brew tap hashicorp/tap
brew install hashicorp/tap/vault
vault version
vault status
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=vault_token
vault server -dev
vault login
vault login -address="http://127.0.0.1:8200" $root_token
vault login -method=userpass username=admin
- remove
~/.vault_token
vault token revoke s.iyNUhq8Ov4hIAx6snw5mB2nL
vault token revoke -mode path auth/github
vault token create
vault auth list
vault auth disable github
vault auth tune -description="Globomantics Userpass" userpass/
vault auth enable userpass #enable
vault write auth/userpass/users/ned password=tacos policies="test" # create user
vault write auth/userpass/users/adam role_name="webapp" secret_id_num_uses=1 secret_id_ttl=2h # create user
# Read-only permission on 'secret/data/mysql/*' path
path "secret/data/mysql/*" {
capabilities = [ "read", "update" ]
}
vault auth enable approle # enable
vault policy write jenkins jenkins-pol.hcl
vault write auth/approle/role/jenkins token_policies="jenkins" token_ttl=1h token_max_ttl=4h
vault read auth/approle/role/jenkins # Read to verify
vault read auth/approle/role/jenkins/role-id # Get role ID
vault write -f auth/approle/role/jenkins/secret-id # Get secret ID
vault write auth/approle/login role_id="ROLE_ID" secret_id="SECRET_ID" # Login using AppRole
vault write -wrap-ttl=60s -f auth/approle/role/jenkins/secret-id
VAULT_TOKEN=s.2kAzCgg1kN7vdpE1xxZxzpug vault unwrap
- Use limit tokens: Tokens that are only good to invoke a specific number of operations.
vault token create -ttl=1h -use-limit=2 -policy=default
- Periodic service tokens: Tokens that can be renewed indefinitely.
vault token create -policy="default" -period=24h
- Short-lived tokens: Tokens that are valid for a short time to avoid keeping unused tokens.
vault token create -ttl=60s
- Orphan tokens: Tokens that are root of their own token tree.
vault token create -orphan
- Batch tokens: not persisted, lightweight and scalable token. They are encrypted binary large objects (blobs) that carry enough information for them to be used for Vault actions.
vault token create -type=batch -policy=test -ttl=20m
- refer to Service Tokens vs. Batch Tokens
vault write auth/token/roles/zabbix \
allowed_policies="policy1, policy2, policy3" \
orphan=true \
period=8h
vault token create -role=zabbix
vault token renew $TOKEN
vault token renew -increment=60 $TOKEN # Renew and extend the token's TTL to 60 seconds
vault token lookup $TOKEN
Subcommands:
disable Disable a secret engine
enable Enable a secrets engine
list List enabled secrets engines
move Move a secrets engine to a new path
tune Tune a secrets engine configuration
- By default, Vault enables Key/Value version2 secrets engine (kv-v2) at the path secret/ when running in dev mode.
vault secrets enable -path=kv kv
vault secrets enable kv
vault secrets enable -version=2 kv
vault secrets list
vault secrets list -detailed
vault kv put secret/key1 some=42
vault kv put secret/hello foo=world excited=yes
vault kv get -format=json secret/hello | jq -r .data.data.excited
vault kv get -version=1 secret/hello
vault kv get secret/key1
vault kv get -field=excited secret/hello
vault kv delete secret/key1
vault kv undelete -versions=2 secret/key1
vault kv destroy -versions=1,2 secret/key1
vault kv metadata delete secret/key1
vault secrets disable kv/
vault secrets move dev prod
vault kv enable-versioning dev-secrets
vault secrets enable database
mysql -u root -p
CREATE ROLE 'dev-role';
CREATE USER 'vault'@'<YourPublicIP>' IDENTIFIED BY 'AsYcUdOP426i';
CREATE DATABASE devdb;
GRANT ALL ON *.* TO 'vault'@'<YourPublicIP>';
GRANT GRANT OPTION ON devdb.* TO 'vault'@'<YourPublicIP>';
vault write database/config/dev-mysql-database \
plugin_name=mysql-database-plugin \
connection_url="{{username}}:{{password}}@tcp(MY_SQL_IP:3306)/" \
allowed_roles="dev-role" \
username="vault" \
password="password"
vault write database/roles/dev-role \
db_name=dev-mysql-database \
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT ALL ON devdb.* TO '{{name}}'@'%';" \
default_ttl="1h" \
max_ttl="24h"
vault read database/creds/dev-role
vault lease renew -increment=3600 database/creds/dev-role/LEASE_ID
vault lease revoke database/creds/dev-role/LEASE_ID
vault secrets enable -path=aws aws
- option 1
export AWS_ACCESS_KEY_ID=<aws_access_key_id>
export AWS_SECRET_ACCESS_KEY=<aws_secret_key>
- option 2
vault write aws/config/root \
access_key=$AWS_ACCESS_KEY_ID \
secret_key=$AWS_SECRET_ACCESS_KEY \
region=us-east-1
vault write aws/roles/my-role \
credential_type=iam_user \
policy_document=-<<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1426528957000",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": [
"*"
]
}
]
}
EOF
vault read aws/creds/my-role
# Policy example
# Manage secrets engines
path "sys/mounts/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List existing secrets engines.
path "sys/mounts" {
capabilities = ["read"]
}
# Deny access to privileged financial data
path "financial/data/apitokens/privleged*" {
capabilities = ["deny"]
}
path "financial/metadata/apitokens/privileged*" {
capabilities = ["deny"]
}
vault policy list
vault policy write secrets-mgmt secrets-mgmt.hcl
vault policy read secrets-mgmt
vault policy write accounting accounting-revised.hcl
vault policy delete accounting