vault简介
安装
在centos上安装
$ sudo yum install -y yum-utils
$ sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
$ sudo yum -y install vault在ubuntu上安装
$ sudo apt update && sudo apt install gpg
$ wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg >/dev/null
$ gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
$ echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vaultmac上安装
$ brew tap hashicorp/tap
$ brew install hashicorp/tap/vault
$ brew upgrade hashicorp/tap/vault # 升级windows上安装
choco install vault测试环境启动vault服务
这种用法仅限于测试环境,生产环境后面我们在说
开发模式启动
$ vault server -dev
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.
You may need to set the following environment variables:
$ export VAULT_ADDR='http://127.0.0.1:8200'
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Unseal Key: 910jSSp6agJyY0RNm2QnamUtv3IZNcdJp0DejDE3OvI=
Root Token: hvs.Wlq6tyxrx2kS5IQSJI1F7b1l !!!!!重要重要重要!!!!!
Development mode should NOT be used in production installations!
$ export VAULT_ADDR='http://127.0.0.1:8200' # 把vault服务地址写入环境变量
$ export VAULT_TOKEN='hvs.Wlq6tyxrx2kS5IQSJI1F7b1l' # 把root token写入环境变量可以开始测试vault了
这里我们先使用简单的kv引擎,kv存储引擎会以明文方式把信息放在内存里。vault还支持其他的secrets engine,后面再说。
写入信息
$ vault kv put -mount=secret hello foo=world # 向hello写入一个kv foo=world
== Secret Path ==
secret/data/hello
======= Metadata =======
Key Value
--- -----
created_time 2023-01-04T05:39:57.252132156Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
$ vault kv put -mount=secret hello foo=world excited=yes # 一次写入多个
== Secret Path ==
secret/data/hello
======= Metadata =======
Key Value
--- -----
created_time 2023-01-04T05:47:08.162563361Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 2读取信息
$ vault kv get -mount=secret hello # 读取
== Secret Path ==
secret/data/hello
======= Metadata =======
Key Value
--- -----
created_time 2023-01-04T05:47:08.162563361Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 2
===== Data =====
Key Value
--- -----
excited yes
foo world
$ vault kv get -mount=secret -field=excited hello # 读取excited
yes
$ vault kv get -mount=secret -field=foo hello # 读取foo
world删除信息
$ vault kv delete -mount=secret hello # 删除
Success! Data deleted (if it existed) at: secret/data/hello恢复删除的信息
$ vault kv undelete -mount=secret -versions=2 hello # 恢复删除的数据
Success! Data written to: secret/undelete/hello
$ vault kv get -mount=secret hello #读取
== Secret Path ==
secret/data/hello
======= Metadata =======
Key Value
--- -----
created_time 2023-01-04T05:47:08.162563361Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 2
===== Data =====
Key Value
--- -----
excited yes
foo worldsecrets存储引擎
启用secrets engine
$ vault secrets enable -path=kv kv
Success! Enabled the kv secrets engine at: kv/查看secrets engine
$ vault secrets list
Path Type Accessor Description
---- ---- -------- -----------
cubbyhole/ cubbyhole cubbyhole_4a6f3187 per-token private secret storage
identity/ identity identity_b7f7c47e identity store
kv/ kv kv_886c0760 n/a
secret/ kv kv_90394201 key/value secret storage
sys/ system system_1b527783 system endpoints used for control, policy and debugging写入信息
$ vault kv put kv/hello target=world
Success! Data written to: kv/hello
$ vault kv put kv/my-secret value="s3c(eT"
Success! Data written to: kv/hello读取
$ vault kv get kv/my-secret
==== Data ====
Key Value
--- -----
value s3c(eT删除
$ vault kv delete kv/my-secret
Success! Data deleted (if it existed) at: kv/my-secret关闭secret engine
$ vault secrets disable kv/
Success! Disabled the secrets engine (if it existed) at: kv/dynamic secrets
可以使用aws存储密码信息,vault远程读取。需要了解请参考官方文档。https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-dynamic-secrets
安全认证
这里主要有两种认证方式
- token认证
- github credentials认证
本文只关注token认证方式,需要了解github credential方式的,参考官方文档。https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-authentication
token认证方式默认出狱开启状态,dev模式启动vault时候,他会显示root token信息。vault命令行会从环境变量$VAULT_TOKEN中读取root token完成授权。因此,需要设置环境变量
$ export VAULT_TOKEN='hvs.Wlq6tyxrx2kS5IQSJI1F7b1l' # 把root token写入环境变量创建新的token
$ vault token create
Key Value
--- -----
token hvs.AH1OvBNx2EG76sp3OiIJq43Z
token_accessor Rf4yUJ16Q8nEUuTJsS7Z4zXQ
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]使用新token登录
$ unset VAULT_TOKEN # 注销掉之前的root token
$ vault login
Token (will be hidden): #此处输入上面的tokenhvs.AH1OvBNx2EG76sp3OiIJq43Z
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.AH1OvBNx2EG76sp3OiIJq43Z
token_accessor Rf4yUJ16Q8nEUuTJsS7Z4zXQ
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]注销token
$ vault token revoke hvs.AH1OvBNx2EG76sp3OiIJq43Z
Success! Revoked token (if it existed)生产环境部署vault
先取消VAULT_TOKEN
$ unset VAULT_TOKENvault配置文件config.hcl,内容
storage "raft" {
path = "./vault/data"
node_id = "node1"
}
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = "true"
}
api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
ui = true配置文件解释
- storage:指定vault存储的物理后端。dev模式服务使用inmem后端,这里我们使用raft后端,更佳适用于生产环境
- listener:监听地址,用于处理api请求。这里使用http://127.0.0.1:8200,我们只要设置环境变量
VAULT_ADDR=http://127.0.0.1:8200,vault客户端就可以连接了 - api_addr:指定处理客户请求的地址
- cluster_addr:指定vault node之间通信的地址和端口
启动服务
$ mkdir -p ./vault/data # 创建数据目录
$ vault server -config=config.hcl