Vault SSH Host Key Renewal Tool
vault-ssh-renew automates the renewal of SSH host certificates issued by HashiCorp Vault. It checks whether a certificate is installed on the host and whether that certificate expires in the near future; only then does it ask Vault to issue a new certificate.
Please note that vault-ssh-renew does not renew the Vault token itself, nor does it re-configure your SSH server software to actually present the certificate. Please refer to the Vault documentation on how to achieve this.
pip install vault-ssh-renew
On Debian Buster, Ubuntu 18.04, and 20.04, you can install vault-ssh-renew from packages:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv AF0E925C4504784BF4E0FFF0C90E4BD2B36E75B9
echo "deb https://dl.bintray.com/glaux/production $(lsb_release -s -c) main" | sudo tee -a /etc/apt/sources.list.d/vault-ssh-renew.list
sudo apt-get update
sudo apt-get install vault-ssh-renew
The package also installs a daily timer that runs vault-ssh-renew. If you are installing interactively, you will be asked to supply all the required configuration parameters; they are written to /etc/default/vault-ssh-renew and can be edited there.
You may also run the tool using a Docker container:
docker run -ti -v/etc/ssh:/etc/ssh \
    -e VAULT_TOKEN=**** \
    -e VAULT_ADDR=http://127.0.0.1:8200 \
    -e VAULT_SSH_SIGN_PATH=ssh/sign/host \
    glaux/vault-ssh-renew
For every release, there also exists a corresponding tag suffixed with
runs the tools as a periodic cron job.
Configuration can be achieved using the following environment variables.
| Variable | Type | Description | Default |
| VAULT_ADDR | URL | Address under which Vault can be reached. | http://127.0.0.1:8200 |
| VAULT_TOKEN | String | Token for authentication against Vault. | |
| | String | The path to read the Vault token from. | |
| | String | The path to the SSH public key. | |
| | String | The path to the SSH host certificate. | |
| VAULT_SSH_SIGN_PATH | String | The path to the signing endpoint, usually ⟨secret mountpoint⟩/sign/⟨role name⟩. | |
| | List of Strings | A space-separated list of principals to request in the certificate. | Host's FQDN |
| | Integer | When the certificate is valid for less than this many days, renew it. | 7 |
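The renewal decision described above (certificate present? fewer than the threshold days of validity left?) and the request it leads to, as an added example that is not vault-ssh-renew's own code. It decodes the OpenSSH certificate wire format (RFC 4251 string/uint fields) to read valid_before, handles only ssh-ed25519 certificates, and builds the body for Vault's SSH sign endpoint; the sample certificate is constructed in the block and carries no valid signature.

```python
import base64
import struct

RENEW_THRESHOLD_DAYS = 7  # page default: renew when fewer than 7 days of validity remain


def _read_string(buf, pos):
    """Read an RFC 4251 'string' (uint32 big-endian length prefix + bytes)."""
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def cert_valid_before(cert_line):
    """Return valid_before (epoch seconds) from a one-line ssh-ed25519 certificate file."""
    blob = base64.b64decode(cert_line.split()[1])
    key_type, pos = _read_string(blob, 0)
    if key_type != b"ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("unsupported certificate type %r" % key_type)
    _, pos = _read_string(blob, pos)  # nonce
    _, pos = _read_string(blob, pos)  # ed25519 public key
    pos += 8 + 4                      # serial (uint64) and cert type (uint32)
    _, pos = _read_string(blob, pos)  # key id
    _, pos = _read_string(blob, pos)  # valid principals
    _valid_after, valid_before = struct.unpack_from(">QQ", blob, pos)
    return valid_before


def needs_renewal(cert_line, now, threshold_days=RENEW_THRESHOLD_DAYS):
    """True when no certificate is installed or it expires within threshold_days."""
    if not cert_line:
        return True
    return cert_valid_before(cert_line) - now < threshold_days * 86400


def vault_sign_request(sign_path, public_key, principals):
    """URL path and JSON body for Vault's SSH sign endpoint (POST /v1/<mount>/sign/<role>)."""
    body = {"public_key": public_key, "cert_type": "host",
            "valid_principals": ",".join(principals)}
    return "/v1/" + sign_path, body


def _pack_string(b):
    return struct.pack(">I", len(b)) + b


def make_sample_cert(valid_before):
    """Constructed, unsigned ssh-ed25519 certificate used only to exercise the parser."""
    blob = (_pack_string(b"ssh-ed25519-cert-v01@openssh.com") + _pack_string(b"\x00" * 32)
            + _pack_string(b"\x01" * 32) + struct.pack(">QI", 1, 2)  # serial=1, type=2 (host)
            + _pack_string(b"host.example") + _pack_string(_pack_string(b"host.example"))
            + struct.pack(">QQ", valid_before - 30 * 86400, valid_before)
            + _pack_string(b"") * 3 + _pack_string(b"sigkey") + _pack_string(b"sig"))
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(blob).decode() + " host"
```

In a real run the returned body would be POSTed to VAULT_ADDR plus the returned path with the X-Vault-Token header, and data.signed_key from the response written to the host certificate path.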
kubernetes/ in the source distribution contains a set of resources that can serve as a template to deploy vault-ssh-renew across your Kubernetes cluster. You'll need to:
- edit secret.yaml to supply your Vault token
- add the correct Vault address and signing path to
- optionally change the version in daemonset.yaml to something other than
kubectl apply -f kubernetes/*.yaml
| Filename | Size | File type | Python version |
| vault_ssh_renew-0.2.0-py3-none-any.whl | 9.8 kB | Wheel | py3 |
| vault-ssh-renew-0.2.0.tar.gz | 9.5 kB | Source | None |