Common Vault Operations
HashiCorp Vault is an identity-based secrets and encryption management system used to tightly control access to sensitive data such as API keys, passwords and certificates. Below are some common Vault operations.
Login
```plaintext
$ export VAULT_ADDR='http://your-vault-address:8200'
```
Secret operations
- Secrets engine: KV
- Path: region/cluster/project/application
- Key: devops-api
- Field: k-name
- Value: k-value
Check the current token's permissions
```plaintext
$ vault token lookup
```
Create a KV engine
```plaintext
# version 2 is needed by the patch, metadata and rollback commands used below
$ vault secrets enable \
    -path=/git-av \
    -description "k/v engine for the quickstart guide" \
    -version=2 \
    kv
```
List all secrets engines
```plaintext
$ vault secrets list
```
Create or update a key
```plaintext
$ vault kv put git-av/devops-api/k8s-test/test a=b
```
List keys
```plaintext
$ vault kv list git-av/devops-api/k8s-test/
```
Add a field
```plaintext
$ vault kv patch git-av/devops-api/k8s-test/test d=b
```
Delete a field
```plaintext
$ vault kv patch git-av/devops-api/k8s-test/test d=null
```
Read a key's contents
```plaintext
$ vault kv get git-av/devops-api/k8s-test/test
```
Delete a key
```plaintext
$ vault kv delete git-av/devops-api/k8s-test/test
$ vault kv metadata delete git-av/kratos-api/k8s-test/test
```
Disable a KV secrets engine
```plaintext
$ vault secrets disable git-av
```
List the versions of a key
```plaintext
$ vault kv metadata get git-av/devops-api/k8s-test/test
```
Roll back to a specific version
```plaintext
$ vault kv rollback -version 6 git-av/devops-api/k8s-test/test
```
Permission management
Create a policy
```plaintext
$ vault policy write jenkins-policy - <<EOF
path "global/services/app/prod/kv/*" {
  capabilities = ["read"]
}
path "global/services/app/stage/kv/*" {
  capabilities = ["read"]
}
EOF
```
The path in a policy refers to the key path.
Read a policy
```plaintext
$ vault policy read jenkins-policy
```
View roles
```plaintext
$ vault auth list
$ vault list auth/approle/role
$ vault read auth/approle/role/jenkins
$ vault read auth/approle/role/jenkins/role-id
```
Update a role key (generate a new secret ID)
```plaintext
$ vault write -f auth/approle/role/devops-readonly/secret-id
```
Create an AppRole for Jenkins
5.1 Enable AppRole
```plaintext
$ vault auth enable approle
```
5.2 Policy
```plaintext
$ vault policy write jenkins-policy - <<EOF
```
5.3 Add the AppRole
```plaintext
$ vault write auth/approle/role/jenkins \
```
When secret_id_ttl=0s and secret_id_num_uses=0, the secret ID never expires.
5.4 Update the secret_id_num_uses field
```plaintext
vault write auth/approle/role/jenkins \
```
5.5 Get the role ID and secret ID
```plaintext
vault read auth/approle/role/jenkins/role-id
vault write -f auth/approle/role/jenkins/secret-id
```
5.6 Log in with AppRole
```plaintext
vault write auth/approle/login \
```
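As an added example (not code from the original post), the script below carries steps 5.3 to 5.6 through with bounded SecretID settings and refuses the never-expiring secret_id_ttl=0s / secret_id_num_uses=0 combination mentioned above. It assumes AppRole is enabled (5.1), the jenkins-policy from 5.2 exists, and VAULT_ADDR plus an administrative token are set in the environment; the function names, the 24h/5 defaults and the script file name are my own choices.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Hardened AppRole setup for Jenkins:
# SecretIDs get a finite TTL and use count instead of the never-expiring
# secret_id_ttl=0s / secret_id_num_uses=0 combination.
set -eu

# Returns 0 if the pair bounds a SecretID's lifetime, 1 if it never expires.
secret_id_is_bounded() {
  ttl="$1"; num_uses="$2"
  case "$ttl" in
    0|0s|0m|0h) ;;     # unbounded TTL: only a use limit can still bound it
    *) return 0 ;;     # any finite TTL bounds the SecretID
  esac
  [ "$num_uses" -gt 0 ]
}

# Create or update the role; refuses the unbounded combination so the weak
# setting cannot be applied by accident. Defaults (24h, 5 uses) are assumptions.
create_jenkins_role() {
  ttl="${1:-24h}"; num_uses="${2:-5}"
  if ! secret_id_is_bounded "$ttl" "$num_uses"; then
    echo "refusing: secret_id_ttl=$ttl secret_id_num_uses=$num_uses never expires" >&2
    return 1
  fi
  vault write auth/approle/role/jenkins \
    token_policies="jenkins-policy" \
    token_ttl=1h \
    token_max_ttl=4h \
    secret_id_ttl="$ttl" \
    secret_id_num_uses="$num_uses"
}

# Steps 5.5 and 5.6: read the RoleID, mint one SecretID, exchange both for a
# token. -field avoids parsing the table output; the token is printed to stdout.
approle_login() {
  role_id=$(vault read -field=role_id auth/approle/role/jenkins/role-id)
  secret_id=$(vault write -f -field=secret_id auth/approle/role/jenkins/secret-id)
  vault write -field=token auth/approle/login \
    role_id="$role_id" secret_id="$secret_id"
}

# Run the whole procedure only when invoked as: sh approle-jenkins.sh run
if [ "${1:-}" = "run" ]; then
  create_jenkins_role 24h 5
  approle_login
fi
```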
Service management
- Initialize Vault
```plaintext
$ vault operator init
```
- Seal
```plaintext
vault operator seal
```
- Unseal
```plaintext
vault operator unseal <key1>
vault operator unseal <key2>
vault operator unseal <key3>
```
- Generate new unseal keys
```plaintext
vault operator rekey
```
Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. When reposting, please credit Michael Blog!