Official site:
https://www.vaultproject.io/
Python client:
https://github.com/hvac/hvac
Docker image:
https://hub.docker.com/_/vault/
Installation:
docker run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"listener": {"tcp": {"address": "0.0.0.0:8200", "tls_disable":"1"}},"backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h" , "ui":"true"}' -v /home/vault/logs:/vault/logs -v /home/vault/file:/vault/file -p 8200:8200 -d vault server
After Vault starts, open http://ip:8200 in a browser to initialize it and obtain the root token and unseal key.
Initial Root Token
cbf1579b-4981-d5ae-5b37-5235d1f158f9
Key 1
+QFq6wANH73JPcbub5T8Y7AZbib0uMMXBtV0YbmCG2M=
Complete the unseal operation in the UI, or run vault operator unseal.
export VAULT_ADDR='http://127.0.0.1:8200'
vault login cbf1579b-4981-d5ae-5b37-5235d1f158f9
vault kv get secret/xxxx
Create a policy named app.
Enable approle; access can then be authenticated through AppRole.
export VAULT_TOKEN=cbf1579b-4981-d5ae-5b37-5235d1f158f9
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data '{"type": "approle"}' \
http://10.21.88.225:8200/v1/sys/auth/approle
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data '{"policies": ["app"]}' \
http://10.21.88.225:8200/v1/auth/approle/role/app
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
http://10.21.88.225:8200/v1/auth/approle/role/app/role-id
"role_id":"fe5e5650-a3a3-fca3-904a-5bf0c3e9898f"
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
http://10.21.88.225:8200/v1/auth/approle/role/app/secret-id
{"secret_id":"25859baa-d345-c317-4dfc-5b8cce3e531e","secret_id_accessor":"69f4507b-8872-b9cc-f7c9-7304b5e26f66"}
curl \
--request POST \
--data '{"role_id": "fe5e5650-a3a3-fca3-904a-5bf0c3e9898f", "secret_id": "25859baa-d345-c317-4dfc-5b8cce3e531e"}' \
http://10.21.88.225:8200/v1/auth/approle/login
{"client_token":"0f7d3bc2-0f4e-896b-9da3-cd5b1d0c8a5e"
curl \
-H "X-Vault-Token: 0f7d3bc2-0f4e-896b-9da3-cd5b1d0c8a5e" \
-X GET \
http://10.21.88.225:8200/v1/secret/cmdbapi
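The same AppRole bootstrap as the curl sequence above (create the app policy, enable approle, create the role, fetch role_id and secret_id, log in, read secret/cmdbapi), as an added example using only the Python standard library; it is not code from the original note or from the hvac project. Assumptions: VAULT_ADDR and VAULT_TOKEN come from the environment rather than being pasted into the script, the KV engine at secret/ is KV v1 (the note reads v1/secret/cmdbapi with no /data/ segment), the contents of the app policy (read-only on secret/cmdbapi) and the /sys/policies/acl endpoint (Vault 0.9+) are assumptions since the note does not show them.

```python
"""AppRole bootstrap with urllib only (added example, not the original note's code).

Assumptions (labelled): VAULT_ADDR and VAULT_TOKEN are read from the environment,
the KV engine at secret/ is KV v1, and the "app" policy only needs read access to
secret/cmdbapi.  The request-building helpers need no running Vault, so they can
be checked offline.
"""
import json
import os
import urllib.request

# Body for the "app" policy mentioned in the note; the note does not show its
# contents, so this least-privilege version is an assumption.
APP_POLICY_HCL = 'path "secret/cmdbapi" {\n  capabilities = ["read"]\n}\n'


def build_request(addr, path, token=None, method="GET", data=None):
    """Build a urllib Request for /v1/<path>; the token goes in X-Vault-Token."""
    url = addr.rstrip("/") + "/v1/" + path.lstrip("/")
    body = None if data is None else json.dumps(data).encode()
    req = urllib.request.Request(url, data=body, method=method)
    if token:
        req.add_header("X-Vault-Token", token)
    if body is not None:
        req.add_header("Content-Type", "application/json")
    return req


def approle_login_payload(role_id, secret_id):
    """JSON body for auth/approle/login (same shape as the curl --data above)."""
    return {"role_id": role_id, "secret_id": secret_id}


def vault_call(addr, path, token=None, method="GET", data=None):
    """Send one request and return the parsed JSON body ({} on 204 No Content)."""
    req = build_request(addr, path, token, method, data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def bootstrap_approle(addr, root_token):
    """Root-token steps: enable approle, write policy, create role, issue credentials."""
    vault_call(addr, "sys/auth/approle", root_token, "POST", {"type": "approle"})
    vault_call(addr, "sys/policies/acl/app", root_token, "PUT", {"policy": APP_POLICY_HCL})
    vault_call(addr, "auth/approle/role/app", root_token, "POST", {"policies": ["app"]})
    role_id = vault_call(addr, "auth/approle/role/app/role-id", root_token)["data"]["role_id"]
    secret_id = vault_call(addr, "auth/approle/role/app/secret-id", root_token, "POST")["data"]["secret_id"]
    return role_id, secret_id


def read_as_app(addr, role_id, secret_id):
    """Application side: log in with the AppRole pair, then read with the client token."""
    login = vault_call(addr, "auth/approle/login", None, "POST",
                       approle_login_payload(role_id, secret_id))
    client_token = login["auth"]["client_token"]
    return vault_call(addr, "secret/cmdbapi", client_token)["data"]


if __name__ == "__main__":
    vault_addr = os.environ["VAULT_ADDR"]   # e.g. http://127.0.0.1:8200
    root = os.environ["VAULT_TOKEN"]        # root token from the init step
    rid, sid = bootstrap_approle(vault_addr, root)
    print(read_as_app(vault_addr, rid, sid))
```

The root token is used only in bootstrap_approle; read_as_app holds nothing but the role_id/secret_id pair and the short-lived client token the login returns, which is the separation AppRole is meant to give an application. Running it twice fails on sys/auth/approle with "path is already in use", exactly as the curl enable step would.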