== Vault server bootstrap 1. Run vaul-start in one shell 2. Open another shell and execute the command below: > vault operator init Vault will output the unseal keys and root token: STORE THEM SAFELY !!! Example output: Unseal Key 1: OfCseaSZzjTZmrxhfx+5clKobwLGCNiJdAlfixSG9E3o Unseal Key 2: iplVLPTHW0n0WL5XuI6QWwyNtWbKTek1SoKcG0gR7vdT Unseal Key 3: K0TleK3OYUvWFF+uIDsQuf5a+/gkv1PtZ3O47ornzRoF Unseal Key 4: +5zhysLAO4hIdZs0kiZpkrRovw11uQacfloiBwnZBJA/ Unseal Key 5: GDwSq18lXV3Cw4MoHsKIH137kuI0mdl36UiD9WxOdulc Initial Root Token: d341fdaf-1cf9-936a-3c38-cf5eec94b5c0 ... == Admin token setup 1. Set the VAULT_TOKEN environment variable with the root token value export VAULT_TOKEN=d341fdaf-1cf9-936a-3c38-cf5eec94b5c0 (Linux) set VAULT_TOKEN=d341fdaf-1cf9-936a-3c38-cf5eec94b5c0 (Windows) 2. Create another admin token >vault token create -display-name=admin Key Value --- ----- token 3779c3ca-9f5e-1d8f-3842-efa96d88de43 <=== this is the new root token token_accessor 2dfa4031-973b-cf88-c749-ee6f520ecaea token_duration ∞ token_renewable false token_policies ["root"] identity_policies [] policies ["root"] 3. Create ~/.vault-secret with your root token 4. Unset the VAULT_TOKEN environment variable ! === Test DB setup (MySQL only, for now) 1. Create test db 2. Create admin account used to create dynamic accounts: create schema fakebank; create user 'fakebank-admin'@'%' identified by 'Sup&rSecre7!' grant all privileges on fakebank.* to 'fakebank-admin'@'%' with grant option; grant create user on *.* to 'fakebank-admin' with grant option; flush privileges; === Database secret backend setup > vault secrets enable database ==== Create db configuration > vault write database/config/mysql-fakebank ^ plugin_name=mysql-legacy-database-plugin ^ connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/fakebank" ^ allowed_roles="*" ^ username="fakebank-admin" ^ password="Sup&rSecre7!" ==== Create roles > vault write database/roles/fakebank-accounts-ro ^ db_name=mysql-fakebank ^ creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON fakebank.* TO '{{name}}'@'%';" ^ default_ttl="1h" ^ max_ttl="24h" > vault write database/roles/fakebank-accounts-rw ^ db_name=mysql-fakebank ^ creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT,INSERT,UPDATE ON fakebank.* TO '{{name}}'@'%';" ^ default_ttl="1m" ^ max_ttl="2m" === Get credentials > vault read database/creds/fakebank-accounts-rw