Vault
Instructions
vault init -key-shares=1 -key-threshold=1 # initialize Vault with a single unseal key (lab setting; production splits the master key, e.g. 5 shares with a threshold of 3)
vault seal # seal vault
vault unseal <key> # unseal vault
vault auth <root token> # authenticate the CLI with a token (here the initial root token printed by init)
vault write secret/<path> <key>=<value>
vault read -format=json secret/<path>
vault delete secret/<path>
# examples
vault write secret/hello value=world excited=yes
vault read -format=json secret/hello | jq -r .data.excited
vault mount generic               # mount a generic (key/value) backend at generic/
vault mount aws                   # mount the aws backend at aws/
vault mount -path=<path> <type>   # mount a backend at a custom path
vault unmount generic/            # unmount
vault mounts # show mounts
vault path-help aws                 # list the paths the aws backend exposes
vault path-help aws/creds/operator  # help for one path (operator is a role name)
Tokens
vault token-create
vault token-revoke <token_id>
vault auth <token_id>
Auth backend - https://www.vaultproject.io/intro/getting-started/authentication.html
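The init, unseal and token commands above, put together as an added example (this script is not part of the original cheat sheet): it initializes with a real Shamir split instead of one share with threshold one, parses the unseal keys and root token out of the `vault init` output, unseals with exactly the threshold number of keys, checks `vault status`, and then hands out a short-lived, policy-bound token so the root token can go back into storage. It assumes the pre-0.9 CLI used on this page, the text output formats `Unseal Key N: <key>` / `Initial Root Token: <token>` for init and `Sealed: true|false` for status, and an exported `VAULT_ADDR`.

```shell
#!/usr/bin/env bash
# Added example, not part of the original cheat sheet: bring up Vault with a
# real Shamir split instead of -key-shares=1 -key-threshold=1, pull the unseal
# keys and root token out of the `vault init` output, unseal with exactly the
# threshold, and switch to a short-lived scoped token instead of working as root.
# Assumes the pre-0.9 CLI used on this page, the text output formats
# "Unseal Key N: <key>" / "Initial Root Token: <token>" (init) and
# "Sealed: true|false" (status), and VAULT_ADDR already exported.
set -eu

SHARES="${SHARES:-5}"        # number of key shares handed to distinct operators
THRESHOLD="${THRESHOLD:-3}"  # how many of them must be present to unseal

# Print one unseal key per line from `vault init` output on stdin
# (accepts both "Unseal Key N:" and the older "Key N:" spelling).
parse_unseal_keys() {
    sed -n 's/^\(Unseal \)\{0,1\}Key [0-9][0-9]*: *\(.*\)$/\2/p'
}

# Print the initial root token from `vault init` output on stdin.
parse_root_token() {
    sed -n 's/^Initial Root Token: *\(.*\)$/\1/p' | head -n 1
}

# Succeed when `vault status` output on stdin reports Sealed: true.
is_sealed() {
    grep -q '^Sealed: *true'
}

# Feed keys from stdin to `vault unseal`, stopping at THRESHOLD: fewer leaves
# the vault sealed, more is wasted (and exposes a share that need not be typed).
# Prints the number of keys actually used.
unseal_with_threshold() {
    n=0
    while IFS= read -r key; do
        [ "$n" -lt "$THRESHOLD" ] || break
        vault unseal "$key" >/dev/null </dev/null
        n=$((n + 1))
    done
    echo "$n"
}

# Full bootstrap against a live server. Keys and root token are printed exactly
# once by init, so this is the moment to store them (ideally each share with a
# different person), not to pipe them into a log.
bootstrap() {
    init_out="$(vault init -key-shares="$SHARES" -key-threshold="$THRESHOLD")"
    root="$(printf '%s\n' "$init_out" | parse_root_token)"
    printf '%s\n' "$init_out" | parse_unseal_keys | unseal_with_threshold >/dev/null
    if vault status | is_sealed; then
        echo "vault is still sealed after $THRESHOLD keys" >&2
        return 1
    fi
    vault auth "$root" >/dev/null
    # Day-to-day work gets a token bound to a policy with a 1h TTL; the root
    # token goes back into storage.
    vault token-create -policy=default -ttl=1h
}

# Only talk to a real server when asked, so the helpers above can be sourced
# and tested on their own:  ./vault-bootstrap.sh bootstrap
if [ "${1:-}" = "bootstrap" ]; then
    bootstrap
fi
```

The script stops after exactly `THRESHOLD` keys on purpose: on a 5/3 split the operators holding shares 4 and 5 should never have to reveal them for a routine unseal, and the count it prints is the thing to check if the vault is unexpectedly still sealed afterwards.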
AWS
vault mount aws
vault write aws/config/root access_key=<ACCESS_KEY> secret_key=<SECRET_KEY>
# file policy.json (grants ec2:* on every resource: fine for a demo, scope it down before real use)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1426528957000",
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
vault write aws/roles/deploy policy=@policy.json
# generate credentials
vault read aws/creds/deploy # creates an IAM user carrying the policy; prints access_key, secret_key and a lease_id
vault revoke <lease_id> # revoke the lease: Vault deletes the IAM user and its keys
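The same aws backend flow as an added example (not code from the original cheat sheet): it configures the backend with a bounded lease, registers a role whose IAM policy is narrower than `ec2:*` on `*`, then runs one command with freshly minted credentials and revokes the lease the moment the command exits. It assumes the pre-0.9 paths on this page (`aws/config/root`, `aws/config/lease`, `aws/roles/<name>`, `aws/creds/<name>`), that `vault read -format=json` prints one field per line, and that the root credentials are allowed to create and delete IAM users; the actions and tag name in the replacement policy are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not part of the original cheat sheet: configure the aws
# backend with a bounded lease and a role whose IAM policy is narrower than
# ec2:* on *, then run one command with freshly minted credentials and revoke
# the lease the moment it finishes.
# Assumes the pre-0.9 CLI paths on this page (aws/config/root,
# aws/config/lease, aws/roles/<name>, aws/creds/<name>), that
# `vault read -format=json` prints one field per line, and that the root
# credentials in aws/config/root are allowed to create and delete IAM users.
set -eu

ROLE="${ROLE:-deploy}"

# Replacement for the cheat sheet's ec2:* policy; the allowed actions and the
# tag name are assumptions for illustration, scope them to the real job.
least_privilege_policy() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeOnly",
      "Effect": "Allow",
      "Action": ["ec2:Describe*"],
      "Resource": "*"
    },
    {
      "Sid": "StartStopTaggedInstances",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"StringEquals": {"ec2:ResourceTag/vault-role": "deploy"}}
    }
  ]
}
EOF
}

# One-time setup against a live server (needs AWS_ROOT_ACCESS_KEY,
# AWS_ROOT_SECRET_KEY and AWS_REGION in the environment).
configure_backend() {
    vault mount aws
    vault write aws/config/root \
        access_key="$AWS_ROOT_ACCESS_KEY" secret_key="$AWS_ROOT_SECRET_KEY" region="$AWS_REGION"
    # Issued credentials expire after 1h on their own even if nobody revokes
    # them, and cannot be renewed past 24h.
    vault write aws/config/lease lease=1h lease_max=24h
    vault write aws/roles/"$ROLE" policy="$(least_privilege_policy)"
}

# Pull one string field out of pretty-printed `vault read -format=json` output
# on stdin (first match wins, so the top-level lease_id is found first).
json_field() {
    sed -n "s/^ *\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Run "$@" with credentials from aws/creds/$ROLE in its environment, then
# revoke the lease whether or not the command succeeded: the IAM user is
# deleted now rather than lingering until lease expiry.
with_aws_creds() {
    creds="$(vault read -format=json aws/creds/"$ROLE")"
    lease_id="$(printf '%s\n' "$creds" | json_field lease_id)"
    if [ -z "$lease_id" ]; then
        echo "no lease_id in aws/creds/$ROLE output" >&2
        return 1
    fi
    status=0
    env AWS_ACCESS_KEY_ID="$(printf '%s\n' "$creds" | json_field access_key)" \
        AWS_SECRET_ACCESS_KEY="$(printf '%s\n' "$creds" | json_field secret_key)" \
        "$@" || status=$?
    vault revoke "$lease_id" >/dev/null
    return "$status"
}

# Usage (live server only):
#   ./vault-aws.sh setup
#   ./vault-aws.sh run aws ec2 describe-instances
case "${1:-}" in
    setup) configure_backend ;;
    run)   shift; with_aws_creds "$@" ;;
esac
```

Revoking right after the command is the point of dynamic credentials: the IAM user exists only for the duration of the job, and `aws/config/lease` is the backstop for the case where the revoke never runs. The credentials are passed through the environment of the child process rather than written to a file or a shared shell so nothing is left behind for the next command.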
Docker
https://hub.docker.com/_/vault/
# shell 1: dev server (in-memory storage, starts unsealed, prints the root token,
# listens on 127.0.0.1:8200 only; for experiments, never for real secrets)
vault server -dev
# shell 2 on the same machine: point the CLI at it
export VAULT_ADDR='http://127.0.0.1:8200'