Vault: Difference between revisions

Line 202: Line 202:
vault kv get -field=app.test.password          shahed/academia/dev/audit
vault kv get -field=app.test.password          shahed/academia/dev/audit
vault kv get -field=spring.datasource.password shahed/academia/dev/audit
vault kv get -field=spring.datasource.password shahed/academia/dev/audit
</syntaxhighlight>
<syntaxhighlight lang='bash'>
echo ;\
vault kv get -format=json shahed/academia/dev/audit \
| jq -r '.data.data |to_entries|map(.key + "=" + .value)|.[]'
</syntaxhighlight>
<syntaxhighlight lang='bash'>
echo ;\
vault kv get -format=yaml shahed/academia/dev/audit \
| yq -r '.data.data |to_entries|map(.key + "=" + .value)|.[]'
</syntaxhighlight>
</syntaxhighlight>
|}
|}
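Review bot: The jq filter in the added block, `.key + "=" + .value`, aborts the whole dump as soon as one stored value is not a JSON string, because jq's `+` does not concatenate a string with a number or boolean; a numeric value written through the YAML import (a port, a timeout) would trigger it. Coercing the value keeps the one-liner working for every scalar: `| jq -r '.data.data |to_entries|map(.key + "=" + (.value|tostring))|.[]'`. The yq variant added alongside it has the same shape and presumably needs the equivalent string conversion. The same filter recurs in the article body (the K8s Secret and ConfigMap pipelines), so the fix applies there too.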

Revision as of 00:44, 22 January 2026

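# Fetch HashiCorp's APT signing key into the keyrings directory.
# The directory is created first: tee cannot write into /etc/apt/keyrings
# when it does not exist yet (older releases do not ship it).
sudo install -d -m 0755 /etc/apt/keyrings
curl -fsSL https://apt.releases.hashicorp.com/gpg \
  | sudo tee /etc/apt/keyrings/hashicorp.asc >/dev/null
# The key is taken on trust from the download; compare its fingerprint with
# the one HashiCorp publishes before running apt-get update:
#   gpg --show-keys --fingerprint /etc/apt/keyrings/hashicorp.asc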

# Codename of the running release (e.g. the VERSION_CODENAME from /etc/os-release),
# read in a subshell so the os-release variables do not leak into this session.
DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
# One-line APT source entry pinned to the key installed above.
printf 'deb [arch=%s signed-by=%s] %s %s main\n' \
  "$(dpkg --print-architecture)" /etc/apt/keyrings/hashicorp.asc \
  https://apt.releases.hashicorp.com "${DISTRIBUTION}" \
  | sudo tee /etc/apt/sources.list.d/hashicorp.list >/dev/null
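# Install the vault package as root, then disable and mask the bundled
# vault.service so no local server is started — only the CLI is wanted here
# (the server used on this page is reached via VAULT_ADDR).
sudo bash <<'EXE'
apt-get update && apt-get install -y vault
# --now already stops the unit; the explicit stop is a harmless safeguard
systemctl disable --now vault.service
systemctl stop          vault.service
systemctl mask          vault.service
# status exits non-zero for an inactive/masked unit; informational only
systemctl status        vault.service
vault version
# command -v is the portable replacement for `which`
command -v vault
EXE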
# Root token produced by the generate-root flow further down this page.
# A token given on the command line is recorded in shell history and
# visible in `ps` for the duration of the command.
export VAULT_TOKEN='hvs.40aTe1S58DWIstRk4bHPgESg' \
       VAULT_ADDR='https://vault.shahed.biz.ops'
vault status
# VAULT_SKIP_VERIFY=true switches off TLS certificate validation for every
# call; pointing VAULT_CACERT at the server's CA gives a trusted connection
# without that. VAULT_FORMAT only changes how the CLI prints responses.
export VAULT_SKIP_VERIFY=true VAULT_FORMAT=yaml
vault login

Auth

Auth

# Enable the userpass auth method at its default mount (auth/userpass).
vault auth enable userpass

Auth » Userpass

# Create (or overwrite) the userpass account "shahed". The password literal
# ends up in shell history; `password=-` makes the CLI read the value from
# stdin instead.
vault write auth/userpass/users/shahed password='sadaqah!'
vault list  auth/userpass/users
# Drop the root token from the environment, then log in as the new user;
# the CLI caches the resulting token in ~/.vault-token.
unset VAULT_TOKEN
vault login -method=userpass username=shahed
cat ~/.vault-token   # the cached token, in clear text
rm  ~/.vault-token   # remove the cache again

Engine » KV

Engine » KV

KV » V1
Enable Disable
# KV version 1 mounts, one per environment.
vault secrets enable -path=chorke/academia/prod kv
vault secrets enable -path=chorke/academia/uat  kv
vault secrets enable -path=chorke/academia/dev  kv
# Disabling a mount removes everything stored under it.
vault secrets disable chorke/academia/prod
vault secrets disable chorke/academia/uat
vault secrets disable chorke/academia/dev
# Write a secret with two keys, then read one field and the whole entry.
vault kv put chorke/academia/dev/mariadb username='academia' password='60NZ5sonTeHGAiXm'
vault kv get -field=password chorke/academia/dev/mariadb
vault kv get chorke/academia/dev/mariadb
# Disable/re-enable round trip: the get after the disable is expected to fail,
# and the one after re-enabling to come back empty — a re-enabled mount is fresh.
vault secrets disable chorke/academia/dev
vault kv get chorke/academia/dev/mariadb
vault secrets enable -path=chorke/academia/dev  kv
vault kv get chorke/academia/dev/mariadb
KV » V2
Enable Disable
# KV version 2 (versioned) mounts, one per environment.
vault secrets enable -path=shahed/academia/prod kv-v2
vault secrets enable -path=shahed/academia/uat kv-v2
vault secrets enable -path=shahed/academia/dev kv-v2
# Disabling a mount removes all versions of everything stored under it.
vault secrets disable shahed/academia/prod
vault secrets disable shahed/academia/uat
vault secrets disable shahed/academia/dev
Create Update
# KV v2 keeps a version history per path: this first put creates version 1.
vault kv put shahed/academia/dev/pgsql username='academia' password='60NZ5sonTeHGAiXm'
vault kv get -field=password shahed/academia/dev/pgsql
vault kv get shahed/academia/dev/pgsql

# Read explicit versions (version 2 does not exist yet at this point and is
# expected to return no data).
vault kv get      -version  2 shahed/academia/dev/pgsql
vault kv get      -version  1 shahed/academia/dev/pgsql
# Second put -> version 2 with a new password. delete soft-deletes that version
# (it can be undeleted), so the following get no longer shows version 2's data.
vault kv put shahed/academia/dev/pgsql username='academia' password='26SJEnMWSjnXYrgs'
vault kv delete   -versions 2 shahed/academia/dev/pgsql
vault kv get -field=password  shahed/academia/dev/pgsql

# rollback writes version 1's contents as a new version, so the original
# password is current again.
vault kv rollback -version  1 shahed/academia/dev/pgsql
vault kv get -field=password  shahed/academia/dev/pgsql
# Disabling the mount discards all versions; re-enabling yields an empty mount.
vault secrets disable shahed/academia/dev
vault kv get shahed/academia/dev/pgsql
vault secrets enable -path=shahed/academia/dev  kv-v2
vault kv get shahed/academia/dev/pgsql
Properties Fetch
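# Load a YAML document of key/value pairs into the KV v2 entry "audit":
# yq converts the quoted heredoc to JSON and vault reads it from stdin.
echo && \
yq -o=json <<'YML' | \
vault kv put shahed/academia/dev/audit @/dev/stdin
---
spring.datasource.url: jdbc:postgresql://192.168.49.1:5432/shahed_academia_dev
spring.datasource.password: DHJuWrvIqhZjvAWl
spring.datasource.username: academia
spring.datasource.platform: postgres

app.smtp.username: no-reply@shahed.biz
app.smtp.password: 3gT5WOAg6Ob0tFjC
app.smtp.alias: no-reply@chorke.org
app.smtp.host: smtp.gmail.com

app.test.username: admin
app.test.password: m0sPn0YAPJD3x4X6
YML
# Read the whole entry and single fields.
vault kv get                                   shahed/academia/dev/audit
vault kv get -field=app.smtp.password          shahed/academia/dev/audit
vault kv get -field=app.test.password          shahed/academia/dev/audit
vault kv get -field=spring.datasource.password shahed/academia/dev/audit
# Dump the entry as KEY=VALUE lines. `tostring` keeps the filter working
# when a value is not a string (a YAML number would otherwise make jq's
# `+` fail and abort the whole dump).
echo ;\
vault kv get -format=json shahed/academia/dev/audit \
 | jq -r '.data.data |to_entries|map(.key + "=" + (.value|tostring))|.[]'
# yq variant of the same dump; its `+` has the same string-only limitation.
echo ;\
vault kv get -format=yaml shahed/academia/dev/audit \
 | yq -r '.data.data |to_entries|map(.key + "=" + .value)|.[]'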
KV » K8s
K8s » Secret
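# Render the KV entry as a Kubernetes Secret manifest (client-side dry run,
# nothing is applied). `tostring` keeps the jq filter working for non-string
# values. The printed manifest holds the secret values base64-encoded, not
# encrypted, so it should not be committed or pasted into tickets.
vault kv get -format=json shahed/academia/dev/audit \
 | jq -r '.data.data |to_entries|map(.key + "=" + (.value|tostring))|.[]' \
 | kubectl -n academia create secret generic academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml
# Same manifest with recommended app.kubernetes.io labels appended by yq.
vault kv get -format=json shahed/academia/dev/audit \
 | jq -r '.data.data |to_entries|map(.key + "=" + (.value|tostring))|.[]' \
 | kubectl -n academia create secret generic academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml \
 | yq '.metadata.labels += {
    "app.kubernetes.io/name": "audit",
    "app.kubernetes.io/version": "1.0.0",
    "app.kubernetes.io/instance": "audit",
    "app.kubernetes.io/managed-by": "kubectl"
   }'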
K8s » ConfigMap
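# The same entry rendered as a ConfigMap (client-side dry run). Note that the
# entry carries passwords (spring.datasource.password, app.smtp.password,
# app.test.password): a ConfigMap is plain, unencrypted configuration readable
# by anyone allowed to get configmaps in the namespace, so credential keys
# belong in the Secret variant, not here. `tostring` keeps the jq filter
# working for non-string values.
vault kv get -format=json shahed/academia/dev/audit \
 | jq -r '.data.data |to_entries|map(.key + "=" + (.value|tostring))|.[]' \
 | kubectl -n academia create configmap academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml
# Same manifest with recommended app.kubernetes.io labels appended by yq.
vault kv get -format=json shahed/academia/dev/audit \
 | jq -r '.data.data | to_entries | map(.key + "=" + (.value|tostring)) | .[]' \
 | kubectl -n academia create configmap academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml \
 | yq '.metadata.labels += {
    "app.kubernetes.io/name": "audit",
    "app.kubernetes.io/version": "1.0.0",
    "app.kubernetes.io/instance": "audit",
    "app.kubernetes.io/managed-by": "kubectl"
   }'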

Engine » DB

Engine » DB

# Enable the database secrets engine at its default mount (database/).
vault secrets enable database

Database » PostgreSQL

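# Prompt for the password of the Vault-owned database account without echoing
# it (-s) and keeping backslashes literal (-r); printf replaces the
# non-portable `echo -n`. The variable is exported for the heredoc below.
printf 'Password: '; read -rs VAULT_PASSWORD; export VAULT_PASSWORD; echo
# Echoes the password back for a visual check; it stays in terminal scrollback.
echo "${VAULT_PASSWORD}"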
Password: sadaqah!
# Create the Vault database and its owner role in PostgreSQL. The heredoc is
# unquoted, so ${VAULT_PASSWORD} is expanded by the calling shell before psql
# sees it; it is spliced into the SQL unescaped, so a password containing a
# single quote would break the CREATE USER statement. `\!` and `\gexec` pass
# through literally (a heredoc only treats \$ \` \\ and \<newline> specially);
# \gexec executes the SELECTed string as SQL, making the CREATE DATABASE conditional.
cat << DDL | sudo -i -u postgres psql
\! printf '\n'
SELECT 'CREATE DATABASE shahed_ab_vault' 
WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'shahed_ab_vault')\gexec
CREATE USER shahed_ab_vault WITH ENCRYPTED PASSWORD '${VAULT_PASSWORD}';
GRANT ALL PRIVILEGES ON DATABASE shahed_ab_vault TO shahed_ab_vault;
ALTER DATABASE shahed_ab_vault OWNER TO shahed_ab_vault;
DDL

PostgreSQL » Setup

# Connection Vault uses to manage PostgreSQL. {{username}}/{{password}} in
# connection_url are filled from the username/password fields given here;
# the password literal is visible in shell history and `ps`. allowed_roles
# limits which database roles may use this connection. Once configured,
# `vault write -f database/rotate-root/shahed-ab-psql` lets Vault replace the
# password with one only Vault knows.
vault write database/config/shahed-ab-psql \
  plugin_name='postgresql-database-plugin' allowed_roles='shahed-ab-psql-academia' \
  connection_url='postgresql://{{username}}:{{password}}@192.168.49.1:5432/shahed_ab_vault' \
  username='shahed_ab_vault' password='sadaqah!' \
  password_authentication='scram-sha-256'

vault read database/config/shahed-ab-psql
# Dynamic role: every `vault read database/creds/shahed-ab-psql-academia` runs
# creation_statements with a fresh {{name}}/{{password}}, valid for default_ttl
# and renewable up to max_ttl. The grant covers tables that exist in schema
# public at creation time only; tables added later are not covered (that would
# need ALTER DEFAULT PRIVILEGES). The `\` inside the double-quoted value is a
# shell line continuation; `\"` are literal double quotes in the SQL.
vault write database/roles/shahed-ab-psql-academia db_name="shahed-ab-psql" \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"

# Inspect the role and obtain a set of dynamic credentials (each read
# creates a new database user with a lease).
vault read database/roles/shahed-ab-psql-academia
vault read database/creds/shahed-ab-psql-academia
vault read database/config/shahed-ab-psql
vault read database/roles/shahed-ab-psql-academia
vault read database/creds/shahed-ab-psql-academia
# Lease management: replace ID with the lease_id printed by the creds read.
# Revoking the lease drops the database user it created.
vault lease lookup database/creds/shahed-ab-psql-academia/ID
vault lease renew  database/creds/shahed-ab-psql-academia/ID
vault lease revoke database/creds/shahed-ab-psql-academia/ID
# Tear down role and connection configuration.
vault delete database/roles/shahed-ab-psql-academia
vault delete database/config/shahed-ab-psql

PostgreSQL » Static

# Connection without a root credential: with self_managed=true Vault does not
# hold a username/password for this config; the static role below supplies
# the account's current password itself.
vault write database/config/shahed-ab-psql \
  plugin_name='postgresql-database-plugin' allowed_roles='shahed-ab-psql-academia' \
  connection_url='postgresql://{{username}}:{{password}}@192.168.49.1:5432/shahed_ab_vault' \
  self_managed=true

vault read database/config/shahed-ab-psql
# Static role: Vault rotates the password of the existing account
# shahed_ab_vault every rotation_period, starting from self_managed_password.
# The literal is visible in shell history and `ps`.
vault write database/static-roles/shahed-ab-psql-academia db_name="shahed-ab-psql" \
  username='shahed_ab_vault' self_managed_password='sadaqah!' \
  rotation_period='1h'

# static-creds returns the password currently set by Vault for the account.
vault read database/static-roles/shahed-ab-psql-academia
vault read database/static-creds/shahed-ab-psql-academia

Database » MariaDB

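# Prompt for the password of the Vault-owned MariaDB account without echoing
# it (-s) and keeping backslashes literal (-r); printf replaces the
# non-portable `echo -n`. The variable is exported for the heredoc below.
printf 'Password: '; read -rs VAULT_PASSWORD; export VAULT_PASSWORD; echo
# Echoes the password back for a visual check; it stays in terminal scrollback.
echo "${VAULT_PASSWORD}"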
Password: sadaqah!
# Create the Vault database and its owner account in MariaDB. The heredoc is
# unquoted, so ${VAULT_PASSWORD} is expanded by the calling shell and spliced
# into the SQL unescaped — a password containing a single quote would break
# the CREATE USER statement. The '%' host part lets the account connect from
# any host; the GRANT is limited to the shahed_ab_vault schema.
cat << DDL | sudo -i -u root mariadb
CREATE DATABASE IF NOT EXISTS shahed_ab_vault;
CREATE USER 'shahed_ab_vault'@'%' IDENTIFIED BY '${VAULT_PASSWORD}';
GRANT ALL PRIVILEGES ON shahed_ab_vault.* TO 'shahed_ab_vault'@'%';
FLUSH PRIVILEGES;
DDL

MariaDB » Setup

# Connection Vault uses to manage MariaDB (MySQL plugin). {{username}} and
# {{password}} are filled from the fields given here; the password literal is
# visible in shell history and `ps`. Once configured,
# `vault write -f database/rotate-root/shahed-ab-mariadb` lets Vault replace
# it with a password only Vault knows.
vault write database/config/shahed-ab-mariadb \
  plugin_name='mysql-database-plugin' allowed_roles='shahed-ab-mariadb-academia' \
  connection_url="{{username}}:{{password}}@tcp(192.168.49.1:3306)/" \
  username='shahed_ab_vault' password='sadaqah!'

vault read database/config/shahed-ab-mariadb
# Dynamic role: each creds read creates a MariaDB user from creation_statements.
# `GRANT SELECT ON *.*` gives every generated user read access to every
# database on the server; scoping it to shahed_ab_vault.* (as the static
# variant further down does) is the least-privilege form.
vault write database/roles/shahed-ab-mariadb-academia db_name="shahed-ab-mariadb" \
  creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
  default_ttl='1h' max_ttl='24h'

# Inspect the role and obtain a set of dynamic credentials (each read
# creates a new MariaDB user with a lease).
vault read database/roles/shahed-ab-mariadb-academia
vault read database/creds/shahed-ab-mariadb-academia
vault read database/config/shahed-ab-mariadb
vault read database/roles/shahed-ab-mariadb-academia
vault read database/creds/shahed-ab-mariadb-academia
# Lease management: replace ID with the lease_id printed by the creds read.
# Revoking the lease drops the database user it created.
vault lease lookup database/creds/shahed-ab-mariadb-academia/ID
vault lease renew  database/creds/shahed-ab-mariadb-academia/ID
vault lease revoke database/creds/shahed-ab-mariadb-academia/ID
# Tear down role and connection configuration.
vault delete database/roles/shahed-ab-mariadb-academia
vault delete database/config/shahed-ab-mariadb

MariaDB » Static

# MariaDB connection with a root-rotation statement: root_rotation_statements
# is the SQL Vault runs when the connection's own password is rotated
# (database/rotate-root/shahed-ab-mariadb), replacing the literal given here
# with one only Vault knows. The literal is visible in shell history and `ps`.
vault write database/config/shahed-ab-mariadb \
  plugin_name='mysql-database-plugin' allowed_roles='shahed-ab-mariadb-academia' \
  connection_url="{{username}}:{{password}}@tcp(192.168.49.1:3306)/" \
  root_rotation_statements="SET PASSWORD = PASSWORD('{{password}}')" \
  username='shahed_ab_vault' password='sadaqah!'

vault read database/config/shahed-ab-mariadb
# Same dynamic role, with creation_statements supplied base64-encoded (Vault
# accepts plain or base64 statements). It appears to decode to a
# CREATE USER ... IDENTIFIED BY ...; GRANT SELECT ON `shahed_ab_vault`.* pair,
# i.e. the read grant is scoped to the one schema rather than *.*.
vault write database/roles/shahed-ab-mariadb-academia db_name="shahed-ab-mariadb" \
  creation_statements="Q1JFQVRFIFVTRVIgJ3t7bmFtZX19J0AnJScgSURFTlRJRklFRCBCWSAne3twYXNzd29yZH19JzsgR1JBTlQgU0VMRUNUIE9OIGBzaGFoZWRfYWJfdmF1bHRgLiogVE8gJ3t7bmFtZX19J0AnJSc7" \
  default_ttl='1h' max_ttl='24h'

vault read database/roles/shahed-ab-mariadb-academia
vault read database/creds/shahed-ab-mariadb-academia

Database » Redis

Token » Init

Token » Init

Init » Root

OTP Decode
# Step 1: start a root-token generation. The OTP printed here is needed
# later to decode the encoded token. Sample output:
vault operator generate-root -init
#   A One-Time-Password has been generated for you and is shown in the OTP field.
#   You will need this value to decode the resulting root token, so keep it safe.
#   Nonce         aea98c59-32f6-af94-ee89-d7344e9f0b37
#   Started       true
#   Progress      0/3
#   Complete      false
#   OTP           o4MnFIV3G4xUsibNjYkrOXhGrw2z
#   OTP Length    28

# Step 3 (after the three unseal-key submissions below): decode the
# Encoded Token with the OTP from step 1. Generic form, then the values
# from this run.
vault operator generate-root \
  -decode="ENCODED_TOKEN_HERE" \
  -otp="OTP_FROM_STEP_1_HERE"
vault operator generate-root \
  -decode="B0I+QHJ5N2ciBStgSy01BxktORl7OiAXFTJhHQ" \
  -otp="o4MnFIV3G4xUsibNjYkrOXhGrw2z"
# Output — the new root token:
#   hvs.40aTe1S58DWIstRk4bHPgESg
Progress 1/3 Progress 2/3
# Step 2: each invocation prompts for one unseal-key share (input hidden)
# and advances Progress towards the threshold. First share:
vault operator generate-root
#   Operation nonce: aea98c59-32f6-af94-ee89-d7344e9f0b37
#   Unseal Key (will be hidden):
#   Nonce       aea98c59-32f6-af94-ee89-d7344e9f0b37
#   Started     true
#   Progress    1/3
#   Complete    false

# Second share:
vault operator generate-root
#   Operation nonce: aea98c59-32f6-af94-ee89-d7344e9f0b37
#   Unseal Key (will be hidden):
#   Nonce       aea98c59-32f6-af94-ee89-d7344e9f0b37
#   Started     true
#   Progress    2/3
#   Complete    false
Progress 3/3 Status
# Step 2, third share: with the threshold reached the response carries the
# Encoded Token that step 3 decodes with the OTP from step 1.
vault operator generate-root
#   Operation nonce: aea98c59-32f6-af94-ee89-d7344e9f0b37
#   Unseal Key (will be hidden):
#   Nonce            aea98c59-32f6-af94-ee89-d7344e9f0b37
#   Started          true
#   Progress         3/3
#   Complete         true
#   Encoded Token    B0I+QHJ5N2ciBStgSy01BxktORl7OiAXFTJhHQ

# Use the decoded root token. Both the Encoded Token and the OTP are
# reproduced on this page, so the resulting root token is recoverable by
# any reader: treat it as exposed and revoke it once the work is done
# (`vault token revoke -self` from the session using it).
export VAULT_TOKEN='hvs.40aTe1S58DWIstRk4bHPgESg' \
       VAULT_ADDR='https://vault.shahed.biz.ops'
vault status
vault list auth/userpass/users

Playground

Playground

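# Random alphanumeric strings (e.g. for passwords), one per requested length.
# LC_ALL=C makes tr operate on bytes, avoiding the "Illegal byte sequence"
# error the raw /dev/urandom stream triggers under UTF-8 locales; reading the
# device directly replaces the extra `cat`.
#   $1 - number of characters to print (required)
# Prints the string followed by a newline, as the original echo did.
rand_alnum() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:?length required}"
  printf '\n'
}
rand_alnum 40
rand_alnum 20
rand_alnum 16
rand_alnum 8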
# Overview of what is mounted and configured.
vault auth list
vault audit list
vault policy list
vault secrets list
# Initialise a fresh server: prints 5 unseal-key shares and the initial root
# token, any 3 shares unseal it. The shares and tokens quoted on this page
# are published here and therefore have to be considered exposed.
vault operator init -key-shares=5 -key-threshold=3
vault token lookup
vault status
# Submit three of the five shares to unseal.
vault operator unseal '/bvRmLPLF8MnfOQQWrhdqAmLBSKfNtSSkcyWY/uXZ0+F'
vault operator unseal 'Jh5mA+DwX/zlU+3jvxlgNarSzAOBRHvNcF3QOoGtzl/h'
vault operator unseal 'DqUWoe6MN6oDKi3bYoZuXSbT0ZpT0/Pbg0kpTkhkUfVP'
# Self-destructive: revokes the token the CLI is currently authenticated with.
vault token revoke -self

References

References