流程引擎>> vault-demo-training>> 返回
项目作者: brianblaze14

项目描述 :
Spring vault integration project, Sample code developed using the Dependencies Spring Cloud Vault Configuration and Better Cloud Dependencies
高级语言: Java
项目地址: git://github.com/brianblaze14/vault-demo-training.git
创建时间: 2021-01-08T11:27:02Z
项目社区:https://github.com/brianblaze14/vault-demo-training
开源协议:
下载


Spring Vault Demo Training

Reference Documentation

For further reference, please consider the following sections:

Install jq.exe file for JSON printing

Vault Dev Environment Setup in Local

  • Download the file from the following website, Click Here
  • Set the path in the environment variables
  • Command to check whether the installation was correct vault, vault version
  • CMD to start the server vault server -dev, Note : do not run the web server in production
  • After starting the server,
    • Open a new terminal
    • Run the export command set VAULT_ADDR=http://127.0.0.1:8200
    • Save the unseal key echo "Nd6DVwrEPyA3Jpy6yUxoRC8II6XCQs1Le+EDLAZ++T0=" > unseal.key
    • Save the root token set VAULT_DEV_ROOT_TOKEN_DEV=s.yeo5TWjhY6QjpIvg9oGpjhay
    • Verify the status of the server by running the command vault status

CRUD operations

  • Writing a secret in vault vault kv put secret/hello foo=world,
    <vault kv put <path> <key>=<value>>
    Eg: vault kv put secret/hello foo=world excited=yes
  • Get the key details command vault kv get <path>, vault kv get secret/hello
  • Get based on a particular field vault kv get -field=excited secret/hello
  • Get output in the JSON format vault kv get -format=json secret/hello
  • Deleting the secret vault kv delete secret/hello

Secret Engines

  • vault kv put foo/bar a=b -> error will occur
  • List command -> vault secrets list
  • Create and enable a secret kv, kv-v2> vault secrets enable -path=kv kv, vault secrets enable kv, vault secrets list
  • CMD for crud vault kv put kv/hello target=world, vault kv get kv/hello, vault kv put kv/my-secret value="s3c(eT", vault kv get -format=json kv/my-secret, vault kv delete kv/my-secret
  • List the paths vault kv list kv/, vault kv list kv/
  • Disable a secret engine vault secrets disable kv/

Dynamic Secrets(AWS)

  • Enable the AWS secrets engine vault secrets enable -path=aws aws
  • set AWS_ACCESS_KEY_ID=<aws_access_key_id>
  • set AWS_SECRET_ACCESS_KEY=<aws_secret_key>
  • Write cmd: `vault write aws/config/root \
    1.   access_key=$AWS_ACCESS_KEY_ID \
    2.   secret_key=$AWS_SECRET_ACCESS_KEY \
    3.   region=us-east-1`
  • Create a role: `vault write aws/roles/my-role \
    1.       credential_type=iam_user \
    2.       policy_document=-<<EOF
    {
    1. "Version": "2012-10-17",
    2. "Statement": [
    3.   {
    4.     "Sid": "Stmt1426528957000",
    5.     "Effect": "Allow",
    6.     "Action": [
    7.       "ec2:*"
    8.     ],
    9.     "Resource": [
    10.       "*"
    11.     ]
    12.   }
    13. ]
    }
    EOF`
  • vault read aws/creds/my-role
  • vault lease revoke aws/creds/my-role/0bce0782-32aa-25ec-f61d-c026ff22106

Built-In Help

  • vault secrets enable -path=aws aws
  • vault path-help aws
  • vault path-help aws/creds/my-non-existent-role

Authentication

  • Token/ authentication is automatically enabled, During startup of the server the token will be generated as ROOT_TOKEN
  • Command to create a new token vault token create
  • Command to login to the token: vault login s.KwMVMnrg7u3mBFAIGdBUbkcO
  • Command to revoke the token: vault token revoke s.iyNUhq8Ov4hIAx6snw5mB2nL

Git hub

  • Can do the github enabling vault auth enable github
  • Writing data - vault write auth/github/config organization=hashicorp
  • Reading vault read auth/github/config,vault auth list
  • CMD vault write auth/github/map/teams/engineering value=default,applications
  • Reading vault read auth/github/map/teams/engineering
  • vault auth help github
  • vault login -method=github
  • vault token revoke -mode path auth/github
  • vault auth disable github

Policy

  • vault policy read default
  • vault policy list
  • Policy writing help command vault policy write -h
  • Creating a named policy: `vault policy write my-policy - << EOF # Dev servers have version 2 of KV secrets engine mounted by default, so will # need these paths to grant permissions:
    path “secret/data/*” {
    1. capabilities = ["create", "update"]
    }
    path “secret/data/foo” {
    1. capabilities = ["read"]
    }
    EOF`
  • To read the created policy vault policy read my-policy
  • Testing the token
  • Create a token vault token create -policy=my-policy
  • Use the created token VAULT_TOKEN=s.QyUoJzR8BXWDkX0n8RzAyElu vault kv put secret/creds password="my-long-password"
  • Write to the secrets VAULT_TOKEN=s.QyUoJzR8BXWDkX0n8RzAyElu vault kv put secret/foo robot=beepboop

Associate policies to the auth

  • vault auth list | grep 'approle/'
  • vault auth enable approle
  • `vault write auth/approle/role/my-role \
    1.   secret_id_ttl=10m \
    2.   token_num_uses=10 \
    3.   token_ttl=20m \
    4.   token_max_ttl=30m \
    5.   secret_id_num_uses=40 \
    6.   token_policies=my-policy`
  • Write the role-id and the secret id to the env variables
    • export ROLE_ID="$(vault read -field=role_id auth/approle/role/my-role/role-id)"
    • export SECRET_ID="$(vault write -f -field=secret_id auth/approle/role/my-role/secret-id)"
    • vault write auth/approle/login role_id="$ROLE_ID" secret_id="$SECRET_ID"
  • vault write auth/approle/login role_id="$ROLE_ID" secret_id="$SECRET_ID"

Deploying the vault permanently

  • Create a config.hcl file in the vault.exe path with the following content
  • Create a directory in the following path mkdir -p vault/data
  • Start the server using the following command vault server -config=config.hcl
  • Initialize the vault set VAULT_ADDR=http://127.0.0.1:8200, vault operator init
  • Init operation will generate a Unseal Keys which should be permanently stored for login
    { "keys": [ "0c731099534cbced4b16aefb4a2961c15afdf286bb6111a9c1d4f2e53f02ab5af2", "60c9134ea838efe3c144f824042f002272925e01629c217068c7b16fa06e106ee0", "79d6c6f37558494fe7f285e678ec0dba61b02388fee0f504e9b09106cc7d5a249c", "789683056fe1bbbc182859d80346a69a028b0cd348e1b2d8b9b7f7267043d21460", "26f6ab40c109631c51b23dcce9ddd69ee1838be7117540ae6446b5db47eeb73529" ], "keys_base64": [ "DHMQmVNMvO1LFq77SilhwVr98oa7YRGpwdTy5T8Cq1ry", "YMkTTqg47+PBRPgkBC8AInKSXgFinCFwaMexb6BuEG7g", "edbG83VYSU/n8oXmeOwNumGwI4j+4PUE6bCRBsx9WiSc", "eJaDBW/hu7wYKFnYA0ammgKLDNNI4bLYubf3JnBD0hRg", "JvarQMEJYxxRsj3M6d3WnuGDi+cRdUCuZEa120futzUp" ], "root_token": "s.6qdidDRHD9A1Su1VkWtE9LHt" }
  • Unseal three threshold keys vault operator unseal enter the valid key after that
  • Login command vault login <Initial_Root_Token>, vault login s.yo5p3hCZuUGRmhNNPVtaXOFG
  • Deletion and clean of data
    • ps aux | grep "vault server" | grep -v grep | awk '{print $2}' | xargs kill
    • rm -r /vault/data

Using the HTTP API’s with Authentication

  • vault server -config=config.hcl
  • Init - curl http://127.0.0.1:8200/v1/sys/init -X POST -d "{\"secret_shares\": 1, \"secret_threshold\": 1}" | jq
  • set VAULT_TOKEN=s.mWSvGgnHbImvZVmWVsNnYwuH
  • Unseal the key curl -X POST -d "{\"key\": \"MMQCBBOUwo4z8dLHxb12L/n64vykmQL0usFSGgzfS0o=\"}" http://127.0.0.1:8200/v1/sys/unseal | jq
  • Check whether it is initialized curl http://127.0.0.1:8200/v1/sys/init
  • Now for the auth part enabling vault auth enable -output-curl-string approle,
    curl -H "X-Vault-Request: true" -H "X-Vault-Token: s.mWSvGgnHbImvZVmWVsNnYwuH" http://127.0.0.1:8200/v1/sys/auth |jq
    Output: curl -X POST -H "X-Vault-Request: true" -H "X-Vault-Token:s.1gTwVAr6nz4fNJBBjMcfOdyM" -d '{"type":"approle","description":"","config":{"options":null,"default_lease_ttl":"0s","max_lease_ttl":"0s","force_no_cache":false},"local":false,"seal_wrap":false,"external_entropy_access":false,"options":null}' https://127.0.0.1:8200/v1/sys/auth
  • Policy creation in Windows curl -H "X-Vault-Token: $VAULT_TOKEN" -X PUT -d '{"policy":"# Dev servers have version 2 of KV secrets engine mounted by default, so will\n# need these paths to grant permissions:\npath \"secret/data/*\" {\n capabilities = [\"create\", \"update\"]\n}\n\npath \"secret/data/foo\" {\n capabilities = [\"read\"]\n}\n"}' http://127.0.0.1:8200/v1/sys/policies/acl/my-policy
  • Association command `curl \
    1.   --header "X-Vault-Token: $VAULT_TOKEN" \
    2.   --request POST \
    3.   --data '{"policies": ["my-policy"]}' \
    4.   http://127.0.0.1:8200/v1/auth/approle/role/my-role`
  • Role id API`curl \
    1.   --header "X-Vault-Token: $VAULT_TOKEN" \
    2.    http://127.0.0.1:8200/v1/auth/approle/role/my-role/role-id | jq -r ".data"`
  • Secret ID API `curl \
    1.   --header "X-Vault-Token: $VAULT_TOKEN" \
    2.   --request POST \
    3.   http://127.0.0.1:8200/v1/auth/approle/role/my-role/secret-id | jq -r ".data"`
  • Login API`curl —request POST \
    1.      --data '{"role_id": "c3ec4eab-5477-c669-fca8-6a71fdf38c23", "secret_id": "fc2710e5-9536-3f4f-666d-fd5d8379b2b9"}' \
    2.      http://127.0.0.1:8200/v1/auth/approle/login | jq -r ".auth"`
  • Output client-token and set export VAULT_TOKEN="s.p5NB4dTlsPiUU94RA5IfbzXv"
  • Secret credentials `curl \
    1.   --header "X-Vault-Token: $VAULT_TOKEN" \
    2.   --request POST \
    3.   --data '{ "data": {"password": "my-long-password"} }' \
    4.   http://127.0.0.1:8200/v1/secret/data/creds | jq -r ".data"`

Content for the config.hcl file

storage “raft” {

path = “./vault/data”

path = “vault-data”

path = “./vault/data1”

path = “./vault/data2”
node_id = “node1”
}
listener “tcp” {
address = “127.0.0.1:8200”
tls_disable = 1
}
disable_mlock = true
api_addr = “http://127.0.0.1:8200
cluster_addr = “https://127.0.0.1:8201
ui = true