Vault: Difference between revisions

Revision as of 16:21, 23 January 2026

curl -fsSL https://apt.releases.hashicorp.com/gpg\
 | sudo tee /etc/apt/keyrings/hashicorp.asc >/dev/null

DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
cat << SRC | sudo tee /etc/apt/sources.list.d/hashicorp.list >/dev/null
deb [arch=$(dpkg --print-architecture)\
 signed-by=/etc/apt/keyrings/hashicorp.asc]\
 https://apt.releases.hashicorp.com ${DISTRIBUTION} main
SRC

cat <<'EXE' | sudo bash
apt-get update && apt-get install -y vault
systemctl disable --now vault.service
systemctl stop          vault.service
systemctl mask          vault.service
systemctl status        vault.service
vault version
which vault
EXE

export VAULT_TOKEN='hvs.40aTe1S58DWIstRk4bHPgESg'
export VAULT_ADDR='https://vault.shahed.biz.ops'
vault status

export VAULT_SKIP_VERIFY=true
export VAULT_FORMAT=yaml
vault login

Auth

# Enabled userpass auth method
vault auth enable userpass

# Enabled kubernetes auth method
vault auth enable kubernetes

Auth » Userpass
vault write auth/userpass/users/shahed password='sadaqah!' vault list auth/userpass/users unset VAULT_TOKEN	vault login -method=userpass username=shahed cat ~/.vault-token rm ~/.vault-token

Auth » Kubernetes

export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
kubectl get --raw /.well-known/openid-configuration|yq -P
kubectl get service kubernetes -n default
kubectl cluster-info

vault write auth/kubernetes/config \
  kubernetes_host='https://kubernetes.default.svc.cluster.local'

vault read  auth/kubernetes/config

Auth » Kubernetes » shahed-ab

cat ${HOME}/.kube/shahed-ab-kubeconfig.yaml \
 | yq -r '.clusters[0].cluster.certificate-authority-data'|base64 -d


export KUBECONFIG="${HOME}/.kube/shahed-ab-kubeconfig.yaml"
kubectl get --raw /.well-known/openid-configuration|yq -P
kubectl get service kubernetes -n default
kubectl cluster-info

vault auth enable -path='k8s/shahed/ab' kubernetes

cat ${HOME}/.kube/shahed-ab-kubeconfig.yaml \
 | yq -r '.clusters[0].cluster.certificate-authority-data'|base64 -d \
 | vault write auth/k8s/shahed/ab/config kubernetes_host='https://10.20.40.2:8443' \
   kubernetes_ca_cert=@/dev/stdin disable_local_ca_jwt='true'

vault read auth/k8s/shahed/ab/config

Skipped » Find More 👉 Vault » Engine » KV Skipped » Find More 👉 Vault » K8s » Config

Policy

Role

cat <<'INI' | vault policy write policy-shahed-ab -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI

vault policy read  policy-shahed-ab

vault kv get -mount=shahed/academia/dev audit
kubectl  get sa -n vault-secrets-operator-system
kubectl  get --raw /.well-known/openid-configuration|yq -P .issuer

vault write auth/kubernetes/role/role-shahed-ab bound_service_account_names=default \
  bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab \
  audience='https://kubernetes.default.svc.cluster.local' ttl=24h

vault read  auth/kubernetes/role/role-shahed-ab

Policy

Role

cat <<'INI' | vault policy write policy-shahed-ab-eso -
# Mount : shahed/academia/dev
# Secret: audit
path "shahed/academia/dev/data/audit" {
  capabilities = ["read"]
}
INI

vault policy read  policy-shahed-ab-eso

vault kv get -mount=shahed/academia/dev audit
kubectl  get sa -n external-secrets-operator-system
kubectl  get --raw /.well-known/openid-configuration|yq -P .issuer

vault write auth/kubernetes/role/role-shahed-ab-eso bound_service_account_names=default \
  bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab-eso \
  audience='https://kubernetes.default.svc.cluster.local' ttl=24h

vault read  auth/kubernetes/role/role-shahed-ab-eso

vault auth disable userpass
vault auth list

vault auth disable k8s/shahed/ab
vault auth disable kubernetes

Engine » KV

KV » V1
Enable	Disable
vault secrets enable -path=chorke/academia/prod kv vault secrets enable -path=chorke/academia/uat kv vault secrets enable -path=chorke/academia/dev kv	vault secrets disable chorke/academia/prod vault secrets disable chorke/academia/uat vault secrets disable chorke/academia/dev
vault kv put chorke/academia/dev/mariadb username='academia' password='60NZ5sonTeHGAiXm' vault kv get -field=password chorke/academia/dev/mariadb vault kv get chorke/academia/dev/mariadb
vault secrets disable chorke/academia/dev vault kv get chorke/academia/dev/mariadb	vault secrets enable -path=chorke/academia/dev kv vault kv get chorke/academia/dev/mariadb

KV » V2
Enable	Disable
vault secrets enable -path=shahed/academia/prod kv-v2 vault secrets enable -path=shahed/academia/uat kv-v2 vault secrets enable -path=shahed/academia/dev kv-v2	vault secrets disable shahed/academia/prod vault secrets disable shahed/academia/uat vault secrets disable shahed/academia/dev
Create	Update
vault kv put shahed/academia/dev/pgsql username='academia' password='60NZ5sonTeHGAiXm' vault kv get -field=password shahed/academia/dev/pgsql vault kv get shahed/academia/dev/pgsql vault kv get -version 2 shahed/academia/dev/pgsql vault kv get -version 1 shahed/academia/dev/pgsql	vault kv put shahed/academia/dev/pgsql username='academia' password='26SJEnMWSjnXYrgs' vault kv delete -versions 2 shahed/academia/dev/pgsql vault kv get -field=password shahed/academia/dev/pgsql vault kv rollback -version 1 shahed/academia/dev/pgsql vault kv get -field=password shahed/academia/dev/pgsql
vault secrets disable shahed/academia/dev vault kv get shahed/academia/dev/pgsql	vault secrets enable -path=shahed/academia/dev kv-v2 vault kv get shahed/academia/dev/pgsql
Properties	Fetch
echo && \ yq -o=json <<'YML' \ \| vault kv put shahed/academia/dev/audit @/dev/stdin --- spring.datasource.url: jdbc:postgresql://192.168.49.1:5432/shahed_academia_dev spring.datasource.password: DHJuWrvIqhZjvAWl spring.datasource.username: academia spring.datasource.platform: postgres app.smtp.username: no-reply@shahed.biz app.smtp.password: 3gT5WOAg6Ob0tFjC app.smtp.alias: no-reply@chorke.org app.smtp.host: smtp.gmail.com YML	vault kv get shahed/academia/dev/audit vault kv get -field=app.smtp.password shahed/academia/dev/audit vault kv get -field=spring.datasource.password shahed/academia/dev/audit echo ;\ vault kv get -format=json shahed/academia/dev/audit \ \| jq -r '.data.data \|to_entries\|map(.key + "=" + .value)\|.[]' echo ;\ vault kv get -format=yaml shahed/academia/dev/audit \ \| yq -r '.data.data \|to_entries\|map(.key + "=" + .value)\|.[]'
Properties	Fetch
echo && \ yq -o=json <<'YML' \ \| jq -r 'to_entries\|map({key:(.key\|gsub("\\.";"_")\|ascii_upcase),value:.value})\|from_entries' \ \| vault kv put shahed/academia/dev/audit @/dev/stdin --- spring.datasource.url: jdbc:postgresql://192.168.49.1:5432/shahed_academia_dev spring.datasource.password: DHJuWrvIqhZjvAWl spring.datasource.username: academia spring.datasource.platform: postgres app.smtp.username: no-reply@shahed.biz app.smtp.password: 3gT5WOAg6Ob0tFjC app.smtp.alias: no-reply@chorke.org app.smtp.host: smtp.gmail.com YML	vault kv get shahed/academia/dev/audit vault kv get -field=APP_SMTP_PASSWORD shahed/academia/dev/audit vault kv get -field=SPRING_DATASOURCE_PASSWORD shahed/academia/dev/audit

KV » K8s
K8s » Secret
vault kv get -format=json shahed/academia/dev/audit \ \| jq -r '.data.data \|to_entries\|map(.key + "=" + .value)\|.[]' \ \| kubectl -n shahed-academia create secret generic academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml
vault kv get -format=json shahed/academia/dev/audit \ \| jq -r '.data.data \|to_entries\|map(.key + "=" + .value)\|.[]' \ \| kubectl -n shahed-academia create secret generic academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml \ \| yq '.metadata.labels += { "app.kubernetes.io/component": "secret-sync", "app.kubernetes.io/managed-by": "shahed-devops", "app.kubernetes.io/name": "vault-secrets-devops" }' \ \| kubectl apply -f -
K8s » ConfigMap
vault kv get -format=json shahed/academia/dev/audit \ \| jq -r '.data.data \|to_entries\|map(.key + "=" + .value)\|.[]' \ \| kubectl -n shahed-academia create configmap academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml
vault kv get -format=json shahed/academia/dev/audit \ \| jq -r '.data.data \| to_entries \| map(.key + "=" + .value) \| .[]' \ \| kubectl -n shahed-academia create configmap academia-audit --from-env-file=/dev/stdin --dry-run=client -o=yaml \ \| yq '.metadata.labels += { "app.kubernetes.io/component": "secret-sync", "app.kubernetes.io/managed-by": "shahed-devops", "app.kubernetes.io/name": "vault-secrets-devops" }' \ \| kubectl apply -f -

Skipped » Find More 👉 Vault » Auth Skipped » Find More 👉 Vault » K8s » Config

Engine » DB

# Enabled the database secrets engine
vault secrets enable database

Database » PostgreSQL

echo -n 'Password: ';read -s VAULT_PASSWORD;export VAULT_PASSWORD;echo
echo "${VAULT_PASSWORD}"

Password: sadaqah!

cat << DDL | sudo -i -u postgres psql
\! printf '\n'
SELECT 'CREATE DATABASE shahed_ab_vault' 
WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'shahed_ab_vault')\gexec
CREATE USER shahed_ab_vault WITH ENCRYPTED PASSWORD '${VAULT_PASSWORD}';
GRANT ALL PRIVILEGES ON DATABASE shahed_ab_vault TO shahed_ab_vault;
ALTER DATABASE shahed_ab_vault OWNER TO shahed_ab_vault;
DDL

PostgreSQL » Setup
vault write database/config/shahed-ab-psql \ plugin_name='postgresql-database-plugin' allowed_roles='shahed-ab-psql-academia' \ connection_url='postgresql://{{username}}:{{password}}@192.168.49.1:5432/shahed_ab_vault' \ username='shahed_ab_vault' password='sadaqah!' \ password_authentication='scram-sha-256' vault read database/config/shahed-ab-psql
vault write database/roles/shahed-ab-psql-academia db_name="shahed-ab-psql" \ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \ GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \ default_ttl="1h" \ max_ttl="24h" vault read database/roles/shahed-ab-psql-academia vault read database/creds/shahed-ab-psql-academia
vault read database/config/shahed-ab-psql vault read database/roles/shahed-ab-psql-academia vault read database/creds/shahed-ab-psql-academia	vault lease lookup database/creds/shahed-ab-psql-academia/ID vault lease renew database/creds/shahed-ab-psql-academia/ID vault lease revoke database/creds/shahed-ab-psql-academia/ID
vault delete database/roles/shahed-ab-psql-academia vault delete database/config/shahed-ab-psql

PostgreSQL » Static

vault write database/config/shahed-ab-psql \
  plugin_name='postgresql-database-plugin' allowed_roles='shahed-ab-psql-academia' \
  connection_url='postgresql://{{username}}:{{password}}@192.168.49.1:5432/shahed_ab_vault' \
  self_managed=true

vault read database/config/shahed-ab-psql

vault write database/static-roles/shahed-ab-psql-academia db_name="shahed-ab-psql" \
  username='shahed_ab_vault' self_managed_password='sadaqah!' \
  rotation_period='1h'

vault read database/static-roles/shahed-ab-psql-academia
vault read database/static-creds/shahed-ab-psql-academia

Database » MariaDB

echo -n 'Password: ';read -s VAULT_PASSWORD;export VAULT_PASSWORD;echo
echo "${VAULT_PASSWORD}"

Password: sadaqah!

cat << DDL | sudo -i -u root mariadb
CREATE DATABASE IF NOT EXISTS shahed_ab_vault;
CREATE USER 'shahed_ab_vault'@'%' IDENTIFIED BY '${VAULT_PASSWORD}';
GRANT ALL PRIVILEGES ON shahed_ab_vault.* TO 'shahed_ab_vault'@'%';
FLUSH PRIVILEGES;
DDL

MariaDB » Setup
vault write database/config/shahed-ab-mariadb \ plugin_name='mysql-database-plugin' allowed_roles='shahed-ab-mariadb-academia' \ connection_url="{{username}}:{{password}}@tcp(192.168.49.1:3306)/" \ username='shahed_ab_vault' password='sadaqah!' vault read database/config/shahed-ab-mariadb
vault write database/roles/shahed-ab-mariadb-academia db_name="shahed-ab-mariadb" \ creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON . TO '{{name}}'@'%';" \ default_ttl='1h' max_ttl='24h' vault read database/roles/shahed-ab-mariadb-academia vault read database/creds/shahed-ab-mariadb-academia
vault read database/config/shahed-ab-mariadb vault read database/roles/shahed-ab-mariadb-academia vault read database/creds/shahed-ab-mariadb-academia	vault lease lookup database/creds/shahed-ab-mariadb-academia/ID vault lease renew database/creds/shahed-ab-mariadb-academia/ID vault lease revoke database/creds/shahed-ab-mariadb-academia/ID
vault delete database/roles/shahed-ab-mariadb-academia vault delete database/config/shahed-ab-mariadb

MariaDB » Static

vault write database/config/shahed-ab-mariadb \
  plugin_name='mysql-database-plugin' allowed_roles='shahed-ab-mariadb-academia' \
  connection_url="{{username}}:{{password}}@tcp(192.168.49.1:3306)/" \
  root_rotation_statements="SET PASSWORD = PASSWORD('{{password}}')" \
  username='shahed_ab_vault' password='sadaqah!'

vault read database/config/shahed-ab-mariadb

vault write database/roles/shahed-ab-mariadb-academia db_name="shahed-ab-mariadb" \
  creation_statements="Q1JFQVRFIFVTRVIgJ3t7bmFtZX19J0AnJScgSURFTlRJRklFRCBCWSAne3twYXNzd29yZH19JzsgR1JBTlQgU0VMRUNUIE9OIGBzaGFoZWRfYWJfdmF1bHRgLiogVE8gJ3t7bmFtZX19J0AnJSc7" \
  default_ttl='1h' max_ttl='24h'

vault read database/roles/shahed-ab-mariadb-academia
vault read database/creds/shahed-ab-mariadb-academia

Database » Redis

Token » Init

Init » Root
OTP	Decode
vault operator generate-root -init :' A One-Time-Password has been generated for you and is shown in the OTP field. You will need this value to decode the resulting root token, so keep it safe. Nonce aea98c59-32f6-af94-ee89-d7344e9f0b37 Started true Progress 0/3 Complete false OTP o4MnFIV3G4xUsibNjYkrOXhGrw2z OTP Length 28 '	vault operator generate-root \ -decode="ENCODED_TOKEN_HERE" \ -otp="OTP_FROM_STEP_1_HERE" vault operator generate-root \ -decode="B0I+QHJ5N2ciBStgSy01BxktORl7OiAXFTJhHQ" \ -otp="o4MnFIV3G4xUsibNjYkrOXhGrw2z" :' hvs.40aTe1S58DWIstRk4bHPgESg '
Progress 1/3	Progress 2/3
vault operator generate-root :' Operation nonce: aea98c59-32f6-af94-ee89-d7344e9f0b37 Unseal Key (will be hidden): Nonce aea98c59-32f6-af94-ee89-d7344e9f0b37 Started true Progress 1/3 Complete false '	vault operator generate-root :' Operation nonce: aea98c59-32f6-af94-ee89-d7344e9f0b37 Unseal Key (will be hidden): Nonce aea98c59-32f6-af94-ee89-d7344e9f0b37 Started true Progress 2/3 Complete false '
Progress 3/3	Status
vault operator generate-root :' Operation nonce: aea98c59-32f6-af94-ee89-d7344e9f0b37 Unseal Key (will be hidden): Nonce aea98c59-32f6-af94-ee89-d7344e9f0b37 Started true Progress 3/3 Complete true Encoded Token B0I+QHJ5N2ciBStgSy01BxktORl7OiAXFTJhHQ '	export VAULT_TOKEN='hvs.40aTe1S58DWIstRk4bHPgESg' export VAULT_ADDR='https://vault.shahed.biz.ops' vault status vault list auth/userpass/users

Playground

echo "$(cat /dev/urandom|tr -dc 'A-Za-z0-9'|head -c 40)"
echo "$(cat /dev/urandom|tr -dc 'A-Za-z0-9'|head -c 20)"
echo "$(cat /dev/urandom|tr -dc 'A-Za-z0-9'|head -c 16)"
echo "$(cat /dev/urandom|tr -dc 'A-Za-z0-9'|head -c  8)"

vault auth    list
vault audit   list
vault policy  list
vault secrets list

vault operator init -key-shares=5 -key-threshold=3
vault token lookup
vault status

vault operator unseal '/bvRmLPLF8MnfOQQWrhdqAmLBSKfNtSSkcyWY/uXZ0+F'
vault operator unseal 'Jh5mA+DwX/zlU+3jvxlgNarSzAOBRHvNcF3QOoGtzl/h'
vault operator unseal 'DqUWoe6MN6oDKi3bYoZuXSbT0ZpT0/Pbg0kpTkhkUfVP'

# self destructive or dangerous
vault token revoke -self

References

References
Vault » Docs » Secrets management Vault » Helm » Secrets Operator Vault » Docs » Build your CA Vault » Docs » Cheatsheet Vault » Docs » Monitoring Vault » Docs » How Vault » Docs » Why Vault » Install Vault » Helm	Vault » Engine » Databases » PostgreSQL Vault » Engine » Databases » MariaDB Vault » Engine » Databases » Redis Vault » Engine » Databases Vault » Properties To YAML
K8s » CSI Hostpath Driver K8s » Swiss Knife K8s » Storage K8s » Ingress K8s » Service K8s » Secret K8s » Run MinIO CIDR UFW	Security » HTTP » Basic Authentication Security » OpenLDAP » BackSQL Security » `makepasswd` » SCM Security » `makepasswd` Security » Certificate Security » ZA Proxy Security » Domain Security » Spring Security » HTTP Security » Java	Security » SSH » Public Key Authentication Security » Container » Snyk Security » Container » Trivy Security » Certificate » TLS Security » Wireshark Security » Password Security » Jasypt
Kubernetes Multipass Minikube Podman Vagrant Docker Qemu Helm K9s K8s	Terraform Proxmox Kubectl Ansible LXC Git

@@ Line 162: / Line 162: @@
 !scope='col'| Policy
 !scope='col'| Role
+|-
 |-
 |valign='top'|
@@ Line 172: / Line 173: @@
 }
 INI
 vault policy read  policy-shahed-ab-eso
@@ Line 183: / Line 183: @@
 kubectl  get --raw /.well-known/openid-configuration|yq -P .issuer
-vault write auth/kubernetes/role/role-shahed-ab-eso bound_service_account_names=eso \
+vault write auth/kubernetes/role/role-shahed-ab-eso bound_service_account_names=default \
-   bound_service_account_namespaces=external-secrets-operator-system \
+   bound_service_account_namespaces=shahed-academia policies=policy-shahed-ab-eso \
-  policies=policy-shahed-ab-eso \
    audience='https://kubernetes.default.svc.cluster.local' ttl=24h

Vault: Difference between revisions

Revision as of 16:21, 23 January 2026

Contents

Auth

Engine » KV

Engine » DB

Token » Init

Playground

References

Navigation menu

Vault: Difference between revisions

Revision as of 16:21, 23 January 2026

Auth

Engine » KV

Engine » DB

Token » Init

Playground

References

Navigation menu

Search