Last active
July 3, 2018 14:34
-
-
Save stenio123/f1f0dd828d67d969c16a30fd24cc6cf9 to your computer and use it in GitHub Desktop.
Showing max_ttl lease precedence behavior in vault: system | mount | config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Mount database backend | |
| vault mount database | |
| # Configure MySQL connection | |
| vault write database/config/mysql \ | |
| plugin_name=mysql-legacy-database-plugin \ | |
| connection_url="vaultadmin:vaultadminpassword@tcp(127.0.0.1:3306)/" \ | |
| allowed_roles="readonly" | |
| # Create MySQL readonly role | |
| vault write database/roles/readonly \ | |
| db_name=mysql \ | |
| creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \ | |
| default_ttl="30m" \ #<------------------------------------------------------------ #Note this value!!! | |
| max_ttl="24h" #<------------------------------------------------------------ #Note this value!!! | |
| ----------------------------------------- | |
| # Read a set of credentials from the role | |
| vault read database/creds/readonly | |
| # Output: | |
| Key Value | |
| --- ----- | |
| lease_id database/creds/readonly/afc69c10-561f-e17f-6a38-017e1068ba85 | |
| lease_duration 30m0s #<------------------------------------------------------------ #Note this value!!! | |
| lease_renewable true | |
| password A1a-rsrpx2s9ssr179r9 | |
| username v-read-25vtuw15s | |
| ------------------------------------------ | |
| # Check mount max_ttl | |
| vault read sys/mounts/database/tune | |
| # Output: | |
| Key Value | |
| --- ----- | |
| default_lease_ttl 2764800 | |
| force_no_cache false | |
| max_lease_ttl 2764800 #<------------------------------------------------------------ #Note this value!!! | |
| ------------------------------------------ | |
| # Update mount max_ttl | |
| vault write sys/mounts/database/tune max_lease_ttl=30 | |
| # Check value: | |
| vault read sys/mounts/database/tune | |
| # Output: | |
| Key Value | |
| --- ----- | |
| default_lease_ttl 2764800 | |
| force_no_cache false | |
| max_lease_ttl 30 #<------------------------------------------------------------ #Note this value!!! | |
| ------------------------------------------ | |
| # Read credentials | |
| vault read database/creds/readonly | |
| # Output - see how now the lease duration is 30s, constrained by the new mount max_ttl. | |
| # Remember, the leases inside a mount cant be greater than either the mount or the system default. | |
| Key Value | |
| --- ----- | |
| lease_id database/creds/readonly/8ed12999-381e-4dac-3288-6840eeaf4f06 | |
| lease_duration 30s #<------------------------------------------------------------ #Note this value!!! | |
| lease_renewable true | |
| password A1a-q6w01tyu72uz51v1 | |
| username v-read-38u5wv14u | |
| ----------------------------------------- | |
| # Now we restore the mount's max_ttl to default 32 days: | |
| vault write sys/mounts/database/tune max_lease_ttl=2764800 | |
| # To check: | |
| vault read sys/mounts/database/tune | |
| # Output | |
| Key Value | |
| --- ----- | |
| default_lease_ttl 2764800 | |
| force_no_cache false | |
| max_lease_ttl 2764800 #<------------------------------------------------------------ #Note this value!!! | |
| _________________________________________ | |
| # Now let's change the system max_ttl, which is done in the Vault configuration file. | |
| # In order to do that, we need to first stop the process running vault: | |
| ps aux | grep vault | |
| # Output: | |
| root 5266 0.0 4.8 62364 24224 ? Sl 13:43 0:00 /usr/local/bin/vault server -dev -dev-root-token-id=password -dev-listen-address=0.0.0.0:8200 | |
| # Now we kill the process: | |
| sudo kill -9 5266 | |
| # Now edit your Vault config, reference for possible values here: https://www.vaultproject.io/docs/configuration/index.html. | |
| # For example: | |
| ------------------------------------------- | |
| vault.hcl: | |
| storage "file" { | |
| path = "/home/vagrant/data" | |
| } | |
| listener "tcp" { | |
| address = "0.0.0.0:8200" | |
| tls_disable = 1 | |
| } | |
| max_lease_ttl = "30s" | |
| # cannot have DefaultLeaseTTL larger than MaxLeaseTTL | |
| default_lease_ttl="30s" | |
| ui = true | |
| -------------------------------------------- | |
| # Start Vault normally: | |
| vault server -config=vault.hcl & | |
| vault init | |
| vault unseal ... | |
| vault auth .. | |
| # Now if we check the database tune: | |
| vault read sys/mounts/database/tune | |
| # Output | |
| Key Value | |
| --- ----- | |
| default_lease_ttl 30 | |
| force_no_cache false | |
| max_lease_ttl 30 #<------------------------------------------------------------ #Note this value!!! | |
| # And if we generate a credential: | |
| vault read database/creds/readonly | |
| # Output | |
| Key Value | |
| --- ----- | |
| lease_id database/creds/readonly/9904bbd2-d27d-cba5-bdc0-95708daea880 | |
| lease_duration 30s #<------------------------------------------------------------ #Note this value!!! | |
| lease_renewable true | |
| password A1a-ss1z6s92v168qrv9 | |
| username v-read-88rqxx3p0 | |
| # Even though in the configuration we have 30 mins. | |
| vault read database/roles/readonly | |
| # Output | |
| Key Value | |
| --- ----- | |
| creation_statements CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%'; | |
| db_name mysql | |
| default_ttl 1800 #1800 seconds = 30 mins | |
| max_ttl 86400 #<------------------------------------------------------------ #Note this value!!! | |
| renew_statements | |
| revocation_statements | |
| rollback_statements | |
| # This shows that the system max_ttl and the mount max_ttl set the maximum boundary of a configuration. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment