• Vault learning notes


    1 Starting Vault

    vault server -dev  (dev mode)

    vault server -config=config.hcl  (how it is started in production)

    The contents of config.hcl are shown below: storage is a locally installed and configured MySQL database, and ui=true makes the web UI accessible.

    disable_mlock  = true
    ui=true
    storage "mysql" {
        address = "127.0.0.1:3306"
        username = "root"
        password = "123456"
        database = "vault"
        table = "vault"
    }
    listener "tcp" {
        address     = "127.0.0.1:8200"
        tls_disable = 1
    }

    2 Setting VAULT_ADDR

    Open another console window:

    Windows: set VAULT_ADDR=http://127.0.0.1:8200

    Linux: export VAULT_ADDR=http://127.0.0.1:8200

    3 Initializing Vault

       vault operator init  or  vault operator init -key-shares=5 -key-threshold=3

    Notes:
        -key-shares: the total number of key shares to generate
        -key-threshold: how many of those shares are needed to unseal
        The values above are the defaults and can be omitted.

    This yields five keys (key1 to key5), used later for unsealing.

    vault operator unseal key1

    vault operator unseal key2

    vault operator unseal key3

    Check the state with vault status; Sealed false means the vault has been unsealed.

    Key             Value
    ---             -----
    Seal Type       shamir
    Initialized     true
    Sealed          false
    Total Shares    5
    Threshold       3
    Version         1.2.3
    Cluster Name    vault-cluster-181def04
    Cluster ID      32b31c01-4c2e-bfcf-e44c-0abc862d6156
    HA Enabled      false
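    The 5-share / 3-threshold split that vault operator init performs (and that the three unseal commands above undo) is Shamir secret sharing. The following is an added illustration, not code from the notes or from Vault itself: the secret is the constant term of a random degree-2 polynomial, any 3 of the 5 points recover it, and 2 points give no information. It is simplified to arithmetic in one prime field instead of Vault's per-byte GF(256).

```python
# Added illustration of the 5-share / 3-threshold Shamir split behind
# `vault operator init` and `vault operator unseal`. Simplification (assumption):
# arithmetic is done in the prime field GF(P) instead of Vault's per-byte GF(256).
import secrets

P = 2**127 - 1  # Mersenne prime; the secret must be an integer below P


def split_secret(secret, shares=5, threshold=3):
    """Return `shares` points (x, f(x)) on a random polynomial of degree
    threshold-1 whose constant term is the secret (so f(0) == secret)."""
    if not 1 <= threshold <= shares or not 0 <= secret < P:
        raise ValueError("need 1 <= threshold <= shares and 0 <= secret < P")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    poly = lambda x: sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return [(x, poly(x)) for x in range(1, shares + 1)]


def combine_shares(points):
    """Lagrange-interpolate the given points at x = 0. With at least
    `threshold` distinct points this is the secret; with fewer, the result
    is just some other field element and leaks nothing about the secret."""
    if len({x for x, _ in points}) != len(points):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def unseal_demo(secret):
    """Mirror the notes: split into 5 keys, then unseal with key1..key3."""
    keys = split_secret(secret, shares=5, threshold=3)
    return {
        "three_keys": combine_shares(keys[:3]) == secret,        # key1 key2 key3
        "any_three": combine_shares([keys[0], keys[2], keys[4]]) == secret,
        "two_keys": combine_shares(keys[:2]) == secret,          # stays sealed
    }


if __name__ == "__main__":
    # constructed 15-byte secret, standing in for Vault's root key
    print(unseal_demo(int.from_bytes(secrets.token_bytes(15), "big")))
```

    In real Vault the unseal keys are distributed to different people precisely because of this threshold property: no two holders can unseal on their own.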

    4 Log in with the generated token
    vault login XXX

    5 Enabling the database secrets engine
    vault secrets enable database

    6 Using transit: enable transit at path=encryption; if -path=encryption is omitted it is mounted at the default transit path

    vault secrets enable -path=encryption transit

    7 Write the database connection configuration

    vault write database/config/my-mysql-database \
        plugin_name=mysql-database-plugin \
        connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \
        allowed_roles="my-role" \
        username="root" \
        password="123456"

    8 Set up the dynamic credential role

    vault write database/roles/my-role \
        db_name=my-mysql-database \
        creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT,INSERT,UPDATE ON *.* TO '{{name}}'@'%';" \
        default_ttl="1h" \
        max_ttl="24h"


    9 Policy file: writing it directly with vault policy write my-policy my-policy.hcl did not succeed, so it was done with the following command instead

    vault policy write my-policy -<<EOF
    # Normal servers have version 1 of KV mounted by default, so will need these
    # paths:
    path "secret/*" {
      capabilities = ["create"]
    }
    path "secret/foo" {
      capabilities = ["read"]
    }
    # Dev servers have version 2 of KV mounted by default, so will need these
    # paths:
    path "secret/data/*" {
      capabilities = ["create"]
    }
    path "secret/data/foo" {
      capabilities = ["read"]
    }
    EOF

    Setting up a Vault static role
    0 Create a role vault-edu in MySQL
    1 Enable the database secrets engine: vault secrets enable database
    2 Configure the database connection

    vault write database/config/my-mysql-database plugin_name=mysql-database-plugin connection_url="{{username}}:{{password}}@tcp(30.16.104.43:3306)/" allowed_roles="*" username="root" password="123456"

    3 Create the static role education

    vault write database/static-roles/education db_name=my-mysql-database rotation_statements=@rotation.sql username="vault-edu" rotation_period=86400

    The contents of rotation.sql:
    ALTER USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';

    4 Read the education role

    vault read database/static-roles/education

    5 Create a new policy named app, write it into Vault, and issue a token bound to it

    vault policy write app app.hcl

    vault token create -policy="app"

    6 Log in with the issued token and read the credentials of the role

    VAULT_TOKEN=s.NN5Izfj9ok3VuZiaP9N9QJ1V vault read database/static-creds/education

    Setting up a Vault role

    vault write database/roles/my-role \
        db_name=my-mysql-database \
        creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT,INSERT,UPDATE ON *.* TO '{{name}}'@'%';" \
        default_ttl="1h" \
        max_ttl="24h"

    Vault production configuration

    https://learn.hashicorp.com/tutorials/vault/configure-vault

    Enabling rotation of Vault encryption keys; see https://learn.hashicorp.com/tutorials/vault/eaas-transit

    To rotate the encryption key, invoke the transit/keys/<key_ring_name>/rotate endpoint.

    For example: vault write -f transit/keys/order/rotate

    # List available auth method
    path "sys/auth" {
      capabilities = [ "read" ]
    }

    # Read default token configuration
    path "sys/auth/token/tune" {
      capabilities = [ "read", "sudo" ]
    }

    # Create and manage tokens (renew, lookup, revoke, etc.)
    path "auth/token/*" {
      capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
    }

    # For Advanced Features - list available secrets engines
    path "sys/mounts" {
      capabilities = [ "read" ]
    }

    # For Advanced Features - tune the database secrets engine TTL
    path "sys/mounts/database/tune" {
      capabilities = [ "update" ]
    }

  • Original URL: https://www.cnblogs.com/meadow/p/11643300.html