Start the Vault server (dev mode)
vault server -dev
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN="s.XmpNPoi9sRhYtdKHaQhkHP6x"
Enable the KV secrets engine
vault secrets enable -path=kv
# To support multiple versions (KV v2), use either of:
(1)vault secrets enable -path=kv kv-v2
(2)vault kv enable-versioning kv/
List the secrets engines
➜ ~ vault secrets list
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_b6b3c999    per-token private secret storage
identity/     identity     identity_cd676d4a     identity store
kv/           kv           kv_b591ce58           n/a
secret/       kv           kv_e95dfadc           key/value secret storage
sys/          system       system_69354e39       system endpoints used for control, policy and debugging
Write KV data
➜ ~ vault kv put kv/data/rsa/public/card key=333
Key              Value
---              -----
created_time     2021-03-18T09:31:09.268356Z
deletion_time    n/a
destroyed        false
version          1
Read KV data
➜ ~ vault kv get kv/data/rsa/public/card
====== Metadata ======
Key              Value
---              -----
created_time     2021-03-18T09:31:09.268356Z
deletion_time    n/a
destroyed        false
version          1
=== Data ===
Key    Value
---    -----
Create an ACL policy
# Read the policy definition from a local file
➜ ~ vault policy write guardplus ~/tmp/guardplus.hcl
List policies
➜ ~ vault policy list
default
guardplus
registryplus
swaggerplus
root
Show a policy's details
➜ ~ vault policy read swaggerplus
path "kv/data/rsa/private/swaggerplus" {
capabilities=["read"]
}
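The `swaggerplus` policy above grants read on `kv/data/rsa/private/swaggerplus`, which is the KV v2 API path. Note that on a KV v2 mount the `vault kv` CLI inserts the `data/` segment itself (and `metadata/`, `delete/` etc. for the other operations), so the logical path given to `vault kv put`/`get` should omit it, while ACL policies are matched against the full API path and must include it. The script below is an added example, not part of the original notes: it maps logical KV paths to the API paths a policy needs and generates a least-privilege policy file for an application such as `guardplus` (the `rsa/private/<app>` layout and the file name are assumptions taken from the notes' conventions).

```shell
#!/bin/sh
# Added example (not from the original notes): derive KV API paths and emit a
# least-privilege ACL policy for one application on a KV v2 mount.
# Assumptions: mount "kv" is KV v2; the secret layout rsa/private/<app> and
# the app name "guardplus" follow the notes and are illustrative.

# Map a logical KV path (what `vault kv put/get` takes) to the API path that
# ACL policies are matched against. KV v2 prefixes the logical path with
# data/, metadata/, delete/, undelete/ or destroy/ depending on the
# operation; KV v1 uses the logical path unchanged.
# usage: kv_api_path MOUNT VERSION OPERATION LOGICAL_PATH
kv_api_path() {
  mount=${1%/}; version=$2; op=$3; logical=${4#/}
  if [ "$version" = 1 ]; then
    printf '%s/%s\n' "$mount" "$logical"
    return 0
  fi
  case "$op" in
    data|metadata|delete|undelete|destroy)
      printf '%s/%s/%s\n' "$mount" "$op" "$logical" ;;
    *)
      echo "kv_api_path: unknown KV v2 operation '$op'" >&2
      return 1 ;;
  esac
}

# Emit an HCL policy that lets APP read only its own secret (data and
# version metadata) and nothing else on the mount.
# usage: app_policy_hcl MOUNT APP
app_policy_hcl() {
  mount=$1; app=$2
  secret_path=$(kv_api_path "$mount" 2 data "rsa/private/$app") || return 1
  metadata_path=$(kv_api_path "$mount" 2 metadata "rsa/private/$app") || return 1
  printf 'path "%s" {\n  capabilities = ["read"]\n}\n\n' "$secret_path"
  printf 'path "%s" {\n  capabilities = ["read"]\n}\n' "$metadata_path"
}

# Write the policy file and load it, like `vault policy write guardplus
# ~/tmp/guardplus.hcl` in the notes. Only runs when WRITE_POLICY=1 and a
# Vault server is reachable via VAULT_ADDR/VAULT_TOKEN.
if [ "${WRITE_POLICY:-0}" = 1 ]; then
  app_policy_hcl kv guardplus > /tmp/guardplus.hcl
  vault policy write guardplus /tmp/guardplus.hcl
fi
```

Run it as `WRITE_POLICY=1 sh make_policy.sh` against a dev server; without the variable it only defines the functions. Keeping the policy to `read` on the application's own `data/` and `metadata/` paths means a leaked AppRole token cannot write, delete or enumerate other secrets on the mount.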
Create a token from a policy
➜ ~ vault token create -policy=guardplus
Key                  Value
---                  -----
token                s.PvPiW1awHXpdoqMbnaLpmyzw
token_accessor       IpUqjNnbggTe71nKozPda7zK
token_duration       768h
token_renewable      true
token_policies       ["default" "guardplus"]
identity_policies    []
policies             ["default" "guardplus"]
# Write data with this token
➜ ~ VAULT_TOKEN=s.PvPiW1awHXpdoqMbnaLpmyzw vault kv put kv/creds password="my-long-password"
List auth methods
➜ ~ vault auth list
Path        Type       Accessor                 Description
----        ----       --------                 -----------
approle/    approle    auth_approle_aecb2c85    n/a
token/      token      auth_token_ead59e09      token based credentials
Enable the AppRole auth method
➜ ~ vault auth enable approle
Create a role for the application
# role_name is the application name
➜ ~ vault write auth/approle/role/guardplus \
bind_secret_id=true \
secret_id_num_uses=0 \
token_num_uses=100 \
token_ttl=10m \
token_max_ttl=10m \
policies=guardplus
Success! Data written to: auth/approle/role/guardplus
Look up the role_id
➜ ~ vault read auth/approle/role/guardplus/role-id
Key        Value
---        -----
role_id    9dd81570-7e2d-9cd3-8352-217316ac8b17
Create a secret_id
# The role must exist, otherwise an error is returned
➜ ~ vault write -f auth/approle/role/guardplus/secret-id
Key                   Value
---                   -----
secret_id             6423ddff-59c8-0852-8e8b-b5589c7f6b59
secret_id_accessor    e9f2dfa8-18c1-e4e5-730b-f357dc642e8c
Put the role_id and secret_id into environment variables
➜ ~ export ROLE_ID="$(vault read -field=role_id auth/approle/role/guardplus/role-id)"
➜ ~ export SECRET_ID="$(vault write -f -field=secret_id auth/approle/role/guardplus/secret-id)"
# Use them to log in
➜ ~ vault write auth/approle/login role_id="$ROLE_ID" secret_id="$SECRET_ID"
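`vault write auth/approle/login` is a thin wrapper over a POST to `/v1/auth/approle/login`, and the application itself will usually speak that API directly rather than shell out to the CLI. The script below is an added example, not part of the original notes: it shows the login exchange with `curl`, parses `auth.client_token` out of the reply without depending on `jq`, fails closed when the reply carries no token (an `{"errors":[...]}` body from a bad `secret_id`), and then reads the application's secret with the token. The sample reply is constructed; `VAULT_ADDR`, `ROLE_ID` and `SECRET_ID` are assumed to be set as in the notes, and the secret path `kv/data/rsa/private/guardplus` is an assumption.

```shell
#!/bin/sh
# Added example (not from the original notes): the AppRole login exchange
# over Vault's HTTP API. Assumes VAULT_ADDR, ROLE_ID and SECRET_ID are set
# when run for real and that curl is installed. The mount "kv" and the
# secret path are hypothetical.

# Build the JSON body for POST /v1/auth/approle/login.
# usage: approle_login_payload ROLE_ID SECRET_ID
approle_login_payload() {
  printf '{"role_id":"%s","secret_id":"%s"}' "$1" "$2"
}

# Pull auth.client_token out of a login reply. Prints nothing and returns 1
# when the reply carries no token, so callers can fail closed.
# usage: client_token_from_response JSON
client_token_from_response() {
  token=$(printf '%s' "$1" | sed -n 's/.*"client_token":"\([^"]*\)".*/\1/p')
  [ -n "$token" ] || return 1
  printf '%s\n' "$token"
}

# Pull auth.lease_duration (seconds) out of a login reply: the auth block's
# lease_duration follows client_token, which distinguishes it from the
# top-level lease_duration of 0. Tells the app when the role's token_ttl
# (10m in the notes) runs out.
# usage: lease_seconds_from_response JSON
lease_seconds_from_response() {
  printf '%s' "$1" | sed -n 's/.*"client_token".*"lease_duration":\([0-9]*\).*/\1/p'
}

# Constructed sample replies (shape of a real login reply, values invented)
# used for offline checks of the parsers above.
SAMPLE_LOGIN_RESPONSE='{"request_id":"00000000-0000-0000-0000-000000000000","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":null,"auth":{"client_token":"hvs.EXAMPLEtoken","accessor":"EXAMPLEaccessor","policies":["default","guardplus"],"token_policies":["default","guardplus"],"metadata":{"role_name":"guardplus"},"lease_duration":600,"renewable":true,"entity_id":"","token_type":"service","orphan":true,"num_uses":100}}'
SAMPLE_ERROR_RESPONSE='{"errors":["constructed error: login rejected"]}'

# Perform the login against the live server.
approle_login() {
  curl -sS -X POST "$VAULT_ADDR/v1/auth/approle/login" \
    -d "$(approle_login_payload "$ROLE_ID" "$SECRET_ID")"
}

# Only runs when APPROLE_DEMO=1 and a Vault server is reachable.
if [ "${APPROLE_DEMO:-0}" = 1 ]; then
  resp=$(approle_login)
  VAULT_TOKEN=$(client_token_from_response "$resp") || {
    echo "login failed: $resp" >&2; exit 1; }
  echo "token valid for $(lease_seconds_from_response "$resp")s"
  # KV v2 read: the API path carries the data/ segment, matching the policy.
  curl -sS -H "X-Vault-Token: $VAULT_TOKEN" \
    "$VAULT_ADDR/v1/kv/data/rsa/private/guardplus"
fi
```

Run it as `APPROLE_DEMO=1 sh approle_login.sh` with the variables from the notes exported. The token is passed in the `X-Vault-Token` header and never on the command line of a child process, and the script aborts rather than continuing with an empty token when the login is rejected.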
Check the default expiry time of Vault tokens
➜ ~ vault read sys/auth/token/tune
Key                  Value
---                  -----
default_lease_ttl    768h
description          token based credentials
force_no_cache       false
max_lease_ttl        768h
token_type           default-service
The default is 32 days (768h) and can be overridden.
➜ ~ vault write sys/auth/token/tune default_lease_ttl=700h max_lease_ttl=720h
Success! Data written to: sys/auth/token/tune
➜ ~ vault read sys/auth/token/tune
Key                  Value
---                  -----
default_lease_ttl    700h
description          token based credentials
force_no_cache       false
max_lease_ttl        720h
token_type           default-service
Count the number of tokens
vault read sys/internal/counters/tokens
Difference between parent and child tokens:
Each token has its own lifetime. If the parent token has a TTL of 1h and the child token 3h, then when the parent expires after 1 hour the child token expires with it, even though it still has 2 hours left.
Difference between token TTL and max TTL:
If a token is renewable, renewal can extend its lifetime only up to the max TTL; once the max TTL is reached, the token can no longer be renewed.