HashiCorp's Vault - The Examples
•
9 likes•3,252 views
Get an overview of HashiCorp's Vault concepts. Learn how to start a Vault server. Learn how to use the Vault's postgresql backend. See an overview of the Vault's SSH backend integration. This presentation was held on the DigitalOcean Meetup in Berlin. Find more details here: https://www.meetup.com/DigitalOceanBerlin/events/237123195/
Report
Share
HashiCorp's Vault - The Examples
- 2. Introduction
- 5. Vault is a "simple" HTTP service
- 6. How to make secrets secure? ● encryption ● renewing ● revoking
- 7. How to make secrets secure? ● encryption ● renewing ● revoking
- 8. How to make secrets secure? ● encryption ● renewing ● revoking
- 9. How to make secrets secure? ● encryption ● renewing ● revoking
- 10. How to make secrets secure? ● encryption ● renewing ● revoking
- 11. "Install" Vault
- 12. Do you know PGP? keybase.io?
- 14. Download Vault # Download the 64bit binary curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_linux_amd64.zip" # Download checksums and signature curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_SHA256SUMS" curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_SHA256SUMS.sig" # Import the hashicorp public key curl "https://keybase.io/hashicorp/pgp_keys.asc" | gpg --import Sample link: https://releases.hashicorp.com/vault/0.6.4/
- 15. Download Vault # Verify the signature file is untampered. $ gpg2 --options $project_directory/.gnupg/gpg.conf --verify "vault_${vault_version}_SHA256SUMS.sig" "vault_${vault_version}_SHA256SUMS" # Verify the SHASUM matches the binary $ cat "vault_${vault_version}_SHA256SUMS" | grep "vault_${vault_version}_linux_amd64.zip" | shasum -a 256 -c -
- 16. Download Vault # Install Vault $ unzip "vault_${vault_version}_linux_amd64.zip"
- 17. Download Vault $ ./scripts/vault version Vault v0.6.4 ('f4adc7fa960ed8e828f94bc6785bcdbae8d1b263')
- 18. Add Vault to $PATH $ export PATH=$PATH:$PWD/scripts
- 19. Boot Vault
- 21. Vault development configuration $ cat configuration/development.hcl backend "file" { path = "data" } listener "tcp" { address = "127.0.0.1:8200" tls_disable = 1 } default_lease_ttl = "1h" max_lease_ttl = "2h" disable_mlock = true
- 22. Start Vault Server $ vault server -config=$PWD/configuration/development.hcl
- 23. Initialize Vault $ vault init -key-shares=1 -key-threshold=1
- 24. Unseal Vault Server $ vault unseal 4e02850adda5af588e290592d11d323fa1ce...
- 28. Docker Compose Configuration $ cat .env.db POSTGRES_USER=vault POSTGRES_PASSWORD=vault POSTGRES_DB=vault
- 29. Docker Compose Configuration $ cat docker-compose.yml --- version: '2' services: db: image: "postgres:9.5.4" hostname: db env_file: - .env.db ports: - "9191:5432"
- 30. Start PostgreSQL $ docker-compose ps Name Command State Ports ---------------------------------------------------------------------------- vault_db_1 /docker-entrypoint.sh postgres Up 0.0.0.0:9191->5432/tcp $ docker-compose up -d
- 31. Mount the PostgreSQL backend $ vault mount -path=postgresql-test -default-lease-ttl=30m -max-lease-ttl=12h Postgresql Successfully mounted 'postgresql' at 'postgresql-test'!
- 32. Verify the PostgreSQL backend $ vault mounts | head -n1 && vault mounts | grep postgresql Path Type Default TTL Max TTL Description postgresql-test/ postgresql 1800 43200
- 33. Establish connection between PostgreSQL and Vault $ source .env.db $ vault write postgresql-test/config/connection connection_url="postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@0.0.0.0:9191 /${POSTGRES_DB}?sslmode=disable"
- 34. Tell Vault how to create PostgreSQL users SQL query in readable format CREATE ROLE "{{name}}" WITH LOGIN PASSWORD "{{password}}" VALID UNTIL "{{expiration}}"; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
- 35. Tell Vault how to create PostgreSQL users $ vault write postgresql-test/roles/readonly sql="CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";" Success! Data written to: postgresql-test/roles/readonly
- 36. Generate user with password $ vault read -format=json postgresql-test/creds/readonly | tee postgresql-user-credentials.json | jq .
- 37. { "request_id": "b02b0a7f-9ea1-34f0-59fb-b25015114f5c", "lease_id": "postgresql-test/creds/readonly/40ff9937-8e6b-41c4-26c4-67e5c2be3024", "lease_duration": 3600, "renewable": true, "data": { "password": "130a6869-9e1a-94aa-c4ce-88bd5d7cc93e", "username": "root-42e196da-4b70-47cd-cc72-01fd791cdd84" }, "warnings": null } user with password - result
- 38. Connect to PostgreSQL $ username=$(jq -r .data.username postgresql-user-credentials.json) $ password=$(jq -r .data.password postgresql-user-credentials.json)
- 39. $ docker run --rm -it --link=vault_db_1:db --net vault_default --env PGPASSWORD="${password}" --env username="${username}" --env POSTGRES_DB="${POSTGRES_DB}" postgres:9.5.4 bash > psql --host=db --username="${username}" "${POSTGRES_DB}" Connect to PostgreSQL
- 40. > SELECT datname AS database, usename AS user FROM pg_stat_activity WHERE state = 'active'; database | user ---------+------------------------------------------- vault | root-45fb7d50-c99f-dd78-f3c5-e20b9636a300 (1 row) user with password
- 41. SSH Backend
- 42. Overview