使用 Vault 管理数据库凭据和实现 AppRole 身份验证

编辑于 2024-01-18 20:17:06 阅读 1635

Vault 是一个开源工具,可以安全地存储和管理敏感数据,例如密码、API 密钥和证书。它使用强加密来保护数据,并提供多种身份验证方法来控制对数据的访问。Vault 可以部署在本地或云中,并可以通过 CLI、API 或 UI 进行管理。

本文将介绍 Vault 的初始化、数据库密钥引擎和身份验证方法。我们将首先介绍如何使用 UI、CLI 或 REST API 初始化 Vault。然后,我们将介绍如何使用 Vault 的数据库密钥引擎来管理数据库凭据。最后,我们将介绍如何使用 AppRole 身份验证方法来保护 Vault 中的数据。

初始化

{
  "keys": [
    "cf145f5edb6f2dfff30d30ddc0f29f44eec2dee436b8850223df36345660bfe5"
  ],
  "keys_base64": [
    "zxRfXttvLf/zDTDdwPKfRO7C3uQ2uIUCI982NFZgv+U="
  ],
  "root_token": "hvs.PGd4sn4vh80aQIMA9R6CvOwe"
}

共有以下3种方式

UI界面的方式

访问https://vault.uqiantu.com按照提示操作,最后保存json文件即可

CLI的方式

/ # export VAULT_ADDR='http://127.0.0.1:8200'
/ # vault operator init -key-shares=1 -key-threshold=1
Unseal Key 1: A15zzLWHW18dXEGp3fEW9qUcoOmcjjInXESlS4RAB4w=

Initial Root Token: hvs.F98rg41VGnQFrqIggEjRxXfF

解封
/ # vault operator unseal A15zzLWHW18dXEGp3fEW9qUcoOmcjjInXESlS4RAB4w=

环境变量VAULT_TOKEN和vault login二选一
/ # export VAULT_TOKEN="hvs.F98rg41VGnQFrqIggEjRxXfF"
/ # vault login <initial-root-token>

/ # vault secrets enable -path=kv2 kv
/ # vault kv put -mount=kv2 hello foo=world

REST API 的方式

https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-apis

初始化

curl \
    --request POST \
    --data '{"secret_shares": 1, "secret_threshold": 1}' \
    http://127.0.0.1:8200/v1/sys/init | jq

解封

curl \
    --request POST \
    --data '{"key": "{{keys_base64}}"}' \
    http://127.0.0.1:8200/v1/sys/unseal | jq

启用kv引擎

curl -X POST -H "X-Vault-Token: <root-token>" -d '{"type": "kv", "options": {"path": "kv2"}}' http://127.0.0.1:8200/v1/sys/mounts/kv2

写一条数据

curl -X POST -H "X-Vault-Token: <root-token>" -d '{"data": {"foo": "world"}}' http://127.0.0.1:8200/v1/kv2/hello

验证初始化状态

curl https://vault.uqiantu.com/v1/sys/init

数据库密钥引擎 - Mysql

https://developer.hashicorp.com/vault/docs/secrets/databases/mysql-maria#authenticating-to-cloud-dbs-via-iam

支持的插件

  • mysql-database-plugin
  • mysql-aurora-database-plugin
  • mysql-rds-database-plugin
  • mysql-legacy-database-plugin

启用数据库密钥引擎

/ # export VAULT_ADDR='http://127.0.0.1:8200'
/ # export VAULT_TOKEN="hvs.4LhxBdPNxOfgrmL7kFHUBBrx"
/ # vault secrets enable database

创建连接

vault write database/config/nextcloud \
    plugin_name=mysql-database-plugin \
    connection_url="{{username}}:{{password}}@tcp(docker-mysql:3306)/nextcloud?charset=utf8mb4&parseTime=True&loc=Local&timeout=10ms" \
    root_rotation_statements="SET PASSWORD = PASSWORD('{{password}}')" \
    allowed_roles="role1,role2" \
    username="nextcloud" \
    password="nextcloud123"

创建静态角色

vault write database/static-roles/role1 \
    db_name=nextcloud \
    username="nextcloud" \
    rotation_period=86400

创建动态角色

vault write database/roles/role2 \
   db_name=nextcloud \
   creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
   revocation_statements="DROP USER '{{name}}'@'%';" \
   default_ttl="1h" \
   max_ttl="24h"

动态角色查看密码(每次都会生成一对新的)

/ # vault read database/creds/role2
Key                Value
---                -----
lease_id           database/creds/role2/eOpeXLZy6aOqUehZgVKBQjsT
lease_duration     1h
lease_renewable    true
password           XcCWxTi-Vs9NM-uxkh33
username           v-root-role2-dv19zfatqakhQ8NaPJD

静态角色的密码只能通过UI界面查看了

身份验证方法 - AppRole

https://developer.hashicorp.com/vault/docs/auth/approle

登录(获取token)

vault write auth/approle/login \
  role_id=bb871d16-adcb-257b-9599-513f8610eb62 \
  secret_id=37f8814f-8863-0139-48e5-01a9bd57ca0a

启用身份验证方法 - AppRole

/ # export VAULT_ADDR='http://127.0.0.1:8200'
/ # export VAULT_TOKEN="hvs.4LhxBdPNxOfgrmL7kFHUBBrx"
/ # vault auth enable approle

创建角色

vault write auth/approle/role/my-role \
    policies=my-role \
    secret_id_ttl=10m \
    token_num_uses=0 \
    token_ttl=20m \
    token_max_ttl=30m \
    secret_id_num_uses=0

创建策略

vault policy write my-role - <<EOF
path "secret/config" {
    capabilities = ["read"]
}

path "auth/*" {
    capabilities = ["create", "list", "read", "update"]
}
path "identity/*" {
    capabilities = ["create", "list", "read", "update"]
}

path "sys/mounts/*" {
    capabilities = ["create", "list", "read", "update"]
}

path "kv/*" {
    capabilities = ["create", "list", "read", "update"]
}
EOF

获取role-id

vault read auth/approle/role/my-role/role-id

获取secret-id

vault write -f auth/approle/role/my-role/secret-id

注意:Secret ID是一个需要被保护的值

(https://learn.hashicorp.com/tutorials/vault/secure-introduction?in=vault/app-integration#trusted-orchestrator)
// give the app access to a short-lived response-wrapping token (https://developer.hashicorp.com/vault/docs/concepts/response-wrapping).
// Read more at: https://learn.hashicorp.com/tutorials/vault/approle-best-practices?in=vault/auth-methods#secretid-delivery-best-practices

广而告之,我的新作品《语音助手》上架Google Play了,欢迎下载体验