HashiCorp's Vault - The Examples
- 6. How to make secrets secure?
● encryption
● renewing
● revoking
- 14. Download Vault
# Download the 64bit binary
curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_linux_amd64.zip"
# Download checksums and signature
curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_SHA256SUMS"
curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_SHA256SUMS.sig"
# Import the hashicorp public key
curl "https://keybase.io/hashicorp/pgp_keys.asc" | gpg --import
Sample link: https://releases.hashicorp.com/vault/0.6.4/
- 15. Download Vault
# Verify the signature file is untampered.
$ gpg2 --options $project_directory/.gnupg/gpg.conf \
    --verify "vault_${vault_version}_SHA256SUMS.sig" "vault_${vault_version}_SHA256SUMS"
# Verify the SHASUM matches the binary
$ cat "vault_${vault_version}_SHA256SUMS" \
    | grep "vault_${vault_version}_linux_amd64.zip" \
    | shasum -a 256 -c -
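The same checksum step as an added Python example (not from the slides or from HashiCorp): it parses the SHA256SUMS file, hashes the zip in chunks and treats an unlisted file name as a failure rather than as "nothing to check". It only proves integrity against the SHA256SUMS file, so it still belongs after the gpg signature check above. The file names and contents in demo() are constructed samples.

```python
import hashlib
import hmac
import os
import tempfile

def parse_sha256sums(text):
    """Parse `<digest>  <filename>` lines into {filename: digest}; a leading '*' (binary-mode marker) is stripped."""
    sums = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.strip().partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or not name:
            raise ValueError("malformed SHA256SUMS line: %r" % line)
        sums[name] = digest.lower()
    return sums

def sha256_of_file(path, chunk_size=1 << 20):
    # Hash in chunks so a large release zip is not read into memory at once.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_release(zip_path, sums_path):
    """True only if the zip's digest matches its SHA256SUMS entry; an unlisted file fails."""
    with open(sums_path, encoding="utf-8") as f:
        expected = parse_sha256sums(f.read()).get(os.path.basename(zip_path))
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_of_file(zip_path))

def demo():
    """Constructed sample (not a real release): a matching zip, a tampered copy and an unlisted file."""
    d = tempfile.mkdtemp()
    names = ["vault_0.6.4_linux_amd64.zip", "vault_0.6.4_linux_386.zip",
             "vault_0.6.4_darwin_amd64.zip"]
    paths = [os.path.join(d, n) for n in names]
    for p, data in zip(paths, [b"constructed payload", b"tampered payload", b"x"]):
        with open(p, "wb") as f:
            f.write(data)
    sums = os.path.join(d, "vault_0.6.4_SHA256SUMS")
    with open(sums, "w") as f:
        f.write("%s  %s\n" % (sha256_of_file(paths[0]), names[0]))
        # listed digest for the 386 zip was computed over different bytes than the file on disk
        f.write("%s  %s\n" % (hashlib.sha256(b"original 386 payload").hexdigest(), names[1]))
    return tuple(verify_release(p, sums) for p in paths)  # (True, False, False)
```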
- 21. Vault development configuration
$ cat configuration/development.hcl
backend "file" {
  path = "data"
}
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
default_lease_ttl = "1h"
max_lease_ttl     = "2h"
disable_mlock     = true
- 29. Docker Compose Configuration
$ cat docker-compose.yml
---
version: '2'
services:
  db:
    image: "postgres:9.5.4"
    hostname: db
    env_file:
      - .env.db
    ports:
      - "9191:5432"
- 30. Start PostgreSQL
$ docker-compose up -d
$ docker-compose ps
   Name                Command                State           Ports
----------------------------------------------------------------------------
vault_db_1   /docker-entrypoint.sh postgres   Up      0.0.0.0:9191->5432/tcp
- 31. Mount the PostgreSQL backend
$ vault mount -path=postgresql-test \
    -default-lease-ttl=30m \
    -max-lease-ttl=12h \
    postgresql
Successfully mounted 'postgresql' at 'postgresql-test'!
- 32. Verify the PostgreSQL backend
$ vault mounts | head -n1 && vault mounts | grep postgresql
Path              Type        Default TTL  Max TTL  Description
postgresql-test/  postgresql  1800         43200
- 33. Establish connection between PostgreSQL and Vault
$ source .env.db
$ vault write postgresql-test/config/connection \
    connection_url="postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@0.0.0.0:9191/${POSTGRES_DB}?sslmode=disable"
- 34. Tell Vault how to create PostgreSQL users
SQL query in readable format
CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}'
  VALID UNTIL '{{expiration}}';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
- 35. Tell Vault how to create PostgreSQL users
$ vault write postgresql-test/roles/readonly \
    sql="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
Success! Data written to: postgresql-test/roles/readonly
- 36. Generate user with password
$ vault read -format=json postgresql-test/creds/readonly \
    | tee postgresql-user-credentials.json \
    | jq .
- 38. Connect to PostgreSQL
$ username=$(jq -r .data.username postgresql-user-credentials.json)
$ password=$(jq -r .data.password postgresql-user-credentials.json)
- 39. Connect to PostgreSQL
$ docker run --rm -it \
    --link=vault_db_1:db \
    --net vault_default \
    --env PGPASSWORD="${password}" \
    --env username="${username}" \
    --env POSTGRES_DB="${POSTGRES_DB}" \
    postgres:9.5.4 bash
> psql --host=db --username="${username}" "${POSTGRES_DB}"
- 40. User with password
> SELECT datname AS database,
         usename AS user
    FROM pg_stat_activity
   WHERE state = 'active';
 database |                    user
----------+--------------------------------------------
 vault    | root-45fb7d50-c99f-dd78-f3c5-e20b9636a300
(1 row)