

Hashicorp Vault

Установка и подключение

# docker run -d --name my-vault -p 8200:8200 hashicorp/vault:1.21.3

# docker logs my-vault
...
Unseal Key: P0NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN8=
Root Token: hMMMMMMMMMMMMMMMMMMMMMMMMMV
...
# docker exec -ti my-vault sh

/ # export VAULT_ADDR='http://127.0.0.1:8200'

/ # vault status

/ # vault login token=hMMMMMMMMMMMMMMMMMMMMMMMMMV

/ # vault secrets list

/ # ###rm ~/.vault-token

KV secrets engine

/ # vault secrets list

/ # vault kv put secret/ansible/openvpn1 \
username=student \
password=password

/ # vault kv list secret/ansible/
Keys
----
openvpn1

/ # vault kv get secret/ansible/openvpn1
======== Secret Path ========
secret/data/ansible/openvpn1
...
version            1
...


/ # ###vault kv delete secret/ansible/openvpn1

Transit secrets engine

/ # vault secrets enable transit

/ # vault write transit/keys/ansible-openvpn1 type=rsa-4096

/ # vault list transit/keys/

/ # vault read transit/keys/ansible-openvpn1

/ # vault write transit/encrypt/ansible-openvpn1 plaintext="$(echo Hello World | base64)"

/ # vault write transit/decrypt/ansible-openvpn1 ciphertext="vault:v1:letsK..."

/ # echo SGVsbG8gV29ybGQK | base64 -d
/ # vault write transit/keys/webd-k8s type=rsa-4096

/ # vault write transit/keys/my-pgcluster type=rsa-4096

Vault policy

/ # vault policy write ansible-openvpn1 - <<EOF
path "/secret/data/ansible/openvpn1" {
  capabilities = [ "read" ]
}
path "/transit/encrypt/ansible-openvpn1" {
  capabilities = ["update"]
}
path "/transit/decrypt/ansible-openvpn1" {
  capabilities = ["update"]
}
EOF
/ # vault policy list

/ # vault policy read ansible-openvpn1

/ # ###vault policy delete ansible-openvpn1
/ # vault policy write webd-k8s - <<EOF
path "/transit/encrypt/webd-k8s" {
  capabilities = ["update"]
}
path "/transit/decrypt/webd-k8s" {
  capabilities = ["update"]
}
EOF
/ # vault policy write my-pgcluster - <<EOF
path "/transit/encrypt/my-pgcluster" {
  capabilities = ["update"]
}
path "/transit/decrypt/my-pgcluster" {
  capabilities = ["update"]
}
EOF
/ # vault policy write my-keycloak - <<EOF
path "/transit/encrypt/my-keycloak" {
  capabilities = ["update"]
}
path "/transit/decrypt/my-keycloak" {
  capabilities = ["update"]
}
EOF

Vault token

/ # vault token create -policy="ansible-openvpn1"
Key                  Value
---                  -----
token                hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKU
token_accessor       vPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPp
...

/ # vault list auth/token/accessors

/ # vault token lookup -accessor vPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPp

/ # ###vault token revoke -accessor vPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPp

# VAULT_ADDR='http://server.corpX.un:8200'
#  VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKU

# curl --header "X-Vault-Token: $VAULT_TOKEN" \
  --request GET \
  "$VAULT_ADDR/v1/secret/data/ansible/openvpn1" | jq

Vault auth token role

/ # vault write auth/token/roles/ansible-openvpn1-role allowed_policies=ansible-openvpn1 bound_cidrs="192.168.X.10" #period=32d

/ # vault list auth/token/roles/

/ # vault read auth/token/roles/ansible-openvpn1-role

/ # vault token create -role=ansible-openvpn1-role 
Key                  Value 
---                  -----
token                hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKk
token_accessor       sPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPU

server|gate# VAULT_ADDR='http://server.corpX.un:8200'
server|gate#  VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKk
server|gate#  export VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKk

/ # vault write auth/token/roles/ansible-openvpn1-role allowed_policies=ansible-openvpn1 bound_cidrs="192.168.X.0/24"

/ # vault token lookup -accessor sPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPU
...
bound_cidrs         [192.168.X.10]
...
/ # vault write auth/token/roles/webd-k8s allowed_policies=webd-k8s bound_cidrs="192.168.X.0/24"

/ # vault token create -role=webd-k8s 
/ # vault write auth/token/roles/my-pgcluster allowed_policies=my-pgcluster bound_cidrs="192.168.X.10, 192.168.X.221"

/ # vault token create -role=my-pgcluster

Vault auth approle

/ # vault auth list

/ # vault auth enable approle

/ # vault write auth/approle/role/ansible-openvpn1-role \
  token_policies="ansible-openvpn1" \
  secret_id_bound_cidrs="192.168.X.10","127.0.0.0/8" \
  token_bound_cidrs="192.168.X.10","127.0.0.0/8" \
  policies="ansible-openvpn1"
  
/ # vault list auth/approle/role
  
/ # vault read auth/approle/role/ansible-openvpn1-role
...

/ # vault read auth/approle/role/ansible-openvpn1-role/role-id
Key        Value
---        -----
role_id    fUUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDD0

/ # vault write -force auth/approle/role/ansible-openvpn1-role/secret-id
Key                   Value
---                   -----
secret_id             1UUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDD2
secret_id_accessor    cUUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDDc
secret_id_num_uses    0
secret_id_ttl         0s

/ # vault write auth/approle/login role_id="fUUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDD0" secret_id="1UUUUUUUUUUUUUUUUUUIIIIIIIIIIDDDDDDD2"
Key                     Value
---                     -----
token                   hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKE
token_accessor          iPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPy
token_duration          768h
token_renewable         true
token_policies          ["ansible-openvpn1" "default"]
identity_policies       []
policies                ["ansible-openvpn1" "default"]
token_meta_role_name    ansible-openvpn1-role

server|gate# VAULT_ADDR='http://server.corpX.un:8200'
server|gate#  VAULT_TOKEN=hKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKE