[vault] Common Commands

Author: 不务正业的coder | Source: published 2021-03-22 14:36, read 0 times

    Start the Vault server

    # -dev runs a single in-memory, already-unsealed node and prints a root token; for local testing only
    vault server -dev
    export VAULT_ADDR='http://127.0.0.1:8200'
    # the root token printed by the dev server
    export VAULT_TOKEN="s.XmpNPoi9sRhYtdKHaQhkHP6x"
    

    Enable the KV secrets engine

    vault secrets enable -path=kv
    # Versioned KV (kv-v2): either mount it as v2 directly, or upgrade an existing v1 mount
    (1) vault secrets enable -path=kv kv-v2
    (2) vault kv enable-versioning kv/
    

    List the secrets engines

    ➜  ~ vault secrets list
    Path          Type         Accessor              Description
    ----          ----         --------              -----------
    cubbyhole/    cubbyhole    cubbyhole_b6b3c999    per-token private secret storage
    identity/     identity     identity_cd676d4a     identity store
    kv/           kv           kv_b591ce58           n/a
    secret/       kv           kv_e95dfadc           key/value secret storage
    sys/          system       system_69354e39       system endpoints used for control, policy and debugging
    

    Write KV data

    # On a kv-v2 mount the CLI inserts data/ after the mount point by itself, so the path you type
    # should not contain it; typed as below, the key is actually stored at kv/data/data/rsa/public/card
    ➜  ~ vault kv put kv/data/rsa/public/card key=333
    Key              Value
    ---              -----
    created_time     2021-03-18T09:31:09.268356Z
    deletion_time    n/a
    destroyed        false
    version          1
    

    Read KV data

    ➜  ~ vault kv get kv/data/rsa/public/card
    ====== Metadata ======
    Key              Value
    ---              -----
    created_time     2021-03-18T09:31:09.268356Z
    deletion_time    n/a
    destroyed        false
    version          1
    
    === Data ===
    Key    Value
    ---    -----
    

    Create an ACL policy

    # load the policy from a local HCL file
    ➜ ~ vault policy write guardplus ~/tmp/guardplus.hcl
    

    List policies

    ➜  ~ vault policy list
    default
    guardplus
    registryplus
    swaggerplus
    root
    

    Show policy details

    ➜  ~ vault policy read swaggerplus
    path "kv/data/rsa/private/swaggerplus" {
      capabilities=["read"]
    }
    ➜  ~
    
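    The policy above names the API path kv/data/rsa/private/swaggerplus, while the earlier `vault kv put` was typed with kv/data/... as well. The two are not the same thing: a policy always names the raw API path, and on a kv-v2 mount the CLI inserts data/ for you. The added example below (not from the original post, and not Vault's own code) models Vault's documented policy precedence (exact path beats glob, longer match wins, deny overrides) with a small parser for the `path "..." { capabilities = [...] }` stanzas on this page, and checks the page's own commands against the swaggerplus policy shown above and a hypothetical guardplus.hcl (the page loads that file but never shows it). The CLI-to-API path translation it performs is the one `vault kv` applies to a v2 mount.

```python
import re
from collections import defaultdict

# Constructed copy of the swaggerplus policy printed by `vault policy read` on this page.
SWAGGERPLUS_HCL = '''
path "kv/data/rsa/private/swaggerplus" {
  capabilities=["read"]
}
'''

# Hypothetical content for ~/tmp/guardplus.hcl (the page loads that file but never shows it).
GUARDPLUS_HCL = '''
path "kv/data/rsa/private/guardplus" {
  capabilities = ["read"]
}
path "kv/data/rsa/private/*" {
  capabilities = ["deny"]
}
path "kv/data/rsa/public/+" {
  capabilities = ["read"]
}
path "kv/data/creds" {
  capabilities = ["create", "update"]
}
'''

RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]')


def parse_policy(hcl: str) -> dict:
    """Minimal parser for the `path "..." { capabilities = [...] }` stanzas used on the page.
    Returns {path_pattern: set_of_capabilities}; other HCL features are not handled."""
    rules = {}
    for pattern, caps in RULE_RE.findall(hcl):
        names = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
        rules.setdefault(pattern, set()).update(names)
    return rules


def _pattern_regex(pattern: str):
    """Turn a Vault path pattern into a regex: a trailing `*` is a prefix glob,
    `+` matches exactly one path segment, everything else is literal."""
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    rx = "".join("[^/]+" if part == "+" else re.escape(part) for part in re.split(r"(\+)", body))
    return re.compile("^" + rx + (".*" if glob else "") + "$")


def allowed(policies, path: str, capability: str) -> bool:
    """True if the union of `policies` grants `capability` on the API path `path`.
    Approximates Vault's documented precedence: an exact path rule beats a glob rule,
    a longer match beats a shorter one, and `deny` on the winning rule overrides everything."""
    merged = defaultdict(set)
    for policy in policies:
        for pattern, caps in policy.items():
            merged[pattern] |= caps
    winner, winner_key = None, None
    for pattern, caps in merged.items():
        if _pattern_regex(pattern).match(path):
            literal = pattern.rstrip("*").replace("+", "")
            key = (not pattern.endswith("*"), len(literal))
            if winner_key is None or key > winner_key:
                winner, winner_key = caps, key
    if winner is None or "deny" in winner:
        return False
    return capability in winner


def kv_api_path(mount: str, cli_path: str, versioned: bool, section: str = "data") -> str:
    """Translate the path typed after `vault kv put/get` into the API path a policy must name.
    On a kv-v2 mount the CLI inserts data/ (or metadata/) after the mount point; kv-v1 inserts nothing.
    A data/ you typed yourself is not stripped, which is how kv/data/data/... paths come about."""
    mount = mount.strip("/") + "/"
    rel = cli_path[len(mount):] if cli_path.startswith(mount) else cli_path
    return f"{mount}{section}/{rel}" if versioned else f"{mount}{rel}"


def check_page_commands() -> dict:
    """Evaluate the page's own commands against the two policies."""
    swagger, guard = parse_policy(SWAGGERPLUS_HCL), parse_policy(GUARDPLUS_HCL)
    card_path = kv_api_path("kv", "kv/data/rsa/public/card", versioned=True)   # the page's `vault kv put`
    return {
        "card_api_path": card_path,
        "swagger_reads_own_key": allowed([swagger], "kv/data/rsa/private/swaggerplus", "read"),
        "swagger_reads_guard_key": allowed([swagger], "kv/data/rsa/private/guardplus", "read"),
        "swagger_rotates_own_key": allowed([swagger], "kv/data/rsa/private/swaggerplus", "update"),
        "guard_reads_own_key": allowed([guard], "kv/data/rsa/private/guardplus", "read"),   # exact beats deny glob
        "guard_reads_swagger_key": allowed([guard], "kv/data/rsa/private/swaggerplus", "read"),
        "guard_reads_public_card": allowed([guard], "kv/data/rsa/public/card", "read"),
        "guard_reads_doubled_path": allowed([guard], card_path, "read"),   # the mistyped path is covered by nothing
        "guard_writes_creds": allowed([guard], kv_api_path("kv", "kv/creds", True), "update"),  # the page's token write
    }


if __name__ == "__main__":
    for name, value in check_page_commands().items():
        print(f"{name:26} {value}")
```

    The useful output is the doubled path: the key written by the page's `vault kv put kv/data/rsa/public/card` sits at kv/data/data/rsa/public/card, which no policy written for kv/data/rsa/... will ever match, so a token that "should" read it gets permission denied. Writing policies against the API path and typing the logical path at the CLI avoids the confusion.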

    Create a token bound to a policy

    ➜  ~ vault token create -policy=guardplus
    Key                  Value
    ---                  -----
    token                s.PvPiW1awHXpdoqMbnaLpmyzw
    token_accessor       IpUqjNnbggTe71nKozPda7zK
    token_duration       768h
    token_renewable      true
    token_policies       ["default" "guardplus"]
    identity_policies    []
    policies             ["default" "guardplus"]
    # write data with that token (guardplus must grant create/update on kv/data/creds for this to succeed)
    ➜  ~ VAULT_TOKEN=s.PvPiW1awHXpdoqMbnaLpmyzw vault kv put kv/creds password="my-long-password"
    

    List auth methods

    ➜  ~ vault auth list
    Path        Type       Accessor                 Description
    ----        ----       --------                 -----------
    approle/    approle    auth_approle_aecb2c85    n/a
    token/      token      auth_token_ead59e09      token based credentials
    ➜  ~
    

    Enable the AppRole auth method

    ➜ ~ vault auth enable approle
    

    Create a role for the application

    # the role name is the application name
    # bind_secret_id=true: login needs a secret_id as well as the role_id
    # secret_id_num_uses=0: a secret_id can be used any number of times (0 = unlimited)
    # token_num_uses=100: each issued token is good for 100 requests
    # token_ttl / token_max_ttl: tokens live 10m and cannot be renewed past 10m
    ➜  ~ vault write auth/approle/role/guardplus \
    bind_secret_id=true \
    secret_id_num_uses=0 \
    token_num_uses=100 \
    token_ttl=10m \
    token_max_ttl=10m \
    policies=guardplus
    Success! Data written to: auth/approle/role/guardplus
    

    Look up the role ID

    ➜  ~ vault read auth/approle/role/guardplus/role-id
    Key        Value
    ---        -----
    role_id    9dd81570-7e2d-9cd3-8352-217316ac8b17
    

    Create a secret ID

    # the role must already exist, otherwise this fails
    ➜  ~ vault write -f auth/approle/role/guardplus/secret-id
    
    Key                   Value
    ---                   -----
    secret_id             6423ddff-59c8-0852-8e8b-b5589c7f6b59
    secret_id_accessor    e9f2dfa8-18c1-e4e5-730b-f357dc642e8c
    

    Put the role ID and secret ID into environment variables

    ➜ ~ export ROLE_ID="$(vault read -field=role_id auth/approle/role/guardplus/role-id)"
    
    ➜ ~ export SECRET_ID="$(vault write -f -field=secret_id auth/approle/role/guardplus/secret-id)"
    
    # log in with both; the response contains the client token for the application
    ➜ ~ vault write auth/approle/login role_id="$ROLE_ID" secret_id="$SECRET_ID"
    

    Check the default token TTL

    ➜  ~ vault read sys/auth/token/tune
    Key                  Value
    ---                  -----
    default_lease_ttl    768h
    description          token based credentials
    force_no_cache       false
    max_lease_ttl        768h
    token_type           default-service
    
    

    The default is 32 days (768h); it can be overridden:

    ➜  ~ vault write sys/auth/token/tune default_lease_ttl=700h max_lease_ttl=720h
    
    Success! Data written to: sys/auth/token/tune
    ➜  ~ vault read sys/auth/token/tune
    Key                  Value
    ---                  -----
    default_lease_ttl    700h
    description          token based credentials
    force_no_cache       false
    max_lease_ttl        720h
    token_type           default-service
    ➜  ~
    

    Count tokens

    vault read sys/internal/counters/tokens
    

    Difference between parent and child tokens:

    Every token has its own lifetime. If, say, the parent token has a TTL of 1h and the child token 3h, then when the parent expires after one hour the child expires with it, even though it still has two hours left.

    Difference between token TTL and max TTL

    If a token is renewable, it can be renewed, but its total lifetime is not allowed to exceed the max TTL; once the max TTL is reached it cannot be renewed any further.
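    The two rules above, plus the token_num_uses / token_ttl / token_max_ttl settings from the AppRole role created earlier, are easy to get wrong when reasoning about an incident ("why did the application's token die with 2h left?"). The added example below is a constructed model, not Vault's code: it runs the page's parent-1h / child-3h case and the role's 10m/10m/100-uses case on a plain seconds clock, with the times chosen here as assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Token:
    """Constructed model of a Vault token's lifetime (not Vault's own implementation).
    All times are plain seconds on a constructed clock."""
    name: str
    created: int
    ttl: int                       # initial TTL (token_ttl on the page's role)
    max_ttl: int                   # hard ceiling measured from creation (token_max_ttl)
    parent: Optional["Token"] = None
    num_uses: int = 0              # 0 = unlimited (token_num_uses on the page's role)
    renewable: bool = True
    expires: int = field(init=False)
    uses_left: int = field(init=False)
    children: List["Token"] = field(default_factory=list)

    def __post_init__(self):
        self.expires = self.created + self.ttl
        self.uses_left = self.num_uses
        if self.parent is not None:
            self.parent.children.append(self)

    def hard_stop(self) -> int:
        return self.created + self.max_ttl

    def is_valid(self, now: int) -> bool:
        """Usable only while not expired, with uses left, and with the whole parent chain alive:
        when the parent expires every child goes with it, whatever the child's own remaining TTL."""
        if now >= self.expires or (self.num_uses and self.uses_left <= 0):
            return False
        return self.parent is None or self.parent.is_valid(now)

    def remaining(self, now: int) -> int:
        return self.expires - now if self.is_valid(now) else 0

    def renew(self, now: int, increment: int) -> Optional[int]:
        """Renewal pushes expiry forward by `increment` but never past created + max_ttl.
        Returns the new remaining TTL, or None when the token is dead or not renewable."""
        if not self.renewable or not self.is_valid(now):
            return None
        self.expires = max(self.expires, min(now + increment, self.hard_stop()))
        return self.expires - now

    def use(self, now: int) -> bool:
        """Spend one use (one request); False if the token could not be used."""
        if not self.is_valid(now):
            return False
        if self.num_uses:
            self.uses_left -= 1
        return True


def page_scenario() -> dict:
    """The page's rules on a constructed clock. Returns the observations as a dict."""
    H, M = 3600, 60
    out = {}
    # 1. Parent 1h, child 3h (the page's example): the child dies with the parent.
    parent = Token("parent", created=0, ttl=1 * H, max_ttl=2 * H)
    child = Token("child", created=0, ttl=3 * H, max_ttl=3 * H, parent=parent)
    out["child_left_at_59m"] = child.remaining(59 * M)            # 7260: the child itself has 2h01m
    out["child_valid_at_1h_unrenewed"] = child.is_valid(1 * H)    # False: parent expired at 1h
    # 2. Renewing the parent before it expires keeps the child alive, up to the parent's max TTL.
    out["renew_parent_at_30m"] = parent.renew(30 * M, 1 * H)      # 3600: parent now expires at 1h30
    out["child_valid_at_1h_renewed"] = child.is_valid(1 * H)      # True
    out["renew_parent_at_70m"] = parent.renew(70 * M, 1 * H)      # 3000: capped at max_ttl = 2h
    out["renew_parent_at_2h"] = parent.renew(2 * H, 1 * H)        # None: max TTL reached, no more renewals
    out["child_valid_at_2h"] = child.is_valid(2 * H)              # False, although the child has 1h left
    # 3. The page's AppRole role: token_ttl = token_max_ttl = 10m, token_num_uses = 100.
    app = Token("guardplus", created=0, ttl=10 * M, max_ttl=10 * M, num_uses=100)
    out["app_renew_at_5m"] = app.renew(5 * M, 10 * M)             # 300: renewal cannot pass 10m
    out["app_uses_ok"] = all(app.use(6 * M) for _ in range(100))  # True: 100 requests fit
    out["app_101st_use"] = app.use(6 * M)                         # False: num_uses exhausted
    return out


if __name__ == "__main__":
    for name, value in page_scenario().items():
        print(f"{name:30} {value}")
```

    The practical reading: with token_ttl equal to token_max_ttl, renewal buys nothing and the application has to log in again with its role_id and secret_id every 10 minutes, and any token it derives from that login inherits the same hard stop through the parent chain.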

    Article link: https://www.haomeiwen.com/subject/lkjpcltx.html