# docker run -d --name my-vault -p 8200:8200 hashicorp/vault:1.21.3
# docker logs my-vault
...
Unseal Key: P0NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN8=
Root Token: hMMMMMMMMMMMMMMMMMMMMMMMMMV
...
# docker exec -ti my-vault sh
/ # export VAULT_ADDR='http://127.0.0.1:8200'
/ # vault status
/ # vault login token=hMMMMMMMMMMMMMMMMMMMMMMMMMV
/ # vault secrets list
/ # ###rm ~/.vault-token
/ # vault secrets list
/ # vault kv put secret/ansible/openvpn1 \
  username=student \
  password=password
/ # vault kv list secret/ansible/
Keys
----
openvpn1
/ # vault kv get secret/ansible/openvpn1
======== Secret Path ========
secret/data/ansible/openvpn1
...
version    1
...
/ # ###vault kv delete secret/ansible/openvpn1
/ # vault secrets enable transit
/ # vault write transit/keys/ansible-openvpn1 type=rsa-4096
/ # vault list transit/keys/
/ # vault read transit/keys/ansible-openvpn1
/ # vault write transit/encrypt/ansible-openvpn1 plaintext="$(echo Hello World | base64)"
/ # vault write transit/decrypt/ansible-openvpn1 ciphertext="vault:v1:letsK..."
/ # echo SGVsbG8gV29ybGQK | base64 -d
/ # vault write transit/keys/webd-k8s type=rsa-4096
/ # vault write transit/keys/my-pgcluster type=rsa-4096
/ # vault policy write ansible-openvpn1 - <<EOF
path "/secret/data/ansible/openvpn1" {
capabilities = [ "read" ]
}
path "/transit/encrypt/ansible-openvpn1" {
capabilities = ["update"]
}
path "/transit/decrypt/ansible-openvpn1" {
capabilities = ["update"]
}
EOF
/ # vault policy list
/ # vault policy read ansible-openvpn1
/ # ###vault policy delete ansible-openvpn1
/ # vault policy write webd-k8s - <<EOF
path "/transit/encrypt/webd-k8s" {
capabilities = ["update"]
}
path "/transit/decrypt/webd-k8s" {
capabilities = ["update"]
}
EOF
/ # vault token create -policy="ansible-openvpn1"
Key                  Value
---                  -----
token                hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKU
token_accessor       vPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPp
...
/ # vault list auth/token/accessors
/ # vault token lookup -accessor vPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPp
/ # ###vault token revoke -accessor vPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPp
# VAULT_ADDR='http://server.corpX.un:8200'
# VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKU
# curl --header "X-Vault-Token: $VAULT_TOKEN" \
  --request GET \
  "$VAULT_ADDR/v1/secret/data/ansible/openvpn1" | jq
/ # vault write auth/token/roles/ansible-openvpn1-role allowed_policies=ansible-openvpn1 bound_cidrs="192.168.X.10" #period=32d
/ # vault list auth/token/roles/
/ # vault read auth/token/roles/ansible-openvpn1-role
/ # vault token create -role=ansible-openvpn1-role
Key                  Value
---                  -----
token                hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKk
token_accessor       sPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPU
server|gate# VAULT_ADDR='http://server.corpX.un:8200'
server|gate# VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKk
server|gate# export VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKk
/ # vault write auth/token/roles/ansible-openvpn1-role allowed_policies=ansible-openvpn1 bound_cidrs="192.168.X.0/24"
/ # vault token lookup -accessor sPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPU
...
bound_cidrs    [192.168.X.10]
...
# the token issued above keeps the bound_cidrs it was created with; updating the role does not change tokens that already exist
/ # vault write auth/token/roles/webd-k8s allowed_policies=webd-k8s bound_cidrs="192.168.X.0/24"
/ # vault token create -role=webd-k8s
/ # vault auth list
/ # vault auth enable approle
/ # vault write auth/approle/role/ansible-openvpn1-role \
  token_policies="ansible-openvpn1" \
  secret_id_bound_cidrs="192.168.X.10","127.0.0.0/8" \
  token_bound_cidrs="192.168.X.10","127.0.0.0/8" \
  policies="ansible-openvpn1"
/ # vault list auth/approle/role
/ # vault read auth/approle/role/ansible-openvpn1-role
...
/ # vault read auth/approle/role/ansible-openvpn1-role/role-id
Key        Value
---        -----
role_id    fUUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDD0
/ # vault write -force auth/approle/role/ansible-openvpn1-role/secret-id
Key                   Value
---                   -----
secret_id             1UUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDD2
secret_id_accessor    cUUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDDc
secret_id_num_uses    0
secret_id_ttl         0s
/ # vault write auth/approle/login role_id="fUUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDD0" secret_id="1UUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDD2"
Key                     Value
---                     -----
token                   hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKE
token_accessor          iPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPy
token_duration          768h
token_renewable         true
token_policies          ["ansible-openvpn1" "default"]
identity_policies       []
policies                ["ansible-openvpn1" "default"]
token_meta_role_name    ansible-openvpn1-role
server|gate# VAULT_ADDR='http://server.corpX.un:8200'
server|gate# VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKE