Enable the KV secrets engine
# Enable versioning (KV v2). The first command mounts a new kv-v2 engine at kv/; the second upgrades an existing KV v1 mount at kv/ to v2.
$ vault secrets enable -path=kv kv-v2
or
$ vault kv enable-versioning kv/
Note: once versioning is enabled, the path used in policies and in API read/write calls must be prefixed with kv/data/ (for example kv/data/rsa/private/user); on an unversioned (KV v1) mount the prefix is just kv/.
ACL policy configuration
1. Default policy
# Allow every app to read the RSA public keys
path "kv/data/rsa/public/*" {
  capabilities = ["read"]
}
2. Per-application private policy
Example: policy for the user application
# Allow the app to read only its own RSA private key
path "kv/data/rsa/private/user" {
  capabilities = ["read"]
}
Example: policy for the devops application (can read and write every application's public and private keys)
# Full read/write access to all public keys
path "kv/data/rsa/public/*" {
  capabilities = ["create", "update", "read", "delete", "list"]
}
# Full read/write access to all private keys
path "kv/data/rsa/private/*" {
  capabilities = ["create", "update", "read", "delete", "list"]
}
Vault client calls
- vault CLI: the path does not need /data (the CLI inserts it for you, e.g. vault kv get kv/rsa/private/user)
- Java SDK: the path needs /data (e.g. kv/data/rsa/private/user), because the SDK calls the raw KV v2 API
# 1. Read data: if version is null or 0 the current version is read; the response carries the version number that was read
# (vaultApiTemplate is the wrapper used in these notes; path must include the /data/ segment on a v2 mount)
VaultResponse response = vaultApiTemplate.read(path, version);
# 2. Write data: each write creates a new version of the secret at path
Map<String, String> map = new HashMap<>();
map.put("key", "123456");
VaultResponse response = vaultApiTemplate.write(path, map);
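The following is an added example, not code from these notes or from HashiCorp: an offline Python model of the two things the notes above describe, namely how a KV mount maps a logical secret path to the API path a request actually hits (no prefix on v1, kv/data/ or kv/metadata/ on v2), and how Vault evaluates the default, user and devops policies against that path. The mount name kv, the trailing-"*" glob semantics and the three policies transcribed as dicts are the only assumptions; no Vault server is contacted. It also exposes a caveat the notes do not mention: on a v2 mount the "list" capability granted on kv/data/ does not cover `vault kv list`, which is served from kv/metadata/.

```python
# Added example (not from the original notes or from HashiCorp's code).
# Assumptions: mount named "kv", Vault's trailing-"*" glob matching, and the
# page's three policies transcribed as {path_pattern: [capabilities]}.
from typing import Dict, List, Set, Tuple

# On a KV v2 mount, reads/writes/deletes go through "data" and listing goes
# through "metadata". A KV v1 mount has no such prefix at all.
KV2_PREFIX = {"read": "data", "create": "data", "update": "data",
              "delete": "data", "list": "metadata"}


def api_path(mount: str, secret_path: str, op: str, versioned: bool) -> str:
    """Return the path the HTTP API (and therefore the ACL check) sees.

    The CLI inserts the prefix for you; an SDK calling the raw API must
    supply it, which is why the notes say the SDK path needs /data."""
    mount = mount.strip("/")
    secret_path = secret_path.strip("/")
    if not versioned:
        return f"{mount}/{secret_path}"
    return f"{mount}/{KV2_PREFIX[op]}/{secret_path}"


# Policies from the notes, transcribed.
DEFAULT_POLICY = {"kv/data/rsa/public/*": ["read"]}
USER_POLICY = {"kv/data/rsa/private/user": ["read"]}
DEVOPS_POLICY = {
    "kv/data/rsa/public/*": ["create", "update", "read", "delete", "list"],
    "kv/data/rsa/private/*": ["create", "update", "read", "delete", "list"],
}


def _matches(pattern: str, path: str) -> bool:
    # Vault treats only a trailing "*" as a wildcard (prefix match).
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def is_allowed(policies: List[Dict[str, List[str]]], op: str, path: str) -> bool:
    """Evaluate op on path the way Vault's ACL does: rules from all policies
    attached to the token are merged per pattern, an exact-path rule wins over
    globs, otherwise the longest matching glob applies, "deny" overrides, and
    a path with no matching rule is denied by default."""
    merged: Dict[str, Set[str]] = {}
    for policy in policies:
        for pattern, caps in policy.items():
            merged.setdefault(pattern, set()).update(caps)
    candidates = [p for p in merged if _matches(p, path)]
    if not candidates:
        return False
    exact = [p for p in candidates if not p.endswith("*")]
    chosen = exact[0] if exact else max(candidates, key=len)
    caps = merged[chosen]
    return "deny" not in caps and op in caps


def check(policies: List[Dict[str, List[str]]], op: str, secret_path: str,
          versioned: bool = True) -> Tuple[str, bool]:
    """Map a logical secret path to its API path and return (path, allowed)."""
    path = api_path("kv", secret_path, op, versioned)
    return path, is_allowed(policies, op, path)


if __name__ == "__main__":
    user_token = [DEFAULT_POLICY, USER_POLICY]      # token for the user app
    devops_token = [DEFAULT_POLICY, DEVOPS_POLICY]  # token for devops
    cases = [
        ("user reads its own private key", user_token, "read", "rsa/private/user", True),
        ("user reads another app's private key", user_token, "read", "rsa/private/order", True),
        ("user tries to update a public key", user_token, "update", "rsa/public/user", True),
        ("devops rotates a private key", devops_token, "update", "rsa/private/user", True),
        ("devops lists private keys (metadata path)", devops_token, "list", "rsa/private", True),
        ("v2-style policy applied on a v1 mount", user_token, "read", "rsa/private/user", False),
    ]
    for label, pols, op, sp, versioned in cases:
        path, ok = check(pols, op, sp, versioned)
        print(f"{label:44s} {op:6s} {path:30s} {'allow' if ok else 'deny'}")
```

Running the block prints one line per case; the two deny results worth noting are the devops list (the policy grants list on kv/data/rsa/private/*, but listing is served from kv/metadata/rsa/private, so a separate rule on kv/metadata/... is needed) and the v1 case, where the kv/data/ prefix in the policy never matches the unprefixed kv/rsa/private/user path.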