
Vault in brief!

vault

Secrets, apps, tokens, teams, an escrow

Vault

  • A single vault binary that acts as
    • server
    • cli

$ export VAULT_ADDR=https://10.0.0.1

Configuration

/etc/vault/vault.hcl

backend "file" {
  path = "/var/lib/vault"
}
ui = true
disable_mlock = true
listener "tcp" {
  address       = "10.0.0.1:443"
  tls_cert_file = "/etc/certs/vault.crt"
  tls_key_file  = "/etc/certs/vault.key"
  tls_disable   = 0
}

SSS initialization

Shamir's Secret Sharing

$ vault operator init -key-shares=3 -key-threshold=2
Unseal Key 1: 6gAO3lmAhIaHzDAdkK256g2B2Dpeqy+z4jqQCJBID3d8
Unseal Key 2: TO7DDRQXSPC3IQylPEBPjPGAGAGMzjEkjT/FL62m7UUd
Unseal Key 3: CYfEbt83jYsQFcSErHT4Y5NCsrEtfFUE6tjQZKfP632K

Initial Root Token: s.78MykQO2b5qcy03rtoNwmhr1

Vault initialized with 3 key shares and a key threshold of 2. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 2 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 2 keys to
reconstruct the master key, Vault will remain permanently sealed!
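Added example (not part of the original slides): a POSIX shell script that splits the `vault operator init` output shown above into one 0600 file per unseal key share plus a separate root-token file, so each custodian can be handed a single file, and that refuses output carrying fewer shares than the announced threshold. The sample output, share values and token are constructed placeholders.

```shell
#!/bin/sh
# Added example: split `vault operator init` output into one file per share.
# SAMPLE_INIT_OUTPUT is constructed; the share and token values are placeholders.
SAMPLE_INIT_OUTPUT='Unseal Key 1: SHARE-ONE-PLACEHOLDER
Unseal Key 2: SHARE-TWO-PLACEHOLDER
Unseal Key 3: SHARE-THREE-PLACEHOLDER

Initial Root Token: s.ROOT-TOKEN-PLACEHOLDER

Vault initialized with 3 key shares and a key threshold of 2. Please securely
distribute the key shares printed above.'

# Print "<n> <share>" for every "Unseal Key <n>:" line.
unseal_keys() {
  printf '%s\n' "$1" | sed -n 's/^Unseal Key \([0-9][0-9]*\): *\(.*\)$/\1 \2/p'
}

# Print the threshold Vault announces ("key threshold of <t>").
key_threshold() {
  printf '%s\n' "$1" | sed -n 's/.*key threshold of \([0-9][0-9]*\).*/\1/p'
}

# Write each share to its own file (unseal-key-<n>) and the root token to
# root-token, all created 0600 inside a 0700 directory. Fails when fewer shares
# than the threshold were found: such output is truncated and could never
# unseal the Vault.
split_init_output() (
  out=$1; dir=$2
  umask 077                      # subshell body: the umask does not leak to the caller
  mkdir -p "$dir"
  unseal_keys "$out" | while read -r num share; do
    printf '%s\n' "$share" > "$dir/unseal-key-$num"
  done
  printf '%s\n' "$out" | sed -n 's/^Initial Root Token: *//p' > "$dir/root-token"
  found=$(( $(unseal_keys "$out" | wc -l) ))
  [ "$found" -ge "$(key_threshold "$out")" ]
)
```

Run it as `split_init_output "$(vault operator init -key-shares=3 -key-threshold=2)" /path/to/dir` and hand each unseal-key-N file to a different person.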

Authentication

by token

$ vault login token=<root-or-app-token>

equivalent to

$ export VAULT_TOKEN=<root-or-app-token>

by LDAP

$ vault login -method=ldap username=mazenovi

stores the token in ~/.vault-token and $VAULT_TOKEN

Policy (ACL)

path "cri/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

writing the policy

$ vault policy write cri /etc/vault/cri.hcl

applying it to an LDAP group

$ vault write auth/ldap/groups/cri policies=cri

creating a token from the policy

$ vault token create -policy=cri

Secrets engines

workflow

$ vault secrets list
$ vault kv list cri/
$ vault kv get cri/test
$ vault kv get -format=json cri/test
$ vault kv get -format=json cri/test | jq .data
$ vault kv get -format=json cri/test | jq .data.data.root
$ vault kv put cri/test password2=$(date | sha256sum | cut -d' ' -f1)
$ vault kv patch cri/test password1=$(date | sha256sum | cut -d' ' -f1)
$ vault kv delete cri/test

with ansible

  • native hashi_vault lookup

    • read only
    • no native kv2 support to date
  • "community" hashivault module

    • Reading and Writing
      • supports kv2
    • Initialization, Seal, and Unseal
    • Policy
    • User Management

UI

"password notebooks"