Managing Database Credentials and AppRole Authentication with Vault
Edited 2024-01-18 20:17:06
Vault is an open-source tool for storing and managing sensitive data such as passwords, API keys and certificates securely. It protects the data with strong encryption and offers several authentication methods to control who can access it. Vault can run on-premises or in the cloud and is managed through the CLI, the API or the UI.
This post covers Vault initialization, the database secrets engine and authentication methods. We first show how to initialize Vault through the UI, the CLI or the REST API. We then use the database secrets engine to manage database credentials. Finally, we use the AppRole auth method to protect access to the data in Vault.
Initialization
There are three ways to do it.
Via the UI
Visit https://vault.uqiantu.com, follow the prompts, and save the JSON file it produces at the end. The file holds the unseal key share(s) and the initial root token, so keep it as carefully as any other secret; it looks like this:
{
"keys": [
"cf145f5edb6f2dfff30d30ddc0f29f44eec2dee436b8850223df36345660bfe5"
],
"keys_base64": [
"zxRfXttvLf/zDTDdwPKfRO7C3uQ2uIUCI982NFZgv+U="
],
"root_token": "hvs.PGd4sn4vh80aQIMA9R6CvOwe"
}
Via the CLI
/ # export VAULT_ADDR='http://127.0.0.1:8200'
/ # vault operator init -key-shares=1 -key-threshold=1
Unseal Key 1: A15zzLWHW18dXEGp3fEW9qUcoOmcjjInXESlS4RAB4w=
Initial Root Token: hvs.F98rg41VGnQFrqIggEjRxXfF
Unseal
/ # vault operator unseal A15zzLWHW18dXEGp3fEW9qUcoOmcjjInXESlS4RAB4w=
Either set the VAULT_TOKEN environment variable or run vault login (one or the other)
/ # export VAULT_TOKEN="hvs.F98rg41VGnQFrqIggEjRxXfF"
/ # vault login <initial-root-token>
/ # vault secrets enable -path=kv2 kv
/ # vault kv put -mount=kv2 hello foo=world
Via the REST API
https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-apis
Initialize
curl \
--request POST \
--data '{"secret_shares": 1, "secret_threshold": 1}' \
http://127.0.0.1:8200/v1/sys/init | jq
Unseal (submit a value from keys_base64 in the init response)
curl \
--request POST \
--data '{"key": "{{keys_base64}}"}' \
http://127.0.0.1:8200/v1/sys/unseal | jq
Enable the kv engine (the mount path comes from the URL, here kv2)
curl -X POST -H "X-Vault-Token: <root-token>" -d '{"type": "kv"}' http://127.0.0.1:8200/v1/sys/mounts/kv2
Write one secret
curl -X POST -H "X-Vault-Token: <root-token>" -d '{"data": {"foo": "world"}}' http://127.0.0.1:8200/v1/kv2/hello
Check whether Vault is initialized
curl https://vault.uqiantu.com/v1/sys/init
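The three REST calls above (init, unseal, status check) as a small Python client, added here as an example and not part of the original post. It submits unseal key shares one at a time until Vault reports sealed=false, so it also covers a key-shares/threshold split larger than the 1/1 used above, and then reads sys/seal-status. The FakeVault class is a constructed stand-in for a server so the flow can be run offline; VAULT_ADDR and all share and token values in it are assumptions.

```python
import json
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # the address used in the curl commands above


def http_json(method, path, body=None, token=None, opener=None):
    """One JSON call to the Vault HTTP API; `opener` lets a test substitute a fake transport."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    send = opener or (lambda r: urllib.request.urlopen(r, timeout=10).read())
    return json.loads(send(req))


def initialize(shares=1, threshold=1, opener=None):
    """POST sys/init with the same body as the curl call above. The reply carries the unseal
    key shares and the initial root token: store it like the downloaded JSON, never in a log."""
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    return http_json("POST", "sys/init",
                     {"secret_shares": shares, "secret_threshold": threshold}, opener=opener)


def unseal(keys_base64, opener=None):
    """Submit key shares one per POST to sys/unseal and stop as soon as Vault reports
    sealed=false. Returns how many shares were needed."""
    for used, key in enumerate(keys_base64, start=1):
        status = http_json("POST", "sys/unseal", {"key": key}, opener=opener)
        if not status.get("sealed", True):
            return used
    raise RuntimeError("Vault is still sealed after all provided key shares")


def seal_status(opener=None):
    """GET sys/seal-status: unauthenticated, returns the initialized and sealed flags."""
    return http_json("GET", "sys/seal-status", opener=opener)


class FakeVault:
    """Constructed stand-in for a Vault server so the flow runs offline: it hands out
    constructed shares and unseals once `threshold` distinct shares have been submitted."""

    def __init__(self, shares=3, threshold=2):
        self.shares = [f"constructed-share-{i}" for i in range(1, shares + 1)]
        self.threshold = threshold
        self.initialized = False
        self.submitted = set()

    def __call__(self, req):
        path = req.full_url.split("/v1/", 1)[1]
        body = json.loads(req.data) if req.data else {}
        if path == "sys/init" and req.get_method() == "POST":
            self.initialized = True
            return json.dumps({"keys_base64": self.shares[: body["secret_shares"]],
                               "root_token": "hvs.CONSTRUCTED"}).encode()
        if path == "sys/unseal":
            if body["key"] not in self.shares:
                raise ValueError("invalid unseal key")
            self.submitted.add(body["key"])
            sealed = len(self.submitted) < self.threshold
            return json.dumps({"sealed": sealed, "t": self.threshold,
                               "progress": len(self.submitted)}).encode()
        if path == "sys/seal-status":
            return json.dumps({"initialized": self.initialized,
                               "sealed": len(self.submitted) < self.threshold}).encode()
        raise FileNotFoundError(path)


def bootstrap(shares=3, threshold=2, opener=None):
    """Initialize, unseal with exactly `threshold` of the shares, then confirm the status."""
    init = initialize(shares, threshold, opener=opener)
    used = unseal(init["keys_base64"][:threshold], opener=opener)
    status = seal_status(opener=opener)
    return {"shares_used": used, "sealed": status["sealed"], "initialized": status["initialized"]}


if __name__ == "__main__":
    print(bootstrap(3, 2, opener=FakeVault(3, 2)))  # drop opener= to talk to a real server
```

Against a real server, leave out the opener argument; the shares then come back from Vault and should be split among separate holders rather than kept in one file, which is the point of choosing a threshold below the number of shares.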
Database secrets engine - MySQL
Supported plugins
- mysql-database-plugin
- mysql-aurora-database-plugin
- mysql-rds-database-plugin
- mysql-legacy-database-plugin
Enable the database secrets engine
/ # export VAULT_ADDR='http://127.0.0.1:8200'
/ # export VAULT_TOKEN="hvs.4LhxBdPNxOfgrmL7kFHUBBrx"
/ # vault secrets enable database
Create the connection
vault write database/config/nextcloud \
plugin_name=mysql-database-plugin \
connection_url="{{username}}:{{password}}@tcp(docker-mysql:3306)/nextcloud?charset=utf8mb4&parseTime=True&loc=Local&timeout=10ms" \
root_rotation_statements="SET PASSWORD = PASSWORD('{{password}}')" \
allowed_roles="role1,role2" \
username="nextcloud" \
password="nextcloud123"
Note that timeout=10ms in the DSN is a 10 millisecond dial timeout; a value such as 10s is more realistic unless MySQL runs on the same host.
Create a static role
vault write database/static-roles/role1 \
db_name=nextcloud \
username="nextcloud" \
rotation_period=86400
Use a dedicated database user for a static role. Here it targets nextcloud, the same user the connection above logs in with, so the first rotation changes the password Vault itself connects with while the stored connection password is not updated. The connection user is rotated separately via root_rotation_statements (vault write -f database/rotate-root/nextcloud).
Create a dynamic role
vault write database/roles/role2 \
db_name=nextcloud \
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
revocation_statements="DROP USER '{{name}}'@'%';" \
default_ttl="1h" \
max_ttl="24h"
Read credentials for the dynamic role (a new username/password pair is generated on every read)
/ # vault read database/creds/role2
Key                Value
---                -----
lease_id           database/creds/role2/eOpeXLZy6aOqUehZgVKBQjsT
lease_duration     1h
lease_renewable    true
password           XcCWxTi-Vs9NM-uxkh33
username           v-root-role2-dv19zfatqakhQ8NaPJD
Static role passwords can only be viewed through the UI.
Authentication method - AppRole
https://developer.hashicorp.com/vault/docs/auth/approle
Log in (obtain a token) with the role_id and secret_id produced by the steps below:
vault write auth/approle/login \
role_id=bb871d16-adcb-257b-9599-513f8610eb62 \
secret_id=37f8814f-8863-0139-48e5-01a9bd57ca0a
Enable the AppRole auth method
/ # export VAULT_ADDR='http://127.0.0.1:8200'
/ # export VAULT_TOKEN="hvs.4LhxBdPNxOfgrmL7kFHUBBrx"
/ # vault auth enable approle
Create the role
vault write auth/approle/role/my-role \
policies=my-role \
secret_id_ttl=10m \
token_num_uses=0 \
token_ttl=20m \
token_max_ttl=30m \
secret_id_num_uses=0
Create the policy
vault policy write my-role - <<EOF
path "secret/config" {
capabilities = ["read"]
}
path "auth/*" {
capabilities = ["create", "list", "read", "update"]
}
path "identity/*" {
capabilities = ["create", "list", "read", "update"]
}
path "sys/mounts/*" {
capabilities = ["create", "list", "read", "update"]
}
path "kv/*" {
capabilities = ["create", "list", "read", "update"]
}
EOF
For a real application this policy is far broader than the single read on secret/config it needs: with create/update on auth/*, identity/* and sys/mounts/*, whoever holds the token can change auth methods, identity entities and mounts. Trim it to the paths the app actually reads, for example secret/config and database/creds/role2.
Get the role-id
vault read auth/approle/role/my-role/role-id
Get the secret-id
vault write -f auth/approle/role/my-role/secret-id
Note: the Secret ID is a value that must be protected. Do not bake it into the application; with the trusted-orchestrator pattern (https://learn.hashicorp.com/tutorials/vault/secure-introduction?in=vault/app-integration#trusted-orchestrator) the orchestrator gives the app a short-lived, single-use response-wrapping token (https://developer.hashicorp.com/vault/docs/concepts/response-wrapping) and the app unwraps it to obtain the secret_id.
Read more at: https://learn.hashicorp.com/tutorials/vault/approle-best-practices?in=vault/auth-methods#secretid-delivery-best-practices
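The AppRole login, the dynamic-credential read and the wrapped secret-id delivery just described, as one Python flow an application would run. This is an added example and not code from the original post: the app receives a single-use response-wrapping token from the orchestrator, unwraps it at sys/wrapping/unwrap to obtain the secret_id, logs in at auth/approle/login, reads database/creds/role2 and renews the lease at sys/leases/renew. FakeVault is a constructed stand-in (every token and id in it is made up) so the flow runs offline and also shows the two failures the pattern is meant to surface: a wrapping token that has already been consumed, and a login with a wrong role_id. VAULT_ADDR and the renewal increment are assumptions.

```python
import json
import urllib.error
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # the address used in the CLI examples above


def http_json(method, path, body=None, token=None, opener=None):
    """One JSON call to the Vault HTTP API; `opener` lets a test substitute a fake transport.
    Vault answers 400/403 for a used wrapping token or a bad login; map both to PermissionError."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    send = opener or (lambda r: urllib.request.urlopen(r, timeout=10).read())
    try:
        return json.loads(send(req))
    except urllib.error.HTTPError as err:
        if err.code in (400, 403):
            raise PermissionError(f"{path}: HTTP {err.code}") from err
        raise


def unwrap_secret_id(wrapping_token, opener=None):
    """The orchestrator hands the app a single-use wrapping token instead of the secret_id.
    Unwrapping uses that token as X-Vault-Token; failure means it was already consumed,
    i.e. someone else saw the secret_id before the app did."""
    resp = http_json("POST", "sys/wrapping/unwrap", token=wrapping_token, opener=opener)
    return resp["data"]["secret_id"]


def approle_login(role_id, secret_id, opener=None):
    """Same call as `vault write auth/approle/login role_id=... secret_id=...`."""
    resp = http_json("POST", "auth/approle/login",
                     {"role_id": role_id, "secret_id": secret_id}, opener=opener)
    return resp["auth"]["client_token"], resp["auth"]["lease_duration"]


def read_dynamic_creds(token, db_role, opener=None):
    """Same call as `vault read database/creds/<role>`: a fresh user/password plus its lease."""
    resp = http_json("GET", f"database/creds/{db_role}", token=token, opener=opener)
    return {"lease_id": resp["lease_id"], "ttl": resp["lease_duration"], **resp["data"]}


def renew_lease(token, lease_id, increment, opener=None):
    """Renew the credential lease before default_ttl runs out (capped by the role's max_ttl)."""
    resp = http_json("PUT", "sys/leases/renew",
                     {"lease_id": lease_id, "increment": increment}, token=token, opener=opener)
    return resp["lease_duration"]


def fetch_app_db_credentials(role_id, wrapping_token, db_role, opener=None):
    """Whole flow: unwrap secret_id -> AppRole login -> read dynamic creds -> renew once."""
    secret_id = unwrap_secret_id(wrapping_token, opener)
    token, _ = approle_login(role_id, secret_id, opener)
    creds = read_dynamic_creds(token, db_role, opener)
    creds["renewed_ttl"] = renew_lease(token, creds["lease_id"], 1800, opener)  # assumed increment
    return creds


class FakeVault:
    """Constructed stand-in for a Vault server so the flow runs offline. All ids and tokens
    are made up; it enforces the single-use wrapping token and the client-token check."""
    WRAP = "hvs.WRAP-CONSTRUCTED"
    ROLE_ID = "rid-constructed"
    SECRET_ID = "sid-constructed"
    CLIENT = "hvs.CLIENT-CONSTRUCTED"

    def __init__(self):
        self.unwrapped = False

    def __call__(self, req):
        path = req.full_url.split("/v1/", 1)[1]
        token = {k.lower(): v for k, v in req.header_items()}.get("x-vault-token")
        body = json.loads(req.data) if req.data else {}
        if path == "sys/wrapping/unwrap":
            if token != self.WRAP or self.unwrapped:
                raise PermissionError("wrapping token invalid or already used")
            self.unwrapped = True
            return json.dumps({"data": {"secret_id": self.SECRET_ID}}).encode()
        if path == "auth/approle/login":
            if body != {"role_id": self.ROLE_ID, "secret_id": self.SECRET_ID}:
                raise PermissionError("bad role_id or secret_id")
            return json.dumps({"auth": {"client_token": self.CLIENT, "lease_duration": 1200}}).encode()
        if token != self.CLIENT:
            raise PermissionError("missing or wrong client token")
        if path == "database/creds/role2":
            return json.dumps({"lease_id": "database/creds/role2/CONSTRUCTED", "lease_duration": 3600,
                               "data": {"username": "v-approle-role2-constructed",
                                        "password": "constructed-password"}}).encode()
        if path == "sys/leases/renew":
            return json.dumps({"lease_id": body["lease_id"],
                               "lease_duration": min(body["increment"], 3600)}).encode()
        raise FileNotFoundError(path)


if __name__ == "__main__":
    creds = fetch_app_db_credentials(FakeVault.ROLE_ID, FakeVault.WRAP, "role2", opener=FakeVault())
    print(creds["username"], creds["lease_id"])  # password deliberately not printed
```

Against a real server, drop the opener argument and pass the role_id from your deployment and the wrapping token the orchestrator delivered; a PermissionError from the unwrap step is the signal that the wrapped secret_id was intercepted and the secret_id should be treated as compromised.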