bool

	Backoff *backoff.ExponentialBackOff
}

type Gatekeeper

type Gatekeeper struct {
	Store      usagestore.UsageStore
	Schedulers map[string]scheduler.Scheduler
	Policies   *policy.Policies `json:"-"`
	Stats      struct {
		Requests   int32 `json:"requests"`
		Successful int32 `json:"successful"`
		Denied     int32 `json:"denied"`
		Failed     int32 `json:"failed"`
	} `json:"stats"`
	Started time.Time `json:"started"`
	Token   string    `json:"-"`

	PeerId string `json:"peer_id"`

	// contains filtered or unexported fields
}

func NewGatekeeper

func NewGatekeeper(conf Config) (*Gatekeeper, error)

func (*Gatekeeper) ErrorResponse

func (g *Gatekeeper) ErrorResponse(w http.ResponseWriter, code int, err string)

func (*Gatekeeper) GetPolicyConfig

func (g *Gatekeeper) GetPolicyConfig() ([]byte, error)

func (*Gatekeeper) GetRoleId

func (g *Gatekeeper) GetRoleId(roleName string, authToken string) (string, error)

func (*Gatekeeper) GetSecretId

func (g *Gatekeeper) GetSecretId(roleName string, authToken string) (string, error)

func (*Gatekeeper) IsUnsealed

func (g *Gatekeeper) IsUnsealed() bool

func (*Gatekeeper) LoadPeers

func (g *Gatekeeper) LoadPeers(myId string, startup bool) ([]peer, error)

func (*Gatekeeper) NewMetrics

func (g *Gatekeeper) NewMetrics(conf Config) (*metrics, error)

func (*Gatekeeper) OkResponse

func (g *Gatekeeper) OkResponse(w http.ResponseWriter, message string)

func (*Gatekeeper) Peers

func (g *Gatekeeper) Peers() []peer

func (*Gatekeeper) RenewToken

func (g *Gatekeeper) RenewToken() error

func (*Gatekeeper) RenewalWorker

func (g *Gatekeeper) RenewalWorker(controlChan chan struct{})

func (*Gatekeeper) RequestToken

func (g *Gatekeeper) RequestToken(providerKey string, taskId string, requestedRole string, remoteAddr string) (string, time.Duration, error)

func (*Gatekeeper) Routes

func (g *Gatekeeper) Routes() http.Handler

func (*Gatekeeper) Seal

func (g *Gatekeeper) Seal() error

func (*Gatekeeper) Serve

func (g *Gatekeeper) Serve() error

func (*Gatekeeper) TokenTtl

func (g *Gatekeeper) TokenTtl() (time.Duration, error)

func (*Gatekeeper) Unseal

func (g *Gatekeeper) Unseal(u unsealer.Unsealer) error
