【vault】Managing application public and private keys with Vault

Enable the KV secrets engine

# Enable the versioned (kv-v2) engine
$ vault secrets enable -path=kv kv-v2
or, on an existing kv mount
$ vault kv enable-versioning kv/

Note: once versioning is enabled, the paths used in policies and in API read/write calls must carry the kv/data/ prefix; without versioning (kv v1) the prefix is just kv/.

ACL policy configuration

1. default policy

# Allow every app to read the RSA public keys
path "kv/data/rsa/public/*" {
  capabilities = ["read"]
}

2. Application-specific policy

Example: policy for the "user" application

# Allow the app to read only its own RSA private key
path "kv/data/rsa/private/user" {
  capabilities = ["read"]
}

Example: policy for the devops application (may read and write every application's public and private keys)

path "kv/data/rsa/public/*" {
  capabilities = ["create", "update", "read", "delete", "list"]
}
path "kv/data/rsa/private/*" {
  capabilities = ["create", "update", "read", "delete", "list"]
}

Vault client calls

  • Vault CLI calls: the path must NOT include /data (the CLI inserts it)
  • Java SDK calls: the path MUST include /data (the API path is used verbatim)
import java.util.HashMap;
import java.util.Map;

// 1. Read data: when version is null or 0 the current version is returned
//    (the response carries the version number that was actually read)
VaultResponse response = vaultApiTemplate.read(path, version);

// 2. Write data: the map becomes the secret's key/value payload
Map<String, Object> map = new HashMap<>();
map.put("key", "123456");
VaultResponse response = vaultApiTemplate.write(path, map);
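The kv/data/ prefix note and the three policies above are modelled in the following Python, an added example that is not part of the original post and never contacts a Vault server. to_api_path applies the KV v2 rewrite that the CLI performs implicitly and the Java SDK does not (kv/rsa/... becomes kv/data/rsa/... for reads and writes, kv/metadata/... for metadata), and allowed_capabilities evaluates the policies with simplified Vault semantics (deny by default, an exact path rule beats a glob rule, the longest glob prefix is the most specific, identical rule paths across a token's policies are merged, and a deny capability overrides). The policy dictionaries, the user/devops policy sets and the "order" application name are constructed for the example; the function names are assumptions of this example, not Vault's or any SDK's.

```python
"""Model of Vault KV v2 path prefixes and ACL policy evaluation.

Added example: runs offline and does not contact a Vault server. Function names
and the sample application names are assumptions made for this illustration.
"""

# Policies transcribed from the HCL above (constructed for this example).
DEFAULT_POLICY = {"kv/data/rsa/public/*": {"read"}}
USER_POLICY = {"kv/data/rsa/private/user": {"read"}}
DEVOPS_POLICY = {
    "kv/data/rsa/public/*": {"create", "update", "read", "delete", "list"},
    "kv/data/rsa/private/*": {"create", "update", "read", "delete", "list"},
}

# KV v2 API segment that Vault inserts after the mount for each operation;
# `vault kv get kv/rsa/public/user` actually calls GET kv/data/rsa/public/user.
KV2_SEGMENT = {
    "get": "data", "put": "data", "delete": "data",
    "undelete": "undelete", "destroy": "destroy", "metadata": "metadata",
}

# Capability an operation needs on the translated path (any one of the set suffices).
NEEDED_CAPABILITY = {
    "get": {"read"}, "put": {"create", "update"}, "delete": {"delete"},
    "undelete": {"update"}, "destroy": {"update"}, "metadata": {"read"},
}


def to_api_path(mount, operation, secret_path, versioned=True):
    """Translate a CLI-style path (mount + secret) into the API path a policy must name."""
    mount, secret_path = mount.strip("/"), secret_path.strip("/")
    if not versioned:  # KV v1: no extra segment, policies use kv/ directly
        return f"{mount}/{secret_path}"
    if operation not in KV2_SEGMENT:
        raise ValueError(f"unknown KV v2 operation: {operation}")
    return f"{mount}/{KV2_SEGMENT[operation]}/{secret_path}"


def _rule_matches(rule_path, request_path):
    # A trailing '*' is a prefix glob; anything else must match exactly.
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return rule_path == request_path


def allowed_capabilities(policies, request_path):
    """Simplified Vault semantics: deny by default, exact rule beats glob, longest
    glob prefix is most specific, the same rule path across policies is merged,
    and a 'deny' capability overrides everything else."""
    merged = {}  # rule path -> union of capabilities from every attached policy
    for policy in policies:
        for rule_path, caps in policy.items():
            if _rule_matches(rule_path, request_path):
                merged.setdefault(rule_path, set()).update(caps)
    if not merged:
        return set()
    winner = max(merged, key=lambda p: (not p.endswith("*"), len(p)))
    caps = merged[winner]
    return set() if "deny" in caps else set(caps)


def check(policies, mount, operation, secret_path):
    """True if a token holding `policies` may perform `operation` on the KV v2 secret."""
    api_path = to_api_path(mount, operation, secret_path)
    return bool(NEEDED_CAPABILITY[operation] & allowed_capabilities(policies, api_path))


if __name__ == "__main__":
    user_token = [DEFAULT_POLICY, USER_POLICY]      # what the `user` app's token holds
    devops_token = [DEFAULT_POLICY, DEVOPS_POLICY]  # what the devops tooling holds
    cases = [
        ("user app reads another app's public key", user_token, "get", "rsa/public/order"),
        ("user app reads its own private key", user_token, "get", "rsa/private/user"),
        ("user app reads another app's private key", user_token, "get", "rsa/private/order"),
        ("user app overwrites a public key", user_token, "put", "rsa/public/user"),
        ("devops rotates the user app's private key", devops_token, "put", "rsa/private/user"),
    ]
    for description, token_policies, operation, path in cases:
        verdict = "allowed" if check(token_policies, "kv", operation, path) else "denied"
        print(f"{description}: {verdict}")
```

Running the script prints an allow/deny verdict for each case. The point of the kv/data/ note shows up as soon as a rule is written against the CLI-style path: a policy line for kv/rsa/public/* never matches the API path kv/data/rsa/public/user, so the application is silently denied even though the policy looks right; checking the translated path rather than the one typed at the CLI is the quickest way to catch that.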
