@zmts
Last active January 9, 2020 15:18
Hashicorp Vault

export VAULT_ADDR='http://127.0.0.1:8200'

Enable the AppRole auth method

vault auth enable approle

Create the db-pol policy via the UI (http://localhost:8200/ui/vault/policies/acl). The path below is the KV v1 form; on a KV v2 mount the same secret is read at kv/data/db.

path "kv/db" {
    capabilities = ["read"]
}

Create a role that matches your requirements:

Create an alex-app role that requires a secret_id, with the default policy attached

vault write auth/approle/role/alex-app \
    secret_id_ttl=10m \
    token_num_uses=10 \
    token_ttl=20m \
    token_max_ttl=30m \
    secret_id_num_uses=40

Or create a role named alex-app with only the db-pol policy attached and WITHOUT REQUIRING a secret_id. Vault only allows bind_secret_id=false when another constraint is set, which is what secret_id_bound_cidrs provides here: login is then restricted to clients in that CIDR range.

vault write auth/approle/role/alex-app \
    token_policies="db-pol" \
    token_ttl=20m \
    token_max_ttl=30m \
    bind_secret_id=false \
    secret_id_bound_cidrs=127.0.0.1/24

Read the alex-app role ID

vault read auth/approle/role/alex-app/role-id

Generate an alex-app secret ID (each call issues a new one, subject to secret_id_ttl and secret_id_num_uses)

vault write -f auth/approle/role/alex-app/secret-id

Log in via the auth/approle/login endpoint by passing only the role ID (works for the role created with bind_secret_id=false, from an address within the bound CIDR)

vault write auth/approle/login role_id="038d7423-dd97-3216-8123-7d976bb227bb"

Log in via the auth/approle/login endpoint by passing both the role ID and the secret ID (for the role that requires a secret_id)

vault write auth/approle/login role_id="038d7423-dd97-3216-8123-7d976bb227bb" \
  secret_id="81eafedf-4005-991e-3e78-4df3aa8e0824"
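The whole flow above, end to end, as an added shell example that is not part of the gist: it writes the same db-pol policy from the CLI instead of the UI, creates the alex-app role with the policy attached and a secret_id required (combining the two role variants), logs in, and then checks that the resulting token can read kv/db but cannot write it. It assumes a dev Vault at VAULT_ADDR with an admin token in VAULT_TOKEN, the vault CLI on PATH, and a KV v1 engine at kv/; the secret value and the json_string_field helper are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the gist): AppRole setup, login and least-privilege check.
# Assumes VAULT_ADDR and an admin VAULT_TOKEN are exported and the vault CLI is on PATH.
set -eu

ROLE="alex-app"
POLICY="db-pol"

# Hypothetical minimal helper: pull a top-level string field ("key": "value")
# out of JSON on stdin without needing jq. Good enough for the fields that
# `vault ... -format=json` prints, where each field sits on its own line.
json_string_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

approle_setup() {
  vault auth enable approle 2>/dev/null || true              # idempotent on re-run
  vault secrets enable -path=kv -version=1 kv 2>/dev/null || true
  vault kv put kv/db username="db_user" password="CONSTRUCTED-EXAMPLE"  # constructed sample secret

  # Same policy as the gist, written from the CLI instead of the UI.
  vault policy write "$POLICY" - <<'EOF'
path "kv/db" {
    capabilities = ["read"]
}
EOF

  # Role that requires a secret_id; short TTLs and use counts limit the damage
  # window if a secret_id or token leaks.
  vault write "auth/approle/role/$ROLE" \
      token_policies="$POLICY" \
      secret_id_ttl=10m \
      secret_id_num_uses=1 \
      token_ttl=20m \
      token_max_ttl=30m \
      token_num_uses=10
}

# Prints the client token obtained by logging in with a fresh secret_id.
approle_login() {
  role_id=$(vault read -field=role_id "auth/approle/role/$ROLE/role-id")
  secret_id=$(vault write -f -field=secret_id "auth/approle/role/$ROLE/secret-id")
  vault write -format=json auth/approle/login \
      role_id="$role_id" secret_id="$secret_id" \
    | json_string_field client_token
}

# Verify the app token is scoped as the policy intends: read succeeds, write is denied.
approle_verify() {
  token="$1"
  VAULT_TOKEN="$token" vault kv get -field=username kv/db >/dev/null
  if VAULT_TOKEN="$token" vault kv put kv/db username="x" >/dev/null 2>&1; then
    echo "unexpected: app token can write kv/db" >&2
    return 1
  fi
  echo "ok: app token can read but not write kv/db"
}

# Only talk to Vault when explicitly asked, so the file can be sourced safely.
if [ "${APPROLE_DEMO_RUN:-0}" = "1" ]; then
  approle_setup
  approle_verify "$(approle_login)"
fi
```

Run it with `APPROLE_DEMO_RUN=1 sh approle-demo.sh`. For a real deployment the secret_id would be delivered to the application via a response-wrapping token (`vault write -f -wrap-ttl=60s auth/approle/role/alex-app/secret-id`) rather than printed by the operator, so the plaintext secret_id never sits in a shell history or CI log.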