1 vault开启

vault server -dev(开发者模式)

vault server -config=config.hcl(生产环境启动方式)

其中config.hcl内容如下，本地安装配置mysql数据库，ui=true可以访问ui界面

disable_mlock  = true

ui=true

storage "mysql" {

address = "127.0.0.1:3306"

username = "root"

password = "123456"

database = "vault"

table = "vault"

}

listener "tcp" {

address     = "127.0.0.1:8200"

tls_disable = 1

}

2 vault_addr设置

另外启动一个控制台界面

windows环境：set  VAULT_ADDR=http://127.0.0.1:8200

linux环境：export VAULT_ADDR=http://127.0.0.1:8200

3 vault初始化

vault operator init或者vault operator init -key-shares=5 -key-threshold=3

说明：

-key-shares：指定秘钥的总股数，

-key-threshold：指定需要几股可解锁

以上参数为默认，可不设置。

得到五个key(key1到key5)，后续解封用

vault operator unseal key1

vault operator unseal key2

vault operator unseal key3

vault status查看状态，sealed为false表示解封了

Key             Value

---             -----

Seal Type       shamir

Initialized     true

Sealed          false

Total Shares    5

Threshold       3

Version         1.2.3

Cluster Name    vault-cluster-181def04

Cluster ID      32b31c01-4c2e-bfcf-e44c-0abc862d6156

HA Enabled      false

4 用产生的token登陆

vault login XXX

5 数据库使用

vault secrets enable database

6 transit使用(在path=encryption)启动transit，不写-path=encryption则默认在transit路径下

vault secrets enable -path=encryption transit

7 写入数据库连接配置

vault write database/config/my-mysql-database \

plugin_name=mysql-database-plugin \

connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \

allowed_roles="my-role" \

username="root" \

password="123456"

8 设置动态密钥策略

vault write database/roles/my-role \

db_name=my-mysql-database \

creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT,INSERT,UPDATE ON *.* TO '{{name}}'@'%';" \

default_ttl="1h" \

max_ttl="24h"

9配置文件，直接编写vault policy write my-policy my-policy.hcl没有成功，通过以下命令实现

vault policy write my-policy -<

# Normal servers have version 1 of KV mounted by default, so will need these

# paths:

path "secret/*" {

capabilities = ["create"]

}

path "secret/foo" {

capabilities = ["read"]

}

# Dev servers have version 2 of KV mounted by default, so will need these

# paths:

path "secret/data/*" {

capabilities = ["create"]

}

path "secret/data/foo" {

capabilities = ["read"]

}

EOF

vault 设置静态role

0 在mysql中建立一个角色vault-edu

1 设置运行连接数据库 vault secrets enable database

2 设置数据库连接

vault write database/config/my-mysql-database plugin_name=mysql-database-plugin connection_url="{{username}}:{{password}}@tcp(30.16.104.43:3306)/" allowed_roles="*" username="root" password="123456"

3建立静态角色education

vault write database/static-roles/education db_name=my-mysql-database rotation_statements=@rotation.sql username="vault-edu" rotation_period=86400

rotation.sql具体内容如下：

ALTER USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';

4 读取education信息

vault read database/static-roles/education

5 新建一个策略app,并且写入vault策略中，分配对应的token

vault policy write app app.hcl

vault token create -policy="app"

6 用分配的token登录，查看对应的角色信息

VAULT_TOKEN=s.NN5Izfj9ok3VuZiaP9N9QJ1V vault read database/static-creds/education