Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Consul + Vault + MySQL = <3
{
"http_api_response_headers": {
"Access-Control-Allow-Origin": "*"
},
"client_addr": "0.0.0.0",
"datacenter": "dc1",
"acl_datacenter": "dc1",
"data_dir": "/data",
"server": true,
"bootstrap": true,
"ui_dir": "/ui"
}
vault:
image: voxxit/vault:latest
volumes:
- ./vault.hcl:/etc/vault.hcl
links:
- "consul:consul"
- "mysql:mysql"
ports:
- 8200:8200
command: "server -config=/etc/vault.hcl"
mysql:
image: mysql:latest
environment:
- "MYSQL_ROOT_PASSWORD=secret"
consul:
image: voxxit/consul:latest
ports:
- 80:8500
volumes:
- ./consul.json:/etc/consul.json
command: "agent -config-file=/etc/consul.json"
git clone https://gist.github.com/dd6f95398c1bdc9f1038.git vault
cd vault
docker-compose up -d
export VAULT_ADDR=http://192.168.99.100:8200

Initializing a vault:

vault init
vault unseal <secret 1>
vault unseal <secret 2>
vault unseal <secret 3>

Authorizing using the root token:

vault auth <root token>

Dynamic AWS Credentials

https://www.vaultproject.io/docs/secrets/aws/index.html

$ vault mount aws
Successfully mounted 'aws' at 'aws'!

$ vault write aws/config/root \
    access_key=<aws_access_key_id> \
    secret_key=<aws_secret_access_key> \
    region=us-east-1

# use http://awspolicygen.s3.amazonaws.com/policygen.html to generate policies
# here is an example one which provides full access to <bucket name>:
vault write aws/roles/s3 name=s3 policy=- <<EOF
{
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : [
        "s3:ListAllMyBuckets"
      ],
      "Resource" : "arn:aws:s3:::*"
    }, {
      "Effect" : "Allow",
      "Action" : [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource" : "arn:aws:s3:::<bucket name>"
    }, {
      "Effect" : "Allow",
      "Action" : [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource":"arn:aws:s3:::<bucket name>/*"
    }
  ]
}
EOF

$ vault read aws/creds/s3
Key             Value
lease_id        aws/creds/s3/7cb8df71-782f-3de1-79dd-251778e49f58
lease_duration  3600
access_key      AKIAIOMYUTSLGJOGLHTQ
secret_key      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

Dynamic MySQL Usernames/Passwords

https://www.vaultproject.io/docs/secrets/mysql/index.html

$ vault mount mysql
Successfully mounted 'mysql' at 'mysql'!

$ vault write mysql/config/connection value="root:secret@tcp(mysql:3306)/"
Success! Data written to: mysql/config/connection

$ vault write mysql/config/lease lease=1h lease_max=24h
Success! Data written to: mysql/config/lease

$ vault write mysql/roles/readonly sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON *.* TO '{{name}}'@'%';"
Success! Data written to: mysql/roles/readonly

$ vault read mysql/creds/readonly
Key             Value
lease_id        mysql/creds/readonly/bd404e98-0f35-b378-269a-b7770ef01897
lease_duration  3600
password        132ae3ef-5a64-7499-351e-bfe59f3a2a21
username        root-aefa635a-18
backend "consul" {
address = "consul:8500"
advertise_addr = "consul:8300"
scheme = "http"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
}
disable_mlock = true
@hyzhak

This comment has been minimized.

Copy link

@hyzhak hyzhak commented Oct 4, 2015

got error:

$ docker-compose up
Starting server_vault_1...
Attaching to server_vault_1
vault_1 | panic: runtime error: invalid memory address or nil pointer dereference
vault_1 | [signal 0xb code=0x1 addr=0x0 pc=0x4bd6a2]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment