【vault】vault管理应用公私钥

启用KV机密引擎

#启用多版本
$ vault secrets enable -path=kv kv-v2
或
$ vault kv enable-versioning kv/

注：启用多版本后，配置policy和接口调用读写时，path需以【kv/data/】为前缀，否则只有【kv/】

ACL Policy配置

1. default policy

# Allow all app to read RSA public key
path "kv/data/rsa/public/*" {
  capabilities=["read"]
}

2.应用私有policy

示例：user应用policy

# Allow app to read own RSA private key
path "kv/data/rsa/private/user" {
  capabilities = ["read"]
}

示例：devops应用policy (可以读写所有应用公私钥）

path "kv/data/rsa/public/*" {
  capabilities = ["create", "update","read","delete","list"]
}
path "kv/data/rsa/private/*" {
  capabilities = ["create", "update","read","delete","list"]
}

vault客户端调用

• vault cli 调用 path无需/data
• java sdk 调用 path需/data

#1.读数据： version为空或0，读取默认版本 (返回版本号）
VaultResponse response=vaultApiTemplate.read(path,version);

#2.写数据：
Map map=new HashMap<>();
map.put("key","123456");
VaultResponse response=vaultApiTemplate.write(path,map);