Why you shouldn't use Hashicorp Vault with Zabbix

zabbix-vault-test.sh

# Using Hashicorp Vault with Zabbix is not a very good idea
# https://www.zabbix.com/documentation/6.0/en/manual/config/secrets

mkdir /tmp/zabbix-vault-test
cd /tmp/zabbix-vault-test
git clone [email protected]:paalbra/zabbix-simple.git
cd zabbix-simple
echo 'diff --git a/docker-compose.yml b/docker-compose.yml
index 550ef48..c3dd95f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -26,9 +26,21 @@ services:
     image: "docker.io/zabbix/zabbix-server-pgsql:${TAG:?Need env: TAG}"
     depends_on:
       - "db"
+      - "vault"
     environment:
       - "DB_SERVER_HOST=db"
       - "POSTGRES_DB=zabbix"
       - "POSTGRES_PASSWORD=${ZABBIX_PASSWORD:?Need env: ZABBIX_PASSWORD}"
       - "POSTGRES_USER=zabbix"
+      - "ZBX_VAULTDBPATH=secret/zabbix/db"
+      - "ZBX_VAULTURL=http://vault:8200"
+      - "VAULT_TOKEN=myroot"
+    ports:
+      - "10051:10051"

+  vault:
+    image: "docker.io/library/vault"
+    environment:
+      - "VAULT_DEV_ROOT_TOKEN_ID=myroot"
+    ports:
+      - "8200:8200"' | git apply
curl --silent https://releases.hashicorp.com/vault/1.9.4/vault_1.9.4_linux_amd64.zip -o vault_1.9.4_linux_amd64.zip
unzip vault_1.9.4_linux_amd64.zip

TAG=latest ZABBIX_PASSWORD=something podman-compose up -d
VAULT_ROOT_TOKEN="myroot"
VAULT_TOKEN="$VAULT_ROOT_TOKEN" VAULT_ADDR="http://127.0.0.1:8200" ./vault kv put secret/zabbix/foo secret="YOU SHOULD NOT SEE THIS $(date --iso-8601=s)"
VAULT_TOKEN="$VAULT_ROOT_TOKEN" VAULT_ADDR="http://127.0.0.1:8200" ./vault kv put secret/zabbix/db username=zabbix password=something

while curl --silent -H "content-type: application/json" --data '{"jsonrpc":"2.0","method":"apiinfo.version","params":[],"id":1}' http://127.0.0.1:8080/api_jsonrpc.php | jq --exit-status --raw-output '.error' > /dev/null; do
    echo "Waiting for Zabbix to initialize. Sleeping..."
    sleep 5
done

echo "Zabbix ready."

ZABBIX_AUTH=$(curl --silent -H "content-type: application/json" --data '{"jsonrpc":"2.0","method":"user.login","params":{"username":"Admin","password":"zabbix"},"id":1}' http://127.0.0.1:8080/api_jsonrpc.php | jq --raw-output '.result')
ZABBIX_HOST_ID=$(curl --silent -H "content-type: application/json" --data "{\"jsonrpc\":\"2.0\",\"method\":\"host.create\",\"params\":{\"host\":\"test\",\"groups\":[{\"groupid\":\"1\"}],\"macros\":[{\"macro\":\"{\$SECRET}\",\"type\":2,\"value\":\"secret/zabbix/foo:secret\"}]},\"auth\":\"$ZABBIX_AUTH\",\"id\":1}" http://127.0.0.1:8080/api_jsonrpc.php | jq --raw-output '.result.hostids[0]')
curl --silent -H "content-type: application/json" --data "{\"jsonrpc\":\"2.0\",\"method\":\"item.create\",\"params\":{\"name\":\"test\",\"key_\":\"vfs.fs.contents[{\$SECRET}]\",\"hostid\":\"$ZABBIX_HOST_ID\",\"type\":7,\"value_type\":4,\"delay\":\"1h\"},\"auth\":\"$ZABBIX_AUTH\",\"id\":1}" http://127.0.0.1:8080/api_jsonrpc.php > /dev/null

echo "Host and item created."

curl --silent https://raw.githubusercontent.com/paalbra/zabbix-protocol/master/zabbix_proto.py -o zabbix_proto.py
while ! echo '{"request": "active checks", "host": "test"}' | python3 zabbix_proto.py 127.0.0.1 10051 10 | jq --exit-status '.data[0]' > /dev/null; do
    echo "Waiting for the item to become available. Sleeping..."
    sleep 5
done

echo '{"request": "active checks", "host": "test"}' | python3 zabbix_proto.py 127.0.0.1 10051 10 | jq --exit-status '.data[0]'

# Will eventually output something like:
# {
#   "key": "vfs.fs.contents[YOU SHOULD NOT SEE THIS 2022-03-18T20:51:41+01:00]",
#   "key_orig": "vfs.fs.contents[{$SECRET}]",
#   "delay": 3600,
#   "lastlogsize": 0,
#   "mtime": 0
# }

TAG=latest ZABBIX_PASSWORD=something podman-compose down