83 lines
2.6 KiB
Plaintext
83 lines
2.6 KiB
Plaintext
== Vault server bootstrap
|
|
|
|
1. Run vaul-start in one shell
|
|
|
|
2. Open another shell and execute the command below:
|
|
> vault operator init
|
|
|
|
Vault will output the unseal keys and root token: STORE THEM SAFELY !!!
|
|
|
|
Example output:
|
|
Unseal Key 1: OfCseaSZzjTZmrxhfx+5clKobwLGCNiJdAlfixSG9E3o
|
|
Unseal Key 2: iplVLPTHW0n0WL5XuI6QWwyNtWbKTek1SoKcG0gR7vdT
|
|
Unseal Key 3: K0TleK3OYUvWFF+uIDsQuf5a+/gkv1PtZ3O47ornzRoF
|
|
Unseal Key 4: +5zhysLAO4hIdZs0kiZpkrRovw11uQacfloiBwnZBJA/
|
|
Unseal Key 5: GDwSq18lXV3Cw4MoHsKIH137kuI0mdl36UiD9WxOdulc
|
|
|
|
Initial Root Token: d341fdaf-1cf9-936a-3c38-cf5eec94b5c0
|
|
|
|
...
|
|
|
|
== Admin token setup
|
|
|
|
1. Set the VAULT_TOKEN environment variable with the root token value
|
|
export VAULT_TOKEN=d341fdaf-1cf9-936a-3c38-cf5eec94b5c0 (Linux)
|
|
set VAULT_TOKEN=d341fdaf-1cf9-936a-3c38-cf5eec94b5c0 (Windows)
|
|
|
|
2. Create another admin token
|
|
|
|
>vault token create -display-name=admin
|
|
Key Value
|
|
--- -----
|
|
token 3779c3ca-9f5e-1d8f-3842-efa96d88de43 <=== this is the new root token
|
|
token_accessor 2dfa4031-973b-cf88-c749-ee6f520ecaea
|
|
token_duration ∞
|
|
token_renewable false
|
|
token_policies ["root"]
|
|
identity_policies []
|
|
policies ["root"]
|
|
|
|
3. Create ~/.vault-secret with your root token
|
|
4. Unset the VAULT_TOKEN environment variable !
|
|
|
|
=== Test DB setup (MySQL only, for now)
|
|
|
|
1. Create test db
|
|
2. Create admin account used to create dynamic accounts:
|
|
|
|
create schema fakebank;
|
|
create user 'fakebank-admin'@'%' identified by 'Sup&rSecre7!'
|
|
grant all privileges on fakebank.* to 'fakebank-admin'@'%' with grant option;
|
|
grant create user on *.* to 'fakebank-admin' with grant option;
|
|
flush privileges;
|
|
|
|
|
|
=== Database secret backend setup
|
|
> vault secrets enable database
|
|
|
|
==== Create db configuration
|
|
> vault write database/config/mysql-fakebank ^
|
|
plugin_name=mysql-legacy-database-plugin ^
|
|
connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/fakebank" ^
|
|
allowed_roles="*" ^
|
|
username="fakebank-admin" ^
|
|
password="Sup&rSecre7!"
|
|
|
|
==== Create roles
|
|
> vault write database/roles/fakebank-accounts-ro ^
|
|
db_name=mysql-fakebank ^
|
|
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON fakebank.* TO '{{name}}'@'%';" ^
|
|
default_ttl="1h" ^
|
|
max_ttl="24h"
|
|
|
|
> vault write database/roles/fakebank-accounts-rw ^
|
|
db_name=mysql-fakebank ^
|
|
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT,INSERT,UPDATE ON fakebank.* TO '{{name}}'@'%';" ^
|
|
default_ttl="1m" ^
|
|
max_ttl="2m"
|
|
|
|
=== Get credentials
|
|
> vault read database/creds/fakebank-accounts-rw
|
|
|
|
|