Installing and configuring Vault
FOR DOCKER
FOR PROCESS
INSTALL VAULT
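#download vault 1.1.2 and verify it against the published checksum list before unpacking
VAULT_VERSION=1.1.2
wget "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip"
wget "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS"
# sha256sum -c exits non-zero if the zip does not match the published digest; stop there.
# (The SHA256SUMS file itself is signed with HashiCorp's release key; verify the .sig too
# where gpg is available.)
grep "vault_${VAULT_VERSION}_linux_amd64.zip" "vault_${VAULT_VERSION}_SHA256SUMS" | sha256sum -c - || exit 1
# -p: do not fail when /tools/vault already exists (re-running these notes)
mkdir -p /tools/vault
unzip "vault_${VAULT_VERSION}_linux_amd64.zip" -d /tools/vault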
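#setting vault path
# Append the two exports to ~/.bashrc with a quoted here-doc (no interactive editor),
# so the step is repeatable and the lines are written literally, unexpanded.
cd ~ || exit 1
cat >> .bashrc <<'EOF'
export VAULT_HOME=/tools/vault
export PATH=${VAULT_HOME}:${PATH}
EOF
# reload so the current shell sees VAULT_HOME and the new PATH
source .bashrc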
SETTING AFTER INSTALL
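#verifying the installation (prints the CLI help if the binary is on PATH)
vault
#set vault autocomplete to bash (writes the completion hook into the shell rc file)
vault -autocomplete-install
# replace the current shell so the completion hook is loaded; quoted so an unusual
# $SHELL value is not word-split
exec "$SHELL"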
DEV MODE
#run vault server dev mode
# Dev mode: in-memory storage, starts already unsealed, plain HTTP on 127.0.0.1:8200,
# root token printed to the terminal. Local experiments only, never for real secrets.
vault server -dev
#export VAULT_ADDR='http://127.0.0.1:8200'
#export VAULT_ROOT_TOKEN=''
# NOTE(review): the Vault CLI reads VAULT_TOKEN, not VAULT_ROOT_TOKEN; the line above is
# only a reminder to keep the dev root token somewhere, not a variable Vault itself uses.
DEPLOY VAULT
config.hcl
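# Single-node file storage (no HA). The directory should be readable/writable only by the
# user the vault process runs as; it holds the encrypted barrier data.
storage "file" {
  path = "/mnt/vault/data"
}

listener "tcp" {
  # 0.0.0.0 binds every interface; use the host's own IP or 127.0.0.1 when only local
  # clients need to reach it.
  address     = "0.0.0.0:8200"
  # TLS stays on. With tls_disable = false the listener also needs a certificate and key,
  # otherwise the server refuses to start:
  #   tls_cert_file = "<PATH_TO_CERT_PEM>"
  #   tls_key_file  = "<PATH_TO_KEY_PEM>"
  tls_disable = false
}

# Web UI served at https://<host>:8200/ui (https, because TLS is enabled above).
ui = true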
Vault UI URL: http://host.domain.name:8200/ui
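# start the server with config.hcl; it runs in the foreground, so use a second terminal
# (or a service unit) for the commands below
vault server -config=config.hcl
# initialise exactly once: prints the unseal key shares and the initial root token.
# -pgp-keys / -root-token-pgp-key can be given so each share is encrypted to its holder.
vault operator init
# example output. The values are redacted on purpose: unseal keys and the root token must go
# to their holders / an offline store, never into notes or version control. Revoke the
# initial root token once real auth methods and policies are in place.
#>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# Unseal Key 1: <UNSEAL_KEY_1>
# Unseal Key 2: <UNSEAL_KEY_2>
# Unseal Key 3: <UNSEAL_KEY_3>
# Unseal Key 4: <UNSEAL_KEY_4>
# Unseal Key 5: <UNSEAL_KEY_5>
# Initial Root Token: <INITIAL_ROOT_TOKEN>
#<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
# run once per key share until the threshold (3 of 5 by default) is met; the key is read
# from a hidden prompt, so it never appears in shell history
vault operator unseal
#>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# Unseal Key (will be hidden):
#<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<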
Vault 가 처음 실행되거나 재기동되면 sealed 상태가 되어 사용할 수 없다. 이 상태에서 사용할 수 있는 명령은 status 와 operator init 정도로 보인다. unseal key 5개 중 아무거나 3개를 사용해 unseal 한 뒤 사용한다.
USAGE
my-policy.hcl
# KV version 1 (the default mount on a normal server) is addressed directly under
# secret/, so the two rules below cover it.
# Note: "create" only applies to paths that do not exist yet; writing to an existing
# key additionally needs "update".
path "secret/*" {
  capabilities = ["create"]
}

path "secret/foo" {
  capabilities = ["read"]
}

# KV version 2 (the default mount on a dev server) stores values under secret/data/,
# so the same rules are repeated with that prefix.
path "secret/data/*" {
  capabilities = ["create"]
}

path "secret/data/foo" {
  capabilities = ["read"]
}
# seal state, HA mode and version of the server at VAULT_ADDR
vault status
# prefer `vault login` with no token argument: it prompts for the token, keeping it out
# of shell history and `ps` output. The argv form is kept here only as a reference.
vault login [VAULT TOKEN]
#-method=github
#token=[GITHUB TOKEN]
# child token of the current one; without -policy it inherits the caller's policies
vault token create
#-policy=[POLICY NAME] ...
vault token revoke [VAULT TOKEN]
# mount the GitHub auth method at auth/github and restrict it to one organization;
# anyone outside that org cannot log in through it
vault auth enable -path=github github
vault write auth/github/config organization=[GITHUB ORG NAME]
#create github personal access tokens with read:org (https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line)
# fmt rewrites the file in canonical form and fails on syntax errors, so run it first
vault policy fmt my-policy.hcl #format check
vault policy write my-policy my-policy.hcl
vault policy list
vault policy read my-policy
vault policy read -format=json [POLICY NAME]
# revoke every token that was issued through the github mount, then remove the mount
vault token revoke -mode path auth/github
vault auth disable github
# mount a KV store at secret/ (`generic` is the legacy name of KV version 1)
vault secrets enable -path=secret generic
# values given on the command line land in shell history; for real secrets read them
# from a file (vault kv put secret/hello @file.json) or from stdin instead
vault kv put secret/hello foo=world
vault kv get secret/hello
vault kv get -field=foo secret/hello
# .data.data.foo is the KV v2 layout (dev server default); a v1 mount returns .data.foo
vault kv get -format=json secret/hello | jq -r .data.data.foo
vault kv delete secret/hello
# second KV mount (version 1 unless -version=2 is given), written with the generic
# `vault write` form
vault secrets enable -path=newsecret kv
vault secrets list
vault write newsecret/my-secret value="s3c(eT"
vault write newsecret/hello target=world
vault write newsecret/airplane type=boeing class=787
# unmounting deletes everything stored under newsecret/
vault secrets disable newsecret
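#https://www.vaultproject.io/docs/secrets/databases/mysql-maria.html
vault secrets enable database
# One invocation: the trailing backslashes keep the key=value arguments on the same
# command (as separate lines they would each run as their own command and fail).
# The admin password is passed on the command line here and ends up in shell history;
# after the config is accepted, hand the credential over to Vault so only Vault knows it:
#   vault write -f database/rotate-root/[DATABASE NAME]
vault write database/config/[DATABASE NAME] \
  plugin_name=mysql-database-plugin \
  username="[USERNAME]" \
  password="[PASSWORD]" \
  connection_url="{{username}}:{{password}}@tcp([DB IP]:[DB PORT])/" \
  allowed_roles="my-role"
# Role: each `vault read database/creds/my-role` runs creation_statements with a fresh
# name/password and leases them for default_ttl (renewable up to max_ttl).
# GRANT SELECT ON *.* is read access to every database on the server; scope it to the
# database the consumer actually needs.
vault write database/roles/my-role \
  db_name=[DATABASE NAME] \
  creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
  default_ttl="1h" \
  max_ttl="24h"
# issues a new short-lived DB user; revoked automatically when the lease expires
vault read database/creds/my-role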