HashiCorp's Vault - The Examples
9 likes3,354 views
The document details the installation and configuration of HashiCorp's Vault, including steps for downloading, verifying, and installing the software, as well as setting it up for development and production environments using PostgreSQL. It outlines the process for creating PostgreSQL users through Vault, mounting the PostgreSQL backend, and generating credentials for database access. The document also includes example configurations and commands for establishing connections between Vault and PostgreSQL.
HashiCorp's Vault - The Examples
- 2. Introduction
- 5. Vault is a "simple" HTTP service
- 6. How to make secrets secure? ● encryption ● renewing ● revoking
- 7. How to make secrets secure? ● encryption ● renewing ● revoking
- 8. How to make secrets secure? ● encryption ● renewing ● revoking
- 9. How to make secrets secure? ● encryption ● renewing ● revoking
- 10. How to make secrets secure? ● encryption ● renewing ● revoking
- 11. "Install" Vault
- 12. Do you know PGP? keybase.io?
- 14. Download Vault # Download the 64bit binary curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_linux_amd64.zip" # Download checksums and signature curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_SHA256SUMS" curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_SHA256SUMS.sig" # Import the hashicorp public key curl "https://keybase.io/hashicorp/pgp_keys.asc" | gpg --import Sample link: https://releases.hashicorp.com/vault/0.6.4/
- 15. Download Vault # Verify the signature file is untampered. $ gpg2 --options $project_directory/.gnupg/gpg.conf --verify "vault_${vault_version}_SHA256SUMS.sig" "vault_${vault_version}_SHA256SUMS" # Verify the SHASUM matches the binary $ cat "vault_${vault_version}_SHA256SUMS" | grep "vault_${vault_version}_linux_amd64.zip" | shasum -a 256 -c -
- 16. Download Vault # Install Vault $ unzip "vault_${vault_version}_linux_amd64.zip"
- 17. Download Vault $ ./scripts/vault version Vault v0.6.4 ('f4adc7fa960ed8e828f94bc6785bcdbae8d1b263')
- 18. Add Vault to $PATH $ export PATH=$PATH:$PWD/scripts
- 19. Boot Vault
- 21. Vault development configuration $ cat configuration/development.hcl backend "file" { path = "data" } listener "tcp" { address = "127.0.0.1:8200" tls_disable = 1 } default_lease_ttl = "1h" max_lease_ttl = "2h" disable_mlock = true
- 22. Start Vault Server $ vault server -config=$PWD/configuration/development.hcl
- 23. Initialize Vault $ vault init -key-shares=1 -key-threshold=1
- 24. Unseal Vault Server $ vault unseal 4e02850adda5af588e290592d11d323fa1ce...
- 28. Docker Compose Configuration $ cat .env.db POSTGRES_USER=vault POSTGRES_PASSWORD=vault POSTGRES_DB=vault
- 29. Docker Compose Configuration $ cat docker-compose.yml --- version: '2' services: db: image: "postgres:9.5.4" hostname: db env_file: - .env.db ports: - "9191:5432"
- 30. Start PostgreSQL $ docker-compose ps Name Command State Ports ---------------------------------------------------------------------------- vault_db_1 /docker-entrypoint.sh postgres Up 0.0.0.0:9191->5432/tcp $ docker-compose up -d
- 31. Mount the PostgreSQL backend $ vault mount -path=postgresql-test -default-lease-ttl=30m -max-lease-ttl=12h Postgresql Successfully mounted 'postgresql' at 'postgresql-test'!
- 32. Verify the PostgreSQL backend $ vault mounts | head -n1 && vault mounts | grep postgresql Path Type Default TTL Max TTL Description postgresql-test/ postgresql 1800 43200
- 33. Establish connection between PostgreSQL and Vault $ source .env.db $ vault write postgresql-test/config/connection connection_url="postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@0.0.0.0:9191 /${POSTGRES_DB}?sslmode=disable"
- 34. Tell Vault how to create PostgreSQL users SQL query in readable format CREATE ROLE "{{name}}" WITH LOGIN PASSWORD "{{password}}" VALID UNTIL "{{expiration}}"; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
- 35. Tell Vault how to create PostgreSQL users $ vault write postgresql-test/roles/readonly sql="CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";" Success! Data written to: postgresql-test/roles/readonly
- 36. Generate user with password $ vault read -format=json postgresql-test/creds/readonly | tee postgresql-user-credentials.json | jq .
- 37. { "request_id": "b02b0a7f-9ea1-34f0-59fb-b25015114f5c", "lease_id": "postgresql-test/creds/readonly/40ff9937-8e6b-41c4-26c4-67e5c2be3024", "lease_duration": 3600, "renewable": true, "data": { "password": "130a6869-9e1a-94aa-c4ce-88bd5d7cc93e", "username": "root-42e196da-4b70-47cd-cc72-01fd791cdd84" }, "warnings": null } user with password - result
- 38. Connect to PostgreSQL $ username=$(jq -r .data.username postgresql-user-credentials.json) $ password=$(jq -r .data.password postgresql-user-credentials.json)
- 39. $ docker run --rm -it --link=vault_db_1:db --net vault_default --env PGPASSWORD="${password}" --env username="${username}" --env POSTGRES_DB="${POSTGRES_DB}" postgres:9.5.4 bash > psql --host=db --username="${username}" "${POSTGRES_DB}" Connect to PostgreSQL
- 40. > SELECT datname AS database, usename AS user FROM pg_stat_activity WHERE state = 'active'; database | user ---------+------------------------------------------- vault | root-45fb7d50-c99f-dd78-f3c5-e20b9636a300 (1 row) user with password
- 41. SSH Backend
- 42. Overview