Vault study notes

1 Starting Vault

vault server -dev (developer mode)

vault server -config=config.hcl (how to start in production)

The content of config.hcl is shown below; a MySQL database is installed and configured locally, and ui=true makes the web UI reachable

disable_mlock = true
ui = true
storage "mysql" {
    address  = "127.0.0.1:3306"
    username = "root"
    password = "123456"
    database = "vault"
    table    = "vault"
}
listener "tcp" {
    address     = "127.0.0.1:8200"
    tls_disable = 1
}

 

2 Setting VAULT_ADDR

Open a second console

Windows: set VAULT_ADDR=http://127.0.0.1:8200

Linux: export VAULT_ADDR=http://127.0.0.1:8200

 

3 Initializing Vault

vault operator init, or vault operator init -key-shares=5 -key-threshold=3

Notes:
    -key-shares: the total number of key shares to produce
    -key-threshold: the number of shares required to unseal
    The values above are the defaults and can be omitted.

This produces five keys (key1 to key5), which are used later to unseal

vault operator unseal key1

vault operator unseal key2

vault operator unseal key3
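The reason three of the five keys are enough, and two are not, is Shamir secret sharing: the root key is the constant term of a random polynomial of degree threshold-1, and each share is one point on it. The following is an added example, not Vault's code; it works on an integer secret over a prime field (Vault's own implementation splits each byte over GF(2^8), but the threshold property is the same), and the function names and PRIME constant are choices made for this illustration.

```python
"""Threshold secret sharing in the style of Vault's Shamir seal.

Added example (not Vault's code): Vault splits the root key into
key-shares and requires key-threshold of them to unseal.  This toy
implementation works over the prime field GF(p) on an integer secret;
Vault's real implementation operates per byte over GF(2^8).
"""
import secrets

# A large prime modulus for the field; chosen for this example only.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with the given coefficients at x, mod PRIME (Horner)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, shares=5, threshold=3):
    """Split an integer secret into `shares` points, any `threshold` of which recover it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    # Constant term is the secret; the other threshold-1 coefficients are random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # Share i is the point (i, f(i)); x=0 is never handed out because f(0) is the secret.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points, threshold=3):
    """Recover f(0) by Lagrange interpolation from at least `threshold` distinct points."""
    if len(points) < threshold:
        raise ValueError(f"need at least {threshold} shares, got {len(points)}")
    points = points[:threshold]
    if len({x for x, _ in points}) != len(points):
        raise ValueError("duplicate share supplied")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Modular inverse via Fermat's little theorem (PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def demo():
    """Split a random secret 5 ways; 3 shares recover it, 2 are refused."""
    secret = int.from_bytes(secrets.token_bytes(16), "big") % PRIME
    shares = split_secret(secret, shares=5, threshold=3)
    ok = recover_secret([shares[0], shares[2], shares[4]]) == secret
    try:
        recover_secret(shares[:2])
        refused = False
    except ValueError:
        refused = True
    return ok, refused


if __name__ == "__main__":
    print(demo())
```

Any three of the five shares work, in any order, which is why the unseal commands above can be run with whichever three key holders are available; the shares never reveal the secret on their own.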

Run vault status to check the state; Sealed false means the server is unsealed

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.2.3
Cluster Name    vault-cluster-181def04
Cluster ID      32b31c01-4c2e-bfcf-e44c-0abc862d6156
HA Enabled      false
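The status table is what a readiness check should look at before anything else is done against the server. As an added example (not Vault's code), the function below parses that two-column output into a dict and reports whether the node is initialized and unsealed; the sample text is the table shown above, embedded here as a constant, and the function names are this example's own.

```python
"""Parse the Key/Value table printed by `vault status` and check readiness.

Added example, not Vault's code.  SAMPLE_STATUS is the table from these
notes, reproduced as a constant so the check runs without a server.
"""

SAMPLE_STATUS = """\
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.2.3
Cluster Name    vault-cluster-181def04
Cluster ID      32b31c01-4c2e-bfcf-e44c-0abc862d6156
HA Enabled      false
"""


def parse_status(text):
    """Turn the two-column table into a dict; booleans and integers are converted."""
    fields = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Key ") or line.startswith("---"):
            continue
        # Columns are separated by a run of two or more spaces; the key itself
        # may contain single spaces ("Seal Type", "Total Shares").
        key, _, value = line.partition("  ")
        value = value.strip()
        if value in ("true", "false"):
            fields[key] = value == "true"
        elif value.isdigit():
            fields[key] = int(value)
        else:
            fields[key] = value
    return fields


def check_ready(text):
    """Return (ready, problems); ready is True only when initialized and unsealed."""
    st = parse_status(text)
    problems = []
    if not st.get("Initialized", False):
        problems.append("not initialized: run `vault operator init`")
    if st.get("Sealed", True):
        needed = st.get("Threshold", "?")
        problems.append(
            f"sealed: supply {needed} unseal key shares with `vault operator unseal`"
        )
    return (not problems, problems)


if __name__ == "__main__":
    print(check_ready(SAMPLE_STATUS))
```

A missing field is treated as the unsafe value (not initialized, sealed), so truncated or unexpected output never reports the server as ready.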

4 Log in with the token produced by init
vault login XXX

5 Enabling the database secrets engine
vault secrets enable database

6 Enabling transit (at path=encryption); without -path=encryption it is mounted at the default transit path

vault secrets enable -path=encryption transit

7 Write the database connection configuration

vault write database/config/my-mysql-database \
    plugin_name=mysql-database-plugin \
    connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \
    allowed_roles="my-role" \
    username="root" \
    password="123456"
 
8 Define the dynamic-credential role
vault write database/roles/my-role \
    db_name=my-mysql-database \
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT,INSERT,UPDATE ON *.* TO '{{name}}'@'%';" \
    default_ttl="1h" \
    max_ttl="24h"
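Before a role like this is written, a reviewer would check the same three fields the command takes: the TTLs, and the SQL that every lease will execute with {{name}} and {{password}} filled in. The following is an added example, not Vault's code; the ROLE constant is constructed from the command above, the duration parser covers the s/m/h/d units Vault accepts, and the finding rules (flagging grants on *.* and administrative privileges) are this example's own policy, not anything Vault enforces.

```python
"""Sanity-check a Vault database role definition before writing it.

Added example, not Vault's code.  It inspects the fields passed to
`vault write database/roles/<role>` and lists the settings a reviewer
would question.  The rules below are this example's own choices.
"""
import re

# Constructed to match the role defined above.
ROLE = {
    "db_name": "my-mysql-database",
    "creation_statements": (
        "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';"
        "GRANT SELECT,INSERT,UPDATE ON *.* TO '{{name}}'@'%';"
    ),
    "default_ttl": "1h",
    "max_ttl": "24h",
}

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Privileges that give a leased account more than data access.
_ADMIN_PRIVS = ("ALL", "SUPER", "GRANT OPTION", "FILE", "PROCESS")


def parse_duration(value):
    """Convert a Vault-style duration ("1h", "30m", "24h") or bare seconds to seconds."""
    value = str(value).strip()
    if value.isdigit():
        return int(value)
    m = re.fullmatch(r"(\d+)([smhd])", value)
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def review_role(role):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    default_ttl = parse_duration(role["default_ttl"])
    max_ttl = parse_duration(role["max_ttl"])
    if default_ttl > max_ttl:
        findings.append("default_ttl exceeds max_ttl")
    if max_ttl > 24 * 3600:
        findings.append("max_ttl longer than a day: a leaked credential stays valid longer")
    stmts = [s.strip() for s in role["creation_statements"].split(";") if s.strip()]
    for s in stmts:
        upper = s.upper()
        if upper.startswith("GRANT"):
            if re.search(r"\bON\s+\*\.\*", upper):
                findings.append(f"grant on all databases: {s}")
            for priv in _ADMIN_PRIVS:
                if re.search(rf"\b{re.escape(priv)}\b", upper):
                    findings.append(f"administrative privilege {priv} in: {s}")
        if upper.startswith("CREATE USER") and "{{name}}" not in s:
            findings.append("CREATE USER does not use {{name}}: every lease would share one account")
    return findings


def render(statements, name, password):
    """Show the SQL Vault would run for one lease by filling in the templates."""
    return statements.replace("{{name}}", name).replace("{{password}}", password)


if __name__ == "__main__":
    for finding in review_role(ROLE):
        print("finding:", finding)
    print(render(ROLE["creation_statements"], "v-token-my-role-example", "<generated>"))
```

Run against the role above, the only finding is the grant on *.*: every leased user can read and modify every database on the server, so in practice the grant is usually narrowed to the one schema the application needs.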
 

9 Policy file: writing it directly with vault policy write my-policy my-policy.hcl did not succeed, so it was done with the following command instead

vault policy write my-policy - <<EOF
# Normal servers have version 1 of KV mounted by default, so will need these
# paths:
path "secret/*" {
  capabilities = ["create"]
}
path "secret/foo" {
  capabilities = ["read"]
}
# Dev servers have version 2 of KV mounted by default, so will need these
# paths:
path "secret/data/*" {
  capabilities = ["create"]
}
path "secret/data/foo" {
  capabilities = ["read"]
}
EOF
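What this policy actually permits is easy to misread, because Vault applies an exact-path rule in preference to a glob rule and otherwise picks the longest matching glob prefix, with a "deny" capability overriding everything. The following is an added example, not Vault's code: a small evaluator that parses path blocks like the ones above (only the trailing-* glob is handled, not the newer + segment wildcard) and answers whether a given capability is allowed on a given path; MY_POLICY is the policy text from these notes, and the function names are this example's own.

```python
"""A minimal evaluator for Vault ACL policies such as my-policy above.

Added example, not Vault's code.  It parses `path "..." { capabilities = [...] }`
blocks from policy text and applies Vault's documented precedence: an
exact-path rule beats glob rules, otherwise the longest matching glob
prefix wins, and a rule containing "deny" refuses everything.  Only the
trailing-`*` glob is handled; the `+` segment wildcard is not.
"""
import re

# The policy from the notes, reproduced as a string.
MY_POLICY = '''
# Normal servers have version 1 of KV mounted by default, so will need these
# paths:
path "secret/*" {
  capabilities = ["create"]
}
path "secret/foo" {
  capabilities = ["read"]
}
# Dev servers have version 2 of KV mounted by default, so will need these
# paths:
path "secret/data/*" {
  capabilities = ["create"]
}
path "secret/data/foo" {
  capabilities = ["read"]
}
'''

_RULE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)


def parse_policy(text):
    """Return a dict mapping each path pattern to its set of capabilities."""
    # Drop comment lines first so text inside a comment cannot confuse the regex.
    body = "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("#")
    )
    rules = {}
    for path, caps in _RULE.findall(body):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def matching_rule(rules, request_path):
    """Pick the rule Vault would apply: exact match first, then longest glob prefix."""
    if request_path in rules:
        return request_path
    best = None
    for pattern in rules:
        if pattern.endswith("*") and request_path.startswith(pattern[:-1]):
            if best is None or len(pattern) > len(best):
                best = pattern
    return best


def is_allowed(rules, request_path, capability):
    """True if a token holding this policy may perform `capability` on `request_path`."""
    rule = matching_rule(rules, request_path)
    if rule is None:
        return False  # no matching rule: Vault's default is deny
    caps = rules[rule]
    if "deny" in caps:
        return False  # deny always wins over any other capability
    return capability in caps


if __name__ == "__main__":
    rules = parse_policy(MY_POLICY)
    for path, cap in [("secret/foo", "read"), ("secret/foo", "create"),
                      ("secret/bar", "create"), ("secret/data/foo", "read")]:
        print(f"{cap:6} {path:18} -> {is_allowed(rules, path, cap)}")
```

The case worth noticing is secret/foo: because the exact rule for it lists only read, a token with this policy can create secret/bar but not secret/foo, even though secret/* grants create. The glob rule does not merge with the exact rule; the exact rule replaces it.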