@dtest
Last active June 4, 2016 18:26
Vault
vault:
  container_name: vault
  image: dtestops/vault
  volumes:
    - ./vault.hcl:/etc/vault.hcl
  links:
    - "mysql:mysql"
  ports:
    - "8200:8200"
  command: "server -config=/etc/vault.hcl"
  environment:
    - VAULT_ADDR=http://127.0.0.1:8200
mysql:
  container_name: mysql
  image: mysql:5.7
  environment:
    - "MYSQL_ROOT_PASSWORD=secret"
$ source scripts/initiate_vault.sh
Sealed: false
Key Shares: 1
Key Threshold: 1
Unseal Progress: 0
$ echo $VAULT_TOKEN
8f357777-0b58-87ed-d54f-a56bb2d6f6ba
# start vault
docker-compose up -d
# initiate vault
source ./scripts/initiate-vault.sh
$ vault auth $VAULT_TOKEN
Successfully authenticated!
token: 8f357777-0b58-87ed-d54f-a56bb2d6f6ba
token_duration: 0
token_policies: [root]
$ vault mount mysql
Successfully mounted 'mysql' at 'mysql'!
$ vault mounts
Path        Type       Default TTL  Max TTL  Description
cubbyhole/  cubbyhole  n/a          n/a      per-token private secret storage
mysql/      mysql      system       system
secret/     generic    system       system   generic secret storage
sys/        system     n/a          n/a      system endpoints used for control, policy and debugging
$ vault write mysql/config/connection \
> value="root:secret@tcp(mysql:3306)/"
Success! Data written to: mysql/config/connection
$ vault write mysql/config/lease \
> lease=10m \
> lease_max=1h
Success! Data written to: mysql/config/lease
$ vault write mysql/roles/readonly \
> sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';"
Success! Data written to: mysql/roles/readonly
# Authenticate using root token
vault auth $VAULT_TOKEN
# Mount the MySQL secret
vault mount mysql
# Create the mysql connection string
vault write mysql/config/connection \
value="root:secret@tcp(mysql:3306)/"
# Set the lease properties
vault write mysql/config/lease \
lease=10m \
lease_max=1h
# Create a readonly role
vault write mysql/roles/readonly \
sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';"
$ vault read mysql/creds/readonly
Key              Value
lease_id         mysql/creds/readonly/5b31f548-f196-ee63-cea7-64f0a1c56e6b
lease_duration   600
lease_renewable  true
password         88eea4fd-b844-e4ae-5dbb-373bf4760475
username         root-7d061d03-42
# Connect to MySQL
docker exec -it mysql mysql -u${generated_user} -p${generated_password}
mysql> SELECT User();
+----------------------------+
| User()                     |
+----------------------------+
| root-7d061d03-42@localhost |
+----------------------------+
1 row in set (0.00 sec)
mysql> SHOW GRANTS;
+-----------------------------------------------+
| Grants for root-7d061d03-42@%                 |
+-----------------------------------------------+
| GRANT SELECT ON *.* TO 'root-7d061d03-42'@'%' |
+-----------------------------------------------+
1 row in set (0.00 sec)
mysql> SELECT User, Host FROM mysql.user;
+------------------+------+
| User             | Host |
+------------------+------+
| root             | %    |
| root-7d061d03-42 | %    |
+------------------+------+
2 rows in set (0.01 sec)
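The lease settings above (lease=10m, lease_max=1h) only pay off if the application renews before the 600-second TTL runs out and revokes the lease when it is done, so the generated MySQL user disappears instead of lingering. This is an added Python example, not part of the gist; it assumes the gist's VAULT_ADDR and readonly role, a Vault token supplied by the caller, a `threading.Event` for shutdown, and the sys/renew and sys/revoke lease endpoints of that Vault era.

```python
import json
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"   # same address the gist exports as VAULT_ADDR
CREDS_PATH = "mysql/creds/readonly"    # the readonly role the gist creates

def vault_call(token, method, path, body=None):
    """One authenticated request against Vault's v1 HTTP API; returns decoded JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{VAULT_ADDR}/v1/{path}", data=data, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def parse_creds(secret):
    """Pick out what an application needs from a creds/<role> response (the fields `vault read` prints)."""
    return {
        "username": secret["data"]["username"],
        "password": secret["data"]["password"],
        "lease_id": secret["lease_id"],
        "ttl": int(secret["lease_duration"]),          # seconds; 600 for lease=10m
        "renewable": bool(secret.get("renewable", False)),
    }

def fetch_creds(token):
    return parse_creds(vault_call(token, "GET", CREDS_PATH))

def renew_after(ttl, fraction=2 / 3):
    """Seconds to wait before renewing: well inside the TTL, so a slow or briefly
    unreachable Vault does not let MySQL drop the user while queries are running."""
    return max(1, int(ttl * fraction))

def lease_endpoint(action, lease_id):
    """Lease endpoints as they were when the gist was written: sys/renew/<id> and
    sys/revoke/<id> (later Vault releases moved them under sys/leases/)."""
    if action not in ("renew", "revoke"):
        raise ValueError(f"unknown lease action: {action}")
    return f"sys/{action}/{lease_id}"

def keep_alive(token, creds, stop):
    """Renew until the threading.Event `stop` is set, then revoke so the MySQL user
    is deleted at once instead of lingering until lease_max (1h in the gist) expires."""
    while not stop.wait(renew_after(creds["ttl"])):
        renewed = vault_call(token, "PUT", lease_endpoint("renew", creds["lease_id"]),
                             {"increment": creds["ttl"]})
        creds["ttl"] = int(renewed["lease_duration"])
    vault_call(token, "PUT", lease_endpoint("revoke", creds["lease_id"]))
```

Run `keep_alive` in a background thread alongside the MySQL connection and set the event on shutdown; anything that still holds the old password fails after revocation, which is the behaviour you want.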