Using Vault to manage all kinds of server passwords

楚天乐 · 2245 · 2 comments

Introduction to Vault

Installation

Installing on CentOS

$ sudo yum install -y yum-utils
$ sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
$ sudo yum -y install vault

Installing on Ubuntu

$ sudo apt update && sudo apt install gpg
$ wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg >/dev/null
$ gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
$ echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
$ sudo apt update && sudo apt install vault

Installing on macOS

$ brew tap hashicorp/tap
$ brew install hashicorp/tap/vault
$ brew upgrade hashicorp/tap/vault # upgrade

Installing on Windows

choco install vault

Starting the Vault server in a test environment

This way of running Vault is only for test environments; production deployment is covered later.

Starting in dev mode

$ vault server -dev
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variables:

    $ export VAULT_ADDR='http://127.0.0.1:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: 910jSSp6agJyY0RNm2QnamUtv3IZNcdJp0DejDE3OvI=
Root Token: hvs.Wlq6tyxrx2kS5IQSJI1F7b1l                       !!!!! IMPORTANT IMPORTANT IMPORTANT !!!!!

Development mode should NOT be used in production installations!

$ export VAULT_ADDR='http://127.0.0.1:8200'          # put the Vault server address in an environment variable
$ export VAULT_TOKEN='hvs.Wlq6tyxrx2kS5IQSJI1F7b1l'  # put the root token in an environment variable

Now we can start testing Vault.

Here we start with the simple kv engine; the kv secrets engine keeps the data in memory in plaintext. Vault also supports other secrets engines, which are covered later.

Writing data

$ vault kv put -mount=secret hello foo=world # write one key/value pair, foo=world, to hello
== Secret Path ==
secret/data/hello

======= Metadata =======
Key                Value
---                -----
created_time       2023-01-04T05:39:57.252132156Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

$ vault kv put -mount=secret hello foo=world excited=yes # write several pairs at once
== Secret Path ==
secret/data/hello

======= Metadata =======
Key                Value
---                -----
created_time       2023-01-04T05:47:08.162563361Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

Reading data

$ vault kv get -mount=secret hello # read
== Secret Path ==
secret/data/hello

======= Metadata =======
Key                Value
---                -----
created_time       2023-01-04T05:47:08.162563361Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

===== Data =====
Key        Value
---        -----
excited    yes
foo        world

$ vault kv get -mount=secret -field=excited hello # read only the excited field
yes

$ vault kv get -mount=secret -field=foo hello # read only the foo field
world

Deleting data

$ vault kv delete -mount=secret hello # delete
Success! Data deleted (if it existed) at: secret/data/hello

Restoring deleted data

$ vault kv undelete -mount=secret -versions=2 hello # restore the deleted version
Success! Data written to: secret/undelete/hello

$ vault kv get -mount=secret hello # read
== Secret Path ==
secret/data/hello

======= Metadata =======
Key                Value
---                -----
created_time       2023-01-04T05:47:08.162563361Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

===== Data =====
Key        Value
---        -----
excited    yes
foo        world

Secrets engines

Enabling a secrets engine

$ vault secrets enable -path=kv kv
Success! Enabled the kv secrets engine at: kv/

Listing secrets engines

$ vault secrets list
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_4a6f3187    per-token private secret storage
identity/     identity     identity_b7f7c47e     identity store
kv/           kv           kv_886c0760           n/a
secret/       kv           kv_90394201           key/value secret storage
sys/          system       system_1b527783       system endpoints used for control, policy and debugging

Writing data

$ vault kv put kv/hello target=world
Success! Data written to: kv/hello

$ vault kv put kv/my-secret value="s3c(eT"
Success! Data written to: kv/my-secret

Reading

$ vault kv get kv/my-secret
==== Data ====
Key      Value
---      -----
value    s3c(eT

Deleting

$ vault kv delete kv/my-secret
Success! Data deleted (if it existed) at: kv/my-secret

Disabling a secrets engine

$ vault secrets disable kv/
Success! Disabled the secrets engine (if it existed) at: kv/

Dynamic secrets

Credential information can be kept in AWS and read remotely by Vault. For details, see the official documentation: https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-dynamic-secrets

Authentication

There are two main authentication methods covered here:

  • token authentication
  • GitHub credentials authentication

This article only covers token authentication; for the GitHub credentials method, see the official documentation: https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-authentication

Token authentication is enabled by default. When Vault is started in dev mode it prints the root token, and the vault CLI reads the token from the $VAULT_TOKEN environment variable to authenticate, so that variable has to be set:

$ export VAULT_TOKEN='hvs.Wlq6tyxrx2kS5IQSJI1F7b1l'  # put the root token in an environment variable

Creating a new token

$ vault token create
Key                  Value
---                  -----
token                hvs.AH1OvBNx2EG76sp3OiIJq43Z
token_accessor       Rf4yUJ16Q8nEUuTJsS7Z4zXQ
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Logging in with the new token

$ unset VAULT_TOKEN # discard the root token used so far

$ vault login
Token (will be hidden): # enter the token created above, hvs.AH1OvBNx2EG76sp3OiIJq43Z
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                hvs.AH1OvBNx2EG76sp3OiIJq43Z
token_accessor       Rf4yUJ16Q8nEUuTJsS7Z4zXQ
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Revoking a token

$ vault token revoke hvs.AH1OvBNx2EG76sp3OiIJq43Z
Success! Revoked token (if it existed)
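The token created above carries the "root" policy, so it is no safer than the root token it replaces. The following script is an added example (not from the original post): it builds a least-privilege policy for the post's KV v2 secret (mount "secret", key "hello") and mints a short-lived token from it. The policy name and TTL in the usage comment are hypothetical choices.

```shell
#!/bin/sh
# Added example, not from the original post: the token created above carries
# the "root" policy, so it is no safer than the root token it replaces.
# This builds a least-privilege KV v2 policy for one secret (the post's
# mount "secret" and key "hello") and mints a short-lived token from it.
# Policy name and TTL are hypothetical choices.

# Emit an HCL policy for MOUNT/KEY that allows only the listed operations.
# KV v2 serves each operation on its own API path (secret/data/hello,
# secret/undelete/hello, ... as seen in the CLI output above), so a rule on
# "secret/hello" alone would grant nothing.
kv2_policy() {
  mount="$1"; key="$2"; shift 2
  data_caps=""; undelete=""
  for op in "$@"; do
    case "$op" in
      read)     data_caps="$data_caps read" ;;
      write)    data_caps="$data_caps create update" ;;
      delete)   data_caps="$data_caps delete" ;;
      undelete) undelete=yes ;;
      *) echo "kv2_policy: unknown operation '$op'" >&2; return 1 ;;
    esac
  done
  if [ -n "$data_caps" ]; then
    caps=$(printf '"%s", ' $data_caps); caps="${caps%, }"
    printf 'path "%s/data/%s" {\n  capabilities = [%s]\n}\n' "$mount" "$key" "$caps"
  fi
  if [ -n "$undelete" ]; then
    printf 'path "%s/undelete/%s" {\n  capabilities = ["update"]\n}\n' "$mount" "$key"
  fi
}

# Needs a reachable Vault (VAULT_ADDR plus a token allowed to write policies);
# not run in this script. Usage: mint_scoped_token hello-reader 1h
mint_scoped_token() {
  kv2_policy secret hello read undelete | vault policy write "$1" -
  # a non-root token that expires on its own instead of token_duration = infinity
  vault token create -policy="$1" -ttl="$2" -field=token
}

kv2_policy secret hello read undelete   # print the policy for the post's secret
```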

Deploying Vault in production

First unset VAULT_TOKEN

$ unset VAULT_TOKEN

The Vault configuration file config.hcl, with the following contents:

storage "raft" {
  path    = "./vault/data"
  node_id = "node1"
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}

api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
ui = true

Configuration explained

  • storage: the physical backend where Vault stores its data. The dev-mode server uses the inmem backend; here we use the raft backend, which is better suited to production.
  • listener: the address to listen on for API requests. Here it is http://127.0.0.1:8200; once the environment variable VAULT_ADDR=http://127.0.0.1:8200 is set, the vault client can connect.
  • api_addr: the address that handles client requests.
  • cluster_addr: the address and port used for communication between Vault nodes.

Starting the server

$ mkdir -p ./vault/data # create the data directory
$ vault server -config=config.hcl
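Before starting a server from a config like the one above, it is worth checking it for the dev-mode defaults that should not reach production. The script below is an added example (not from the original post) that audits a config.hcl with sed and grep only, so it runs offline; the demo config embedded in it is a constructed copy of the post's file.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Vault server config
# such as the config.hcl above before starting the server. Only sed and
# grep are used, so it runs offline; the demo config below is constructed.

# Print one finding per line for the config FILE; exit status 1 if any.
audit_vault_config() {
  # Strip comments and quotes and squeeze whitespace so that
  # tls_disable = "true" and tls_disable = true are handled alike.
  cfg=$(sed -e 's/#.*//' -e 's/"//g' -e 's/[[:space:]][[:space:]]*/ /g' "$1")
  rc=0
  if printf '%s\n' "$cfg" | grep -Eq '^ *storage +inmem'; then
    echo "storage inmem: the dev-mode backend, all data is lost on restart"
    rc=1
  fi
  addr=$(printf '%s\n' "$cfg" | sed -n 's/^ *address *= *\([^ ]*\).*/\1/p' | head -n 1)
  addr=${addr:-unknown}
  if printf '%s\n' "$cfg" | grep -Eq '^ *tls_disable *= *(true|1)'; then
    # tokens (including the root token) and secrets cross this listener in clear
    echo "tls_disable: listener $addr accepts plaintext HTTP"
    rc=1
    case "$addr" in
      127.*|localhost:*|\[::1\]:*) ;;   # loopback only, as in the post's config
      *) echo "exposed: plaintext listener on non-loopback address $addr"; rc=1 ;;
    esac
  elif ! printf '%s\n' "$cfg" | grep -q '^ *tls_cert_file *='; then
    echo "tls_cert_file: TLS is on but no certificate is configured"
    rc=1
  fi
  return $rc
}

# Demo on a constructed copy of the post's config.hcl.
demo=$(mktemp)
cat >"$demo" <<'EOF'
storage "raft" {
  path    = "./vault/data"
  node_id = "node1"
}
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}
api_addr = "http://127.0.0.1:8200"
EOF
audit_vault_config "$demo" || echo "config needs attention before production"
rm -f "$demo"
```

On the post's config the only finding is the disabled TLS on the loopback listener; binding the same listener to 0.0.0.0 would add the "exposed" finding.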


Latest reader comments (2)

Dear independent blogger, your blog has been indexed by 博客乌托邦 (Blog Utopia), a Chinese aggregation and search platform for independent blog articles. If you have any questions, you can leave a message at https://utopiablog.cn. Happy New Year!

January 19th, 2023
any

Liberate Hong Kong, revolution of our times

August 10th, 2023