1 vault開啟

vault server -dev(開發者模式)

vault server -config=config.hcl（生產環境啟動方式）

其中config.hcl內容如下，本地安裝配置mysql數據庫，ui=true可以訪問ui界面

disable_mlock = true
ui=true
storage "mysql" {
address = "127.0.0.1:3306"
username = "root"
password = "123456"
database = "vault"
table = "vault"
}
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = 1
}

2 vault_addr設置

另外啟動一個控制臺界面

windows環境：set VAULT_ADDR=http://127.0.0.1:8200

linux環境：exportVAULT_ADDR=http://127.0.0.1:8200

3 vault初始化

vault operator init或者vault operator init -key-shares=5 -key-threshold=3

說明：
-key-shares：指定秘鑰的總股數，
-key-threshold：指定需要幾股可解鎖
以上參數為默認，可不設置。

得到五個key(key1到key5)，后續解封用

vault operator unseal key1

vault operator unseal key2

vault operator unseal key3

vault status查看狀態，sealed為false表示解封了

Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 1.2.3
Cluster Name vault-cluster-181def04
Cluster ID 32b31c01-4c2e-bfcf-e44c-0abc862d6156
HA Enabled false

4 用產生的token登陸
vault login XXX

5 數據庫使用
vault secrets enable database

6 transit使用(在path=encryption)啟動transit，不寫-path=encryption則默認在transit路徑下

vault secrets enable -path=encryption transit

7 寫入數據庫連接配置

vault write database/config/my-mysql-database
plugin_name=mysql-database-plugin
connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/"
allowed_roles="my-role"
username="root"
password="123456"

8 設置動態密鑰策略
vault write database/roles/my-role
db_name=my-mysql-database
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT,INSERT,UPDATE ON *.* TO '{{name}}'@'%';"
default_ttl="1h"
max_ttl="24h"

9 配置文件，直接編寫vault policy write my-policy my-policy.hcl沒有成功，通過以下命令實現

vault policy write my-policy -<<EOF
# Normal servers have version 1 of KV mounted by default, so will need these
# paths:
path "secret/*" {
capabilities = ["create"]
}
path "secret/foo" {
capabilities = ["read"]
}
# Dev servers have version 2 of KV mounted by default, so will need these
# paths:
path "secret/data/*" {
capabilities = ["create"]
}
path "secret/data/foo" {
capabilities = ["read"]
}
EOF



vault 設置靜態role
0 在mysql中建立一個角色vault-edu
1 設置運行連接數據庫 vault secrets enable database
2 設置數據庫連接

vault write database/config/my-mysql-database plugin_name=mysql-database-plugin connection_url="{{username}}:{{password}}@tcp(30.16.104.43:3306)/" allowed_roles="*" username="root" password="123456"

3建立靜態角色education

vault write database/static-roles/education db_name=my-mysql-database rotation_statements=@rotation.sql username="vault-edu" rotation_period=86400

rotation.sql具體內容如下：
ALTER USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';

4 讀取education信息

vault read database/static-roles/education

5 新建一個策略app,并且寫入vault策略中，分配對應的token

vault policy write app app.hcl

vault token create -policy="app"

6 用分配的token登錄，查看對應的角色信息

VAULT_TOKEN=s.NN5Izfj9ok3VuZiaP9N9QJ1V vault read database/static-creds/education

設置vault角色

vault write database/roles/my-role
db_name=my-mysql-database
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT,INSERT,UPDATE ON *.* TO '{{name}}'@'%';"
default_ttl="1h"
max_ttl="24h“

vault生產環境配置

https://learn.hashicorp.com/tutorials/vault/configure-vault

激活vault加密輪轉密鑰參考https://learn.hashicorp.com/tutorials/vault/eaas-transit

To rotate the encryption key, invoke thetransit/keys/<key_ring_name>/rotateendpoint.

例如：vault write -f transit/keys/order/rotate

# List available auth method path "sys/auth" { capabilities = [ "read" ] } # Read default token configuration path "sys/auth/token/tune" { capabilities = [ "read", "sudo" ] } # Create and manage tokens (renew, lookup, revoke, etc.) path "auth/token/*" { capabilities = [ "create", "read", "update", "delete", "list", "sudo" ] } # For Advanced Features - list available secrets engines path "sys/mounts" { capabilities = [ "read" ] } # For Advanced Features - tune the database secrets engine TTL path "sys/mounts/database/tune" { capabilities = [ "update" ] }

總結

以上是生活随笔為你收集整理的vault学习笔记的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。