java-tutorials/spring-cloud/spring-cloud-vault/vault-cheatsheet.txt

== Vault server bootstrap

1. Run vaul-start in one shell

2. Open another shell and execute the command below:
> vault operator init

Vault will output the unseal keys and root token: STORE THEM SAFELY !!!

Example output:
Unseal Key 1: OfCseaSZzjTZmrxhfx+5clKobwLGCNiJdAlfixSG9E3o
Unseal Key 2: iplVLPTHW0n0WL5XuI6QWwyNtWbKTek1SoKcG0gR7vdT
Unseal Key 3: K0TleK3OYUvWFF+uIDsQuf5a+/gkv1PtZ3O47ornzRoF
Unseal Key 4: +5zhysLAO4hIdZs0kiZpkrRovw11uQacfloiBwnZBJA/
Unseal Key 5: GDwSq18lXV3Cw4MoHsKIH137kuI0mdl36UiD9WxOdulc

Initial Root Token: d341fdaf-1cf9-936a-3c38-cf5eec94b5c0

...

== Admin token setup

1. Set the VAULT_TOKEN environment variable with the root token value 
export VAULT_TOKEN=d341fdaf-1cf9-936a-3c38-cf5eec94b5c0 (Linux) 
set VAULT_TOKEN=d341fdaf-1cf9-936a-3c38-cf5eec94b5c0 (Windows)

2. Create another admin token

>vault token create -display-name=admin
Key                  Value
---                  -----
token                3779c3ca-9f5e-1d8f-3842-efa96d88de43  <=== this is the new root token
token_accessor       2dfa4031-973b-cf88-c749-ee6f520ecaea
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

3. Create ~/.vault-secret with your root token
4. Unset the VAULT_TOKEN environment variable !

=== Test DB setup (MySQL only, for now)

1. Create test db
2. Create admin account used to create dynamic accounts:

create schema fakebank;
create user 'fakebank-admin'@'%' identified by 'Sup&rSecre7!'
grant all privileges on fakebank.* to 'fakebank-admin'@'%' with grant option;
grant create user on *.* to 'fakebank-admin' with grant option;
flush privileges;


=== Database secret backend setup
> vault secrets enable database

==== Create db configuration
> vault write database/config/mysql-fakebank ^
  plugin_name=mysql-legacy-database-plugin ^
  connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/fakebank" ^
  allowed_roles="*" ^
  username="fakebank-admin" ^
  password="Sup&rSecre7!" 
  
==== Create roles
> vault write database/roles/fakebank-accounts-ro ^
    db_name=mysql-fakebank ^
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON fakebank.* TO '{{name}}'@'%';" ^
    default_ttl="1h" ^
    max_ttl="24h"  

> vault write database/roles/fakebank-accounts-rw ^
    db_name=mysql-fakebank ^
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT,INSERT,UPDATE ON fakebank.* TO '{{name}}'@'%';" ^
    default_ttl="1m" ^
    max_ttl="2m"  
	
=== Get credentials
> vault read database/creds/fakebank-accounts-rw
[BAEL-455] Initial code 2018-08-14 23:47:53 -04:00			`== Vault server bootstrap`

			`1. Run vaul-start in one shell`

			`2. Open another shell and execute the command below:`
			`> vault operator init`

			`Vault will output the unseal keys and root token: STORE THEM SAFELY !!!`

			`Example output:`
			`Unseal Key 1: OfCseaSZzjTZmrxhfx+5clKobwLGCNiJdAlfixSG9E3o`
			`Unseal Key 2: iplVLPTHW0n0WL5XuI6QWwyNtWbKTek1SoKcG0gR7vdT`
			`Unseal Key 3: K0TleK3OYUvWFF+uIDsQuf5a+/gkv1PtZ3O47ornzRoF`
			`Unseal Key 4: +5zhysLAO4hIdZs0kiZpkrRovw11uQacfloiBwnZBJA/`
			`Unseal Key 5: GDwSq18lXV3Cw4MoHsKIH137kuI0mdl36UiD9WxOdulc`

			`Initial Root Token: d341fdaf-1cf9-936a-3c38-cf5eec94b5c0`

			`...`

			`== Admin token setup`

			`1. Set the VAULT_TOKEN environment variable with the root token value`
			`export VAULT_TOKEN=d341fdaf-1cf9-936a-3c38-cf5eec94b5c0 (Linux)`
			`set VAULT_TOKEN=d341fdaf-1cf9-936a-3c38-cf5eec94b5c0 (Windows)`

			`2. Create another admin token`

			`>vault token create -display-name=admin`
			`Key Value`
			`--- -----`
			`token 3779c3ca-9f5e-1d8f-3842-efa96d88de43 <=== this is the new root token`
			`token_accessor 2dfa4031-973b-cf88-c749-ee6f520ecaea`
			`token_duration ∞`
			`token_renewable false`
			`token_policies ["root"]`
			`identity_policies []`
			`policies ["root"]`

			`3. Create ~/.vault-secret with your root token`
			`4. Unset the VAULT_TOKEN environment variable !`

			`=== Test DB setup (MySQL only, for now)`

			`1. Create test db`
			`2. Create admin account used to create dynamic accounts:`

			`create schema fakebank;`
			`create user 'fakebank-admin'@'%' identified by 'Sup&rSecre7!'`
			`grant all privileges on fakebank.* to 'fakebank-admin'@'%' with grant option;`
			`grant create user on . to 'fakebank-admin' with grant option;`
			`flush privileges;`


			`=== Database secret backend setup`
			`> vault secrets enable database`

			`==== Create db configuration`
			`> vault write database/config/mysql-fakebank ^`
			`plugin_name=mysql-legacy-database-plugin ^`
			`connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/fakebank" ^`
			`allowed_roles="*" ^`
			`username="fakebank-admin" ^`
			`password="Sup&rSecre7!"`

			`==== Create roles`
			`> vault write database/roles/fakebank-accounts-ro ^`
			`db_name=mysql-fakebank ^`
			`creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON fakebank.* TO '{{name}}'@'%';" ^`
			`default_ttl="1h" ^`
			`max_ttl="24h"`

			`> vault write database/roles/fakebank-accounts-rw ^`
			`db_name=mysql-fakebank ^`
			`creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT,INSERT,UPDATE ON fakebank.* TO '{{name}}'@'%';" ^`
			`default_ttl="1m" ^`
			`max_ttl="2m"`

			`=== Get credentials`
			`> vault read database/creds/fakebank-accounts-rw`