Hashicorp Vault
Установка и подключение
# docker run -d --name my-vault -p 8200:8200 hashicorp/vault:1.21.3
# docker logs my-vault
...
Unseal Key: P0NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN8=
Root Token: hMMMMMMMMMMMMMMMMMMMMMMMMMV
...
The image's default entrypoint starts Vault in dev mode: the unseal key and root token are printed to the container log, storage is in-memory, and the listener is plain HTTP — this layout is for the lab only.
# docker exec -ti my-vault sh
/ # export VAULT_ADDR='http://127.0.0.1:8200'
/ # vault status
/ # vault login token=hMMMMMMMMMMMMMMMMMMMMMMMMMV
/ # vault secrets list
/ # ###rm ~/.vault-token
KV secrets engine
/ # vault secrets list
/ # vault kv put secret/ansible/openvpn1 \
username=vagrant \
password=strongpassword
/ # vault kv list secret/ansible/
Keys
----
openvpn1
/ # vault kv get secret/ansible/openvpn1
======== Secret Path ========
secret/data/ansible/openvpn1
...
version 1
...
/ # ###vault kv delete secret/ansible/openvpn1
Transit secrets engine
/ # vault secrets enable transit
/ # vault write transit/keys/ansible-openvpn1 type=rsa-4096
/ # vault list transit/keys/
/ # vault read transit/keys/ansible-openvpn1
/ # vault write transit/encrypt/ansible-openvpn1 plaintext="$(echo Hello World | base64)"
/ # vault write transit/decrypt/ansible-openvpn1 ciphertext="vault:v1:letsK..."
/ # echo SGVsbG8gV29ybGQK | base64 -d
/ # vault write transit/keys/my-pgcluster type=rsa-4096
/ # vault write transit/keys/my-keycloak type=rsa-4096
Vault policy
/ # vault policy write ansible-openvpn1 - <<EOF
path "/secret/data/ansible/openvpn1" {
capabilities = [ "read" ]
}
path "/transit/encrypt/ansible-openvpn1" {
capabilities = ["update"]
}
path "/transit/decrypt/ansible-openvpn1" {
capabilities = ["update"]
}
EOF
/ # vault policy list
/ # vault policy read ansible-openvpn1
/ # ###vault policy delete ansible-openvpn1
/ # vault policy write my-pgcluster - <<EOF
path "/transit/encrypt/my-pgcluster" {
capabilities = ["update"]
}
path "/transit/decrypt/my-pgcluster" {
capabilities = ["update"]
}
EOF
/ # vault policy write my-keycloak - <<EOF
path "/transit/encrypt/my-keycloak" {
capabilities = ["update"]
}
path "/transit/decrypt/my-keycloak" {
capabilities = ["update"]
}
EOF
Vault token
/ # vault token create -policy="ansible-openvpn1"
Key Value
--- -----
token hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKU
token_accessor vPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPp
...
/ # vault list auth/token/accessors
/ # vault token lookup -accessor vPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPp
/ # ###vault token revoke -accessor vPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPp
# VAULT_ADDR='http://server.corpX.un:8200'
# VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKU
# curl --header "X-Vault-Token: $VAULT_TOKEN" \
--request GET \
"$VAULT_ADDR/v1/secret/data/ansible/openvpn1" | jq
The token travels in the `X-Vault-Token` header, so with an `http://` VAULT_ADDR it crosses the network unencrypted; the same holds for every VAULT_TOKEN export below.
Vault auth token role
/ # vault write auth/token/roles/ansible-openvpn1-role allowed_policies=ansible-openvpn1 bound_cidrs="192.168.X.10" #period=32d
/ # vault list auth/token/roles/
/ # vault read auth/token/roles/ansible-openvpn1-role
/ # vault token create -role=ansible-openvpn1-role
Key Value
--- -----
token hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKk
token_accessor sPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPU
server|gate# VAULT_ADDR='http://server.corpX.un:8200'
server|gate# VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKk
/ # vault write auth/token/roles/ansible-openvpn1-role allowed_policies=ansible-openvpn1 bound_cidrs="192.168.X.0/24"
/ # vault token lookup -accessor sPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPU
...
bound_cidrs [192.168.X.10]
...
Note: bound_cidrs is fixed at the moment a token is created, so updating the role does not change tokens already issued; create a new token from the role to get the wider CIDR.
/ # vault write auth/token/roles/my-pgcluster allowed_policies=my-pgcluster bound_cidrs="192.168.X.10, 192.168.X.221"
/ # vault token create -role=my-pgcluster
/ # vault write auth/token/roles/my-keycloak allowed_policies=my-keycloak bound_cidrs="192.168.X.10, 192.168.X.221"
/ # vault token create -role=my-keycloak
Vault auth approle
/ # vault auth list
/ # vault auth enable approle
/ # vault write auth/approle/role/ansible-openvpn1-role \
token_policies="ansible-openvpn1" \
secret_id_bound_cidrs="192.168.X.10","127.0.0.0/8" \
token_bound_cidrs="192.168.X.10","127.0.0.0/8" \
policies="ansible-openvpn1"
/ # vault list auth/approle/role
/ # vault read auth/approle/role/ansible-openvpn1-role
...
/ # vault read auth/approle/role/ansible-openvpn1-role/role-id
Key Value
--- -----
role_id fUUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDD0
/ # vault write -force auth/approle/role/ansible-openvpn1-role/secret-id
Key Value
--- -----
secret_id 1UUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDD2
secret_id_accessor cUUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDDc
secret_id_num_uses 0
secret_id_ttl 0s
Note: 0 for both fields means this SecretID never expires and can be used any number of times; outside a lab, set secret_id_num_uses and secret_id_ttl on the role to bound it.
/ # vault write auth/approle/login role_id="fUUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDD0" secret_id="1UUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDD2"
Key Value
--- -----
token hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKE
token_accessor iPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPy
token_duration 768h
token_renewable true
token_policies ["ansible-openvpn1" "default"]
identity_policies []
policies ["ansible-openvpn1" "default"]
token_meta_role_name ansible-openvpn1-role
server|gate# VAULT_ADDR='http://server.corpX.un:8200'
server|gate# VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKE