dghadge

$ vault token-create -policy="mysql-readonly"

dghadge

--------Start : src/main/resources/bootstrap.properties --------------------

spring.cloud.vault.ssl.trust-store=file:certificates/keystore.jks

spring.cloud.vault.token=7116175f-02bd-1216-3d9f-7362db6be6cc

spring.cloud.vault.mysql.enabled=true

spring.cloud.vault.mysql.role=readonly

dghadge

$ mysql -uroot -e “CREATE USER ‘vaultadmin’ IDENTIFIED by ‘vaultpass’;” -p
$ mysql -uroot -e “GRANT ALL PRIVILEGES ON *.* TO ‘vaultadmin’@’%’ WITH GRANT OPTION;” -p;

dghadge

$ vault mount database

$ vault write database/config/mysql plugin_name=mysql-database-plugin \
          connection_url="vaultadmin:vaultpass@tcp(127.0.0.1:3306)/"
$ vault write database/roles/readonly sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON *.* TO '{{name}}'@'%';"

$ vault policy-write mysql-readonly mysql-policy.conf
 --------Start : mysql-policy.conf --------------------
          path "sys/*" {
          policy = "deny"

dghadge

1. Start Consul server. It is used by Vault for persisting secrets.
   $ consul agent -server -bootstrap-expect 1 -data-dir /tmp/consul -bind 127.0.0.1

2. Start Vault
   $ vault server -config=vault.conf
   $ cat vault.conf        
    --------Start : vault.conf --------------------
    backend "consul" {
      address = "127.0.0.1:8500"
      path = "vault"