IT NEET living in the countryside

bkds

Vault notes

Installing Vault

Vault is installed by following the official instructions.

# Download the HashiCorp GPG signing key
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg

# Register the HashiCorp apt repository (packages are verified with the key above)
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list

# Install vault
sudo apt update && sudo apt install vault

Configuring Vault

Create config.hcl

storage "file" {
        path = "vault-data"
}

listener "tcp" {
        address = "10.10.10.10:8200"
        tls_disable = "true"
}

api_addr = "http://10.10.10.10:8200"
ui = true
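The config.hcl above serves the API in plaintext (tls_disable = "true"), so the root token, unseal keys and every secret read later cross the network unencrypted. As an added example, not part of the original post, here is the same file with the listener serving TLS instead. The certificate and key paths are assumptions; the storage block and listener address are the ones from the post.

```hcl
# Added example, not the original post's config: same single-node file storage,
# but the TCP listener terminates TLS instead of disabling it.
storage "file" {
  path = "vault-data"
}

listener "tcp" {
  address         = "10.10.10.10:8200"
  tls_cert_file   = "/etc/vault.d/vault.crt"   # assumed path: server certificate (PEM)
  tls_key_file    = "/etc/vault.d/vault.key"   # assumed path: private key (PEM)
  tls_min_version = "tls12"                    # reject TLS 1.0/1.1 clients
}

# Clients and the CLI now have to use https:// for VAULT_ADDR.
api_addr = "https://10.10.10.10:8200"
ui = true
```

With this listener the CLI commands later in the post are unchanged, except that VAULT_ADDR becomes https://10.10.10.10:8200 and, if the certificate is not issued by a CA in the system trust store, VAULT_CACERT must point at the issuing CA certificate.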

Starting Vault

# Start the server
vault server -config=config.hcl

# Initialize vault
vault operator init

Save the keys

Unseal Key 1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Unseal Key 2: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
Unseal Key 3: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
Unseal Key 4: dddddddddddddddddddddddddddddddddddddddddddd
Unseal Key 5: llllllllllllllllllllllllllllllllllllllllllll

Initial Root Token: hvs.uuuuuuuuuuuuuuuuuuuuuuuu

Adding a key to vault

# Unseal Vault so that it can be used (repeat with 3 of the 5 keys, the default threshold)
vault operator unseal

# Log in
vault login

# Create a key-value v2 secrets engine
vault secrets enable -path=secret kv-v2

# Check
vault secrets list
--
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_rrrrrrrr    per-token private secret storage
identity/     identity     identity_iiiiiiii     identity store
secret/       kv           kv_gggggggg           n/a
sys/          system       system_hhhhhhhh       system endpoints used for control, policy and debugging
--

# Add a secret
vault kv put -mount=secret money [email protected] password=fdfasfsfafsf

# Check
vault kv get secret/money

Adding a policy

vault policy write app-policy - << EOF
path "secret/data/*" {
  capabilities = ["read"]
}
EOF

# Check
vault policy read app-policy

Adding an AppRole

# Enable the approle auth method
vault auth enable approle

# Add an approle and attach the policy
vault write auth/approle/role/go-app policies="app-policy"

# Check the roles
vault list auth/approle/role

# Check the role id
vault read auth/approle/role/go-app/role-id
--
Key        Value
---        -----
role_id    xxxxxxxx-yyyy-zzzz-aaaa-jjjjjjjj
--

# Generate a secret id and display it
vault write -f auth/approle/role/go-app/secret-id
--
Key                   Value
---                   -----
secret_id             tttttttt-aaaa-ssss-ffff-jjjjjjjjjjjj
secret_id_accessor    aaaaaaaa-vvvv-bbbb-nnnn-qqqqqqqqqqqq
secret_id_num_uses    0
secret_id_ttl         0s
--

Update

# Only accept the secret id from clients inside this CIDR
vault write auth/approle/role/go-app secret_id_bound_cidrs="10.10.10.10/16"

vault read auth/approle/role/go-app
--
Key                        Value
---                        -----
bind_secret_id             true
local_secret_ids           false
policies                   [app-policy]
secret_id_bound_cidrs      [10.10.10.10/16]
secret_id_num_uses         0
secret_id_ttl              0s
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [app-policy]
token_ttl                  0s
token_type                 default
--
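The post stops once the role id and secret id exist. As an added example that is not part of the original post, the following Python script does what the application (the "go-app" the role is named for) would do next: log in to auth/approle/login with the two ids, then read secret/money with the returned token, using only the standard library against Vault's HTTP API. It also shows why the policy above says secret/data/* while the CLI says secret/money: kv-v2 inserts a data/ segment in the API path, and the policy_allows helper checks the policy against that API path. The environment variables VAULT_ADDR, VAULT_CACERT, ROLE_ID and SECRET_ID, and the sample responses, are assumptions made for this example; the endpoints and response fields are Vault's own.

```python
"""Added example (not from the original post): AppRole login and kv-v2 read
over Vault's HTTP API, plus a small policy check.

Assumptions: VAULT_ADDR (and VAULT_CACERT for a private CA), ROLE_ID and
SECRET_ID come from the environment; the role and mount are the ones created
in the post (auth/approle/role/go-app, secret/).
"""
import json
import os
import ssl
import urllib.request


def kv2_api_path(mount: str, key: str) -> str:
    """Map the CLI form `vault kv get <mount>/<key>` to the kv-v2 API path.
    kv-v2 stores data under <mount>/data/<key>, which is why the policy in the
    post grants secret/data/* rather than secret/*."""
    return f"{mount}/data/{key}"


def policy_allows(policy_paths: dict, api_path: str, capability: str) -> bool:
    """Check one policy (path stanza -> capabilities) against an API path.
    A trailing '*' matches any suffix, as in Vault; when several stanzas
    match, Vault applies the most specific one, modelled here as the longest
    matching pattern. (Vault's '+' single-segment wildcard is not handled.)"""
    best = None
    for pattern, caps in policy_paths.items():
        if pattern.endswith("*"):
            matched = api_path.startswith(pattern[:-1])
        else:
            matched = api_path == pattern
        if matched and (best is None or len(pattern) > len(best[0])):
            best = (pattern, caps)
    return best is not None and capability in best[1]


def client_token_from_login(body: dict) -> str:
    """The login response carries the token under auth.client_token."""
    return body["auth"]["client_token"]


def secret_data_from_kv2(body: dict) -> dict:
    """kv-v2 wraps the user's key/values in data.data; data.metadata holds
    the version, so a plain body["data"] would return the wrong level."""
    return body["data"]["data"]


def _request(url: str, body=None, token=None) -> dict:
    # urllib verifies the server certificate by default; VAULT_CACERT (the
    # CLI's own variable) supplies a private CA when one is used.
    ctx = ssl.create_default_context(cafile=os.environ.get("VAULT_CACERT"))
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
        return json.load(resp)


def approle_login(addr: str, role_id: str, secret_id: str) -> str:
    """POST auth/approle/login. Fails (HTTP 4xx) if the client is outside
    secret_id_bound_cidrs or the secret id is already used up."""
    body = _request(f"{addr}/v1/auth/approle/login",
                    {"role_id": role_id, "secret_id": secret_id})
    return client_token_from_login(body)


def read_kv2(addr: str, token: str, mount: str, key: str) -> dict:
    """GET <mount>/data/<key> with the AppRole token."""
    return secret_data_from_kv2(_request(f"{addr}/v1/{kv2_api_path(mount, key)}", token=token))


# Constructed sample responses (shape only; values are placeholders).
SAMPLE_LOGIN_RESPONSE = {"auth": {"client_token": "hvs.PLACEHOLDER", "lease_duration": 0,
                                  "token_policies": ["default", "app-policy"]}}
SAMPLE_KV_RESPONSE = {"data": {"data": {"password": "PLACEHOLDER"},
                               "metadata": {"version": 1}}}
APP_POLICY = {"secret/data/*": ["read"]}  # the app-policy written in the post


if __name__ == "__main__":
    path = kv2_api_path("secret", "money")
    print(path, "readable:", policy_allows(APP_POLICY, path, "read"))
    if os.environ.get("VAULT_ADDR"):
        token = approle_login(os.environ["VAULT_ADDR"], os.environ["ROLE_ID"], os.environ["SECRET_ID"])
        print(read_kv2(os.environ["VAULT_ADDR"], token, "secret", "money"))
    else:
        print(client_token_from_login(SAMPLE_LOGIN_RESPONSE), secret_data_from_kv2(SAMPLE_KV_RESPONSE))
```

Run it with VAULT_ADDR, ROLE_ID and SECRET_ID set to use the live server; without VAULT_ADDR it only exercises the path mapping and the parsers on the constructed responses. The policy check also shows what app-policy does not grant: secret/metadata/money (listing or deleting versions) and any write to secret/data/money are outside secret/data/* with read, so the app token can only read.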