A HashiCorp Vault plugin for generating device authentication keys for Tailscale. Generated keys are single use.
- Download the binary for your architecture from the releases page
- Generate the SHA256 sum of the plugin binary
  ```console
  $ sha256sum vault-plugin-tailscale | cut -d ' ' -f1
  d6ffe79b13326eb472af0b670c694f21f779d524068ad705a672a00f6d433724
  ```
- Add the plugin to your Vault plugin catalog
  ```console
  $ vault plugin register -sha256=d6ffe79b13326eb472af0b670c694f21f779d524068ad705a672a00f6d433724 secret vault-plugin-tailscale
  Success! Registered plugin: vault-plugin-tailscale
  ```
- Enable the plugin
  ```console
  $ vault secrets enable -path=tailscale vault-plugin-tailscale
  Success! Enabled the vault-plugin-tailscale secrets engine at: tailscale/
  ```
- Obtain an API key from the Tailscale admin dashboard.
- Create the Vault configuration for the Tailscale API
  ```console
  $ vault write tailscale/config tailnet="$TAILNET" api_key="$API_KEY"
  Success! Data written to: tailscale/config
  ```
- Generate keys using the Vault CLI.
  ```console
  $ vault read tailscale/key
  Key          Value
  ---          -----
  ephemeral    false
  expires      2022-04-30T00:32:36Z
  id           kMxzN47CNTRL
  key          secret-key-data
  reusable     false
  tags         <nil>
  ```
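
The checksum passed to `vault plugin register` in the steps above is computed from the file that was just downloaded, so on its own it only records what arrived. The script below is an added example, not part of the plugin's own documentation: it compares the binary against a SHA256 value obtained from a source you trust and registers the plugin only on a match. The names `verify_plugin` and `register_plugin` and the `VAULT_BIN` override are hypothetical, introduced here for illustration.

```shell
#!/bin/sh
# Added example: register the plugin only if its SHA256 matches a pinned value.
# Assumption: the pinned value comes from a trusted source (for example a
# checksum recorded from a reviewed build), not from the downloaded file itself.

sha256_of() { sha256sum -- "$1" | cut -d ' ' -f1; }

# verify_plugin <binary> <expected-sha256>
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_plugin() {
  [ -f "$1" ] || return 2
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
  [ "${#expected}" -eq 64 ] || return 2
  case "$expected" in *[!0-9a-f]*) return 2 ;; esac
  [ "$(sha256_of "$1")" = "$expected" ]
}

# register_plugin <binary> <expected-sha256>
# VAULT_BIN is a hypothetical override for dry runs (VAULT_BIN=echo).
register_plugin() {
  if ! verify_plugin "$1" "$2"; then
    echo "refusing to register $1: SHA256 check failed" >&2
    return 1
  fi
  # The plugin name is the binary's file name, as in the steps above.
  "${VAULT_BIN:-vault}" plugin register \
    -sha256="$(sha256_of "$1")" secret "$(basename -- "$1")"
}

# Usage: sh register-plugin.sh ./vault-plugin-tailscale <expected-sha256>
if [ "$#" -eq 2 ]; then
  register_plugin "$1" "$2"
fi
```

Running it with `VAULT_BIN=echo` prints the `plugin register` arguments without contacting Vault.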