Vault: Difference between revisions

Revision as of 05:39, 21 January 2026

curl -fsSL https://apt.releases.hashicorp.com/gpg\
 | sudo tee /etc/apt/keyrings/hashicorp.asc >/dev/null

DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
cat << SRC | sudo tee /etc/apt/sources.list.d/hashicorp.list >/dev/null
deb [arch=$(dpkg --print-architecture)\
 signed-by=/etc/apt/keyrings/hashicorp.asc]\
 https://apt.releases.hashicorp.com ${DISTRIBUTION} main
SRC

cat <<'EXE' | sudo bash
apt-get update && apt-get install -y vault
systemctl disable --now vault.service
systemctl stop          vault.service
systemctl mask          vault.service
systemctl status        vault.service
vault version
which vault
EXE

export VAULT_TOKEN='hvs.b613hrNQ25fJEkWqGB2KCWgl'
export VAULT_ADDR='https://vault.shahed.biz.ops'
vault status

export VAULT_SKIP_VERIFY=true
export VAULT_FORMAT=yaml
vault login

Auth

# Enabled userpass auth method
vault auth enable userpass

Auth » Userpass
vault write auth/userpass/users/shahed password='sadaqah!' vault login -method=userpass username=shahed vault list auth/userpass/users cat ~/.vault-token rm ~/.vault-token

Engine » KV

KV » V1

vault secrets enable -path=chorke/academia/prod kv
vault secrets enable -path=chorke/academia/uat  kv
vault secrets enable -path=chorke/academia/dev  kv

vault secrets disable chorke/academia/prod
vault secrets disable chorke/academia/uat
vault secrets disable chorke/academia/dev

vault kv put chorke/academia/dev/mariadb username='academia' password='60NZ5sonTeHGAiXm'
vault kv get -field=password chorke/academia/dev/mariadb
vault kv get chorke/academia/dev/mariadb

vault secrets disable chorke/academia/dev
vault kv get chorke/academia/dev/mariadb

vault secrets enable -path=chorke/academia/dev  kv
vault kv get chorke/academia/dev/mariadb

KV » V2

vault secrets enable -path=shahed/academia/prod kv-v2
vault secrets enable -path=shahed/academia/uat  kv-v2
vault secrets enable -path=shahed/academia/dev  kv-v2

vault secrets disable shahed/academia/prod
vault secrets disable shahed/academia/uat
vault secrets disable shahed/academia/dev

vault kv put shahed/academia/dev/pgsql username='academia' password='60NZ5sonTeHGAiXm'
vault kv get -field=password shahed/academia/dev/pgsql
vault kv get shahed/academia/dev/pgsql

vault kv get    -version  2 shahed/academia/dev/pgsql
vault kv delete -versions 2 shahed/academia/dev/pgsql
vault kv get    -version  1 shahed/academia/dev/pgsql

vault secrets disable shahed/academia/dev
vault kv get shahed/academia/dev/pgsql

vault secrets enable -path=shahed/academia/dev  kv-v2
vault kv get shahed/academia/dev/pgsql

Engine » DB

# Enabled the database secrets engine
vault secrets enable database

Database » PostgreSQL
echo -n 'Password: ';read -s VAULT_PASSWORD;export VAULT_PASSWORD;echo echo "${VAULT_PASSWORD}" Password: sadaqah!	cat << DDL \| sudo -i -u postgres psql \! printf '\n' SELECT 'CREATE DATABASE shahed_ab_vault' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'shahed_ab_vault')\gexec CREATE USER shahed_ab_vault WITH ENCRYPTED PASSWORD '${VAULT_PASSWORD}'; GRANT ALL PRIVILEGES ON DATABASE shahed_ab_vault TO shahed_ab_vault; ALTER DATABASE shahed_ab_vault OWNER TO shahed_ab_vault; DDL
vault write database/config/shahed-ab-psql \ plugin_name='postgresql-database-plugin' allowed_roles='shahed-ab-psql-academia' \ connection_url='postgresql://{{username}}:{{password}}@192.168.49.1:5432/shahed_ab_vault' \ username='shahed_ab_vault' password='sadaqah!' \ password_authentication='scram-sha-256' vault read database/config/shahed-ab-psql
vault write database/roles/shahed-ab-psql-academia db_name="shahed-ab-psql" \ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \ GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \ default_ttl="1h" \ max_ttl="24h" vault read database/roles/shahed-ab-psql-academia vault read database/creds/shahed-ab-psql-academia
vault read database/roles/shahed-ab-psql-academia vault read database/creds/shahed-ab-psql-academia vault lease lookup database/creds/shahed-ab-psql-academia/ID vault lease renew database/creds/shahed-ab-psql-academia/ID vault lease revoke database/creds/shahed-ab-psql-academia/ID

Database » MariaDB

Database » Redis

Playground

echo "$(cat /dev/urandom|tr -dc 'A-Za-z0-9'|head -c 40)"
echo "$(cat /dev/urandom|tr -dc 'A-Za-z0-9'|head -c 20)"
echo "$(cat /dev/urandom|tr -dc 'A-Za-z0-9'|head -c 16)"
echo "$(cat /dev/urandom|tr -dc 'A-Za-z0-9'|head -c  8)"

vault auth    list
vault audit   list
vault policy  list
vault secrets list

vault operator init -key-shares=5 -key-threshold=3
vault token lookup
vault status

vault operator unseal '/bvRmLPLF8MnfOQQWrhdqAmLBSKfNtSSkcyWY/uXZ0+F'
vault operator unseal 'Jh5mA+DwX/zlU+3jvxlgNarSzAOBRHvNcF3QOoGtzl/h'
vault operator unseal 'DqUWoe6MN6oDKi3bYoZuXSbT0ZpT0/Pbg0kpTkhkUfVP'

# self destructive or dangerous
vault token revoke -self

References

References
Vault » Docs » Secrets management Vault » Docs » Build your CA Vault » Docs » Cheatsheet Vault » Docs » Monitoring Vault » Docs » How Vault » Docs » Why Vault » Install Vault » Helm	Vault » Engine » Databases » PostgreSQL Vault » Engine » Databases » MariaDB Vault » Engine » Databases » Redis Vault » Engine » Databases
K8s » CSI Hostpath Driver K8s » Swiss Knife K8s » Storage K8s » Ingress K8s » Service K8s » Secret K8s » Run MinIO CIDR UFW	Security » HTTP » Basic Authentication Security » OpenLDAP » BackSQL Security » `makepasswd` » SCM Security » `makepasswd` Security » Certificate Security » ZA Proxy Security » Domain Security » Spring Security » HTTP Security » Java	Security » SSH » Public Key Authentication Security » Container » Snyk Security » Container » Trivy Security » Certificate » TLS Security » Wireshark Security » Password Security » Jasypt
Kubernetes Multipass Minikube Podman Vagrant Docker Qemu Helm K9s K8s	Terraform Proxmox Kubectl Ansible LXC Git

@@ Line 39: / Line 39: @@
 vault login
 </syntaxhighlight>
+|}
+==Auth==
+{|class='wikitable mw-collapsible'
+!scope='col' style='text-align:left' colspan='2'|
+Auth
+|-
+|valign='top' style='width:50%'|
+<syntaxhighlight lang='bash'>
+# Enabled userpass auth method
+vault auth enable userpass
+</syntaxhighlight>
+|valign='top' style='width:50%'|
+|-
+|valign='top' colspan='2'|
+{|class='wikitable mw-collapsible'
+!scope='col' style='text-align:left' colspan='2'|
+Auth » Userpass
+|-
+|valign='top' style='width:50%'|
+<syntaxhighlight lang='bash'>
+vault write auth/userpass/users/shahed password='sadaqah!'
+vault login -method=userpass username=shahed
+vault list  auth/userpass/users
+cat ~/.vault-token
+rm  ~/.vault-token
+</syntaxhighlight>
+|valign='top' style='width:50%'|
+|}
 |}
@@ Line 125: / Line 157: @@
 |}
-==Engine » Database==
+==Engine » DB==
 {|class='wikitable mw-collapsible'
 !scope='col' style='text-align:left' colspan='2'|
-Engine » Database
+Engine » DB
 |-
 |valign='top' style='width:50%'|

Vault: Difference between revisions

Revision as of 05:39, 21 January 2026

Contents

Auth

Engine » KV

Engine » DB

Playground

References

Navigation menu

Vault: Difference between revisions

Revision as of 05:39, 21 January 2026

Auth

Engine » KV

Engine » DB

Playground

References

Navigation menu

Search