2018年12月20日 HYAKUNA YKO

我们很高兴地宣布更多的动手指南, 以帮助您学习和集成 vault 作为您的机密管理解决方案。一些预先存在的指南也已更新。

新指南:

• 使用 GCP 云 KMS 自动解印
• 带有 AWS 的 Vault 代理
• Kubernetes 的 Vault 代理
• Vault 入门视频指南

更新的指南:

• 入门-安装Vault
• Tokens
• Cubbyhole Response Wrapping
• Versioned Key/Value Secret Engine
• Policies

使用 GCP 云 KMS 自动解印

在 vault 1.0 中, 我们开放了以前需要* vault enterprise pro* 的自动解封功能。现在, 您可以通过受信任的云提供商 (阿里云 KMS、亚马逊 KMS、Azure Key Vault 和 谷歌云 KMS) 选择自动解封。

本指南演示了一个使用 Terraform 设置 Vault 节点的示例, 该节点配置为使用GCP 云 KMS加密密钥自动取消密封。

请注意:使用 AWS KMS 指南的自动解印已更新, 以运行 Vault 1.0 OSS。

AWS 的 Vault 代理

Vault Agent 是一个客户端后台驻留程序, 它自动执行客户端登录和令牌刷新的工作流, 以管理令牌生命周期, 而无需自定义逻辑。

本指南将引导您完成使用 AWS auth 方法配置 Vault 代理所需的步骤。

Kubernetes 的 Vault 代理

KubeCon 最重要的要求之一是如何与 Kubernetes 一起使用 Vault。本指南演示如何从 Kubernetes 环境中利用 Vault 代理。

您将学习如何设置 Kubernetes auth 方法, 然后配置 Vault 代理以获取和管理在 pod 中运行的客户端的 Vault 令牌。

保管库入门-安装保管库视频

我们现有的 Vault

指南是在本地计算机上尝试 Vault 并了解核心概念的最简单方法。但我们明白, 你的时间很宝贵, 在文本旁边或代替文本观看视频往往更容易。我们创建了一个2分钟的视频, 您可以在台式机、平板电脑或移动设备上查看。

令 牌

Vault 1.0 引入了批量令牌，这些令牌支持临时、高性能的工作负载。本指南已更新, 以突出显示和比较

和

的特征.

请注意:也有提供 Katacoda 互动教程。

Cubbyhole Response Wrapping

从 Vault 1.0 开始, Web UI 支持响应包装。附加讨论: 添加了 Web ui部分, 以指导您完成通过 UI 利用响应包装的端到端示例。

政策

添加了一个列出根保护 API endpoints 的表, 以阐明哪些策略路径应包括sudo功能。

【原文】Vault Learning Resources: 1.0, Auto-unseal, Agent, Kubernetes

DEC 20 2018 YOKO HYAKUNA

We are excited to announce additional hands-on guides to help you learn and integrate Vault as your secrets management solution. Some of the pre-existing guides have also been updated.

New guides:

• Auto-unseal using GCP Cloud KMS
• Vault Agent with AWS
• Vault Agent with Kubernetes
• Vault Getting Started video guides

Updated guides:

• Getting Started - Install Vault
• Tokens
• Cubbyhole Response Wrapping
• Versioned Key/Value Secret Engine
• Policies

Auto-Unseal Using GCP Cloud KMS

In Vault 1.0 we open sourced the auto-unseal feature which previously required

. Now you can opt-in to automatic unsealing via your trusted cloud provider: AliCloud KMS, Amazon KMS, Azure Key Vault, and Google Cloud KMS.

This guide demonstrates an example of using Terraform to provision a Vault node which is configured to auto-unseal using a GCP Cloud KMS encryption key.

NOTE: The Auto-unseal using AWS KMS guide has been updated to run Vault 1.0 OSS as well.

Vault Agent With AWS

Vault Agent is a client daemon which automates the workflow of client login and token refresh to manage the token lifecycle without requiring custom logic.

This guide walks you through the steps needed to configure Vault Agent using the AWS auth method.

Vault Agent With Kubernetes

One of the top requests from KubeCon was how to use Vault with Kubernetes. This guide demonstrates how to leverage the Vault Agent from a Kubernetes environment.

You will learn how to set up the Kubernetes auth method and then configure the Vault Agent to acquire and manage Vault tokens for the clients running in a pod.

Vault Getting Started - Install Vault Video

Our existing Vault

guides are the easiest way to try Vault on your local machine and learn the core concepts. But we understand that your time is valuable and it's often easier to watch a video alongside or in place of the text. We created a 2-minute video which you can view on desktop, tablet, or mobile.

Tokens

Vault 1.0 introduced batch tokens which support ephemeral, high performance workloads. This guide has been updated to highlight and compare the characteristics of

and

.

NOTE: A Katacoda interactive tutorial is also available.

Cubbyhole Response Wrapping

As of Vault 1.0, the Web UI supports response wrapping. The Additional Discussion: Web UI section has been added to walk you through an end-to-end example of leveraging response wrapping via the UI.

Policies

A table listing the root protected API endpoints has been added to clarify which policy paths should include the sudocapability.