A HashiCorp Vault plugin for generating device authentication keys for Tailscale. Generated keys are single use.
- Download the binary for your architecture from the releases page
- Generate the SHA256 sum of the plugin binary
$ sha256sum vault-plugin-tailscale | cut -d ' ' -f1
d6ffe79b13326eb472af0b670c694f21f779d524068ad705a672a00f6d433724
- Add the plugin to your Vault plugin catalog
$ vault plugin register -sha256=d6ffe79b13326eb472af0b670c694f21f779d524068ad705a672a00f6d433724 secret vault-plugin-tailscale
Success! Registered plugin: vault-plugin-tailscale
- Enable the plugin
$ vault secrets enable -path=tailscale vault-plugin-tailscale
Success! Enabled the vault-plugin-tailscale secrets engine at: tailscale/
- Obtain an API key from the Tailscale admin dashboard. Vault stores this key in the `tailscale/config` path, so restrict read access to that path with a Vault policy; anyone who can read it can mint Tailscale keys directly.
- Create the Vault configuration for the Tailscale API
$ vault write tailscale/config tailnet=$TAILNET api_key=$API_KEY
Success! Data written to: tailscale/config
- Generate keys using the Vault CLI.
$ vault read tailscale/key
Key          Value
---          -----
ephemeral    false
expires      2022-04-30T00:32:36Z
id           kMxzN47CNTRL
key          secret-key-data
reusable     false
tags         <nil>
The following key/value pairs can be added to the end of the `vault read`
command to configure key properties:
- `tags`: tags to apply to the device that uses the authentication key. Tailscale expects ACL tags in the form `tag:<name>`, so the tag must also exist in the tailnet's ACL before a node can join with it.
vault read tailscale/key tags=something:somewhere
- `preauthorized`: if true, machines added to the tailnet with this key will not require authorization by an admin.
vault read tailscale/key preauthorized=true
- `ephemeral`: if true, nodes created with this key will be removed after a period of inactivity or when they disconnect from the tailnet.
vault read tailscale/key ephemeral=true
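The install, configure and issue steps above, wrapped in a POSIX shell script as an added example (this is not code from the vault-plugin-tailscale project). It computes the SHA256 from the exact binary Vault will load instead of hand copying it, rejects tags that lack the `tag:` prefix before Vault calls the Tailscale API, and checks that the issued key is single use before printing it. It assumes `vault` is on PATH with `VAULT_ADDR` and `VAULT_TOKEN` exported, that `TAILNET` and `TAILSCALE_API_KEY` are exported, that the plugin binary is already in Vault's `plugin_directory`, and that multiple tags are passed comma separated; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the vault-plugin-tailscale project.
# Assumed environment: vault on PATH with VAULT_ADDR/VAULT_TOKEN exported,
# TAILNET and TAILSCALE_API_KEY exported, plugin binary already in
# Vault's plugin_directory. Function names below are this example's own.
set -eu

# Pull one string field ("key", "id", "expires") out of
# `vault read -format=json` output on stdin, without depending on jq.
json_string() {
  sed -n "s/^[[:space:]]*\"$1\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Same for the boolean fields ("ephemeral", "reusable"); prints true or false.
json_bool() {
  sed -n "s/^[[:space:]]*\"$1\":[[:space:]]*\([a-z]*\).*/\1/p" | head -n 1
}

# Tailscale ACL tags must carry the "tag:" prefix. A bare label is rejected
# here rather than by the Tailscale API after Vault has already made the call.
# Assumes a comma-separated list, e.g. "tag:server,tag:prod".
validate_tags() {
  for t in $(printf '%s' "$1" | tr ',' ' '); do
    case "$t" in
      tag:?*) ;;
      *) echo "invalid tag: $t (expected tag:<name>)" >&2; return 1 ;;
    esac
  done
}

# Check a `vault read -format=json tailscale/key` response: the key must be
# present and single use (reusable == false). Prints the key on success.
check_issued_key() {
  resp="$1"
  key=$(printf '%s\n' "$resp" | json_string key)
  reusable=$(printf '%s\n' "$resp" | json_bool reusable)
  [ -n "$key" ] || { echo "no key in response" >&2; return 1; }
  [ "$reusable" = "false" ] || { echo "refusing reusable key" >&2; return 1; }
  printf '%s\n' "$key"
}

# README steps 2-5: register with the checksum of the binary Vault will load,
# enable the engine, and store the Tailscale API key.
install_plugin() {
  bin="$1"
  name=$(basename "$bin")
  sum=$(sha256sum "$bin" | cut -d ' ' -f1)
  vault plugin register -sha256="$sum" secret "$name"
  vault secrets enable -path=tailscale "$name"
  vault write tailscale/config tailnet="$TAILNET" api_key="$TAILSCALE_API_KEY"
}

# README step 6: issue an ephemeral, preauthorized key for the given tags,
# then verify the response before handing the key to a node.
issue_key() {
  tags="$1"
  validate_tags "$tags"
  resp=$(vault read -format=json tailscale/key \
           ephemeral=true preauthorized=true tags="$tags")
  check_issued_key "$resp"
}

# Only talk to Vault when explicitly asked, so the helper functions can be
# sourced or exercised without a running server.
case "${1:-}" in
  install) install_plugin "$2" ;;
  issue)   issue_key "$2" ;;
esac
```

Run `sh issue.sh install ./vault-plugin-tailscale` once, then `sh issue.sh issue tag:server` per node; the printed key goes to `tailscale up --authkey=...` and, being single use, is worthless to anyone who captures it afterwards.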