HashiCorp Vault 入門練習

Vault, 保險庫

§ 引言

已紅了幾年的秘密保險庫機制。 好奇的試用看看。

此份文件只有入門的安裝與 CLI 操作。正式的應用可以透過 Web API 或相應的 client 函式庫。 正式的應用此文件不能滿足。

What kind of data do we store in the Vault? Secrets: Anything you want to control access to. example: API Keys, Passwords, Certificates and more.

§ 關鍵知識

HashiCorp Vault(簡稱 Vault) 在零信任安全模型中扮演著關鍵角色，它專注於身份驗證和細粒度的授權控制，這些都是零信任的核心原則。

Vault 提供四種版本：開源版(Open Source Vault)、企業版(Enterprise Vault)、HCP Vault (HashiCorp Cloud Platform Vault)、HCP Vault Secrets。

免費版功能比較經典(少)；有提供 Windows,Linux,Docker版本。 其中 Windows 版只適用開發環境。 Linux, Docker 版有開發與正式都有，不過 image 名稱可能不同安裝時需先弄清楚。

Vault 安全性的保證最終依賴的仍是憑證(非對稱式加密)與嚴謹的SOP。

部署要件

• Vault 必需部署在網域的內層網域。

• 必需支援 TLS 通訊協定。

• 必需部署成 HA (high availability) 特性。

• 其他基本的安全性要求如防火牆等等通通要有。

秘密(secrets)存取

• 也可透過 Web API 存得 secrets 當然要先拿到授權。

§ 練習環境

• windows 11 console

• HashiCort Vault 1.19.0 版

注意: Windows 版的只能用於本地開發，無法安裝成正式的對外服務。

正式可對外服務的版本只在 linux 或 docker 才支援。Orz

§ 參考資料

官網

Vault | HashiCorp DeveloperVault | HashiCorp Developer

入門練習與基本操作

---

§ Vault 資料結構

用指令查看 Vault 服務，可以看到它的資料分成四大類。

已知 『秘密』 都放在 secret/ 的秘密路徑下。

>vault secrets list
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_f4a704c2    per-token private secret storage
identity/     identity     identity_3977060a     identity store
secret/       kv           kv_e41b9772           key/value secret storage
sys/          system       system_8c9fff15       system endpoints used for control, policy and debugging

所有秘密都經由 Secret Path 存取。

定義大致如下: secret/<your_secret_group>/<your_secret_tareget>

例： secret/myAwesomeApp/creds

§ 環境參數

PowerShell:
> $env:VAULT_ADDR="http://127.0.0.1:8200"
cmd.exe:
> set VAULT_ADDR=http://127.0.0.1:8200
linux/docker
> export VAULT_ADDR='http://127.0.0.1:8200'
> export VAULT_TOKEN='***...***'

Unseal Key: ......
Root Token: ......

§ 常用指令(CURD) - 使用 CLI

> vault version
> vault server -help
> vault server -dev   # 開發模式。勿用在正式環境。
> vault status        # 查看服務狀態，
> vault secrets list  # 查看秘密清冊
> vault kv -help
> vault kv get -mount=secret hello
> vault kv put secret/mydata key1=value1 key2=value2
> vault kv patch secret/mydata key2=new_value2 key3=value3
> vault kv rollback -version=2 secret/mydata  # 退回第2版
> vault kv delete secret/mydata               # 刪除最後一版
> vault kv list secret         # 列出 secret 秘密清單
> vault kv list secret/mydata  # 列出 secret/mydata 秘密清單

§ 練習紀錄

開啟 console 建立開發/練習用服數

> vault version     # 查看版本
> vault server -dev # 開發模式。用於練習勿用於正式環境。
→ 建立 vault 服務 http://127.0.0.1:8200

當 Vault 服務成功建立後也有相應的網站http://127.0.0.1:8200/ui/vault/auth?with=token

開啟另一 console 練習 CRUD

> set VAULT_ADDR=http://127.0.0.1:8200  # 需設定環境參數
> vault status      # 查看服務狀態 
...進行『秘密』的 CRUD 操作...

---

紀錄練習下報指令歷程

>vault version
>set VAULT_ADDR=http://127.0.0.1:8200
>vault status
>vault secrets list
>vault kv put -mount=secret myAwesomeApp/creds dbid=admin dbpwd=foo
>vault kv get -mount=secret myAwesomeApp/creds
>vault kv get secret/myAwesomeApp/creds
>vault kv patch secret/myAwesomeApp/creds dbpwd=new_value
>vault kv get secret/myAwesomeApp/creds
>vault kv rollback -help
>vault kv rollback -version=1 secret/myAwesomeApp/creds
>vault kv get secret/myAwesomeApp/creds
>vault kv list -mount=secret
>vault kv list secret
>vault kv list secret/myAwesomeApp
>vault kv delete secret/myAwesomeApp/creds
>vault kv get secret/myAwesomeApp/creds
>vault kv get -version=1 secret/myAwesomeApp/creds
>vault kv get -version=2 secret/myAwesomeApp/creds
>vault kv rollback -version=1 secret/myAwesomeApp/creds
>vault kv get secret/myAwesomeApp/creds

紀錄練習執行歷程(排程失敗部份)

PS C:\WINDOWS\system32> cmd
>cd vault_1.19.0_windows_386

>vault version
Vault v1.19.0 (7eeafb6160d60ede73c1d95566b0c8ea54f3cb5a), built 2025-03-04T12:36:40Z

>set VAULT_ADDR=http://127.0.0.1:8200

>vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.19.0
Build Date      2025-03-04T12:36:40Z
Storage Type    inmem
Cluster Name    vault-cluster-93c90aa1
Cluster ID      046d365e-50ef-1231-7bde-2f217ed8432d
HA Enabled      false

>vault secrets list
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_f4a704c2    per-token private secret storage
identity/     identity     identity_3977060a     identity store
secret/       kv           kv_e41b9772           key/value secret storage
sys/          system       system_8c9fff15       system endpoints used for control, policy and debugging

>vault kv put -mount=secret myAwesomeApp/creds dbid=admin dbpwd=foo
========= Secret Path =========
secret/data/myAwesomeApp/creds

======= Metadata =======
Key                Value
---                -----
created_time       2025-03-21T02:33:30.0039067Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1


>vault kv get -mount=secret myAwesomeApp/creds
========= Secret Path =========
secret/data/myAwesomeApp/creds
======= Metadata =======
Key                Value
---                -----
created_time       2025-03-21T02:33:30.0039067Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

==== Data ====
Key      Value
---      -----
dbid     admin
dbpwd    foo

>vault kv get secret/myAwesomeApp/creds
========= Secret Path =========
secret/data/myAwesomeApp/creds

======= Metadata =======
Key                Value
---                -----
created_time       2025-03-21T02:33:30.0039067Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

==== Data ====
Key      Value
---      -----
dbid     admin
dbpwd    foo

>vault kv patch secret/myAwesomeApp/creds dbpwd=new_value
========= Secret Path =========
secret/data/myAwesomeApp/creds

======= Metadata =======
Key                Value
---                -----
created_time       2025-03-21T02:37:00.2761799Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

>vault kv get secret/myAwesomeApp/creds
========= Secret Path =========
secret/data/myAwesomeApp/creds

======= Metadata =======
Key                Value
---                -----
created_time       2025-03-21T02:37:00.2761799Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

==== Data ====
Key      Value
---      -----
dbid     admin
dbpwd    new_value

>vault kv rollback -help

>vault kv rollback -version=1 secret/myAwesomeApp/creds
Key                Value
---                -----
created_time       2025-03-21T02:59:03.1017706Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            3

>vault kv get secret/myAwesomeApp/creds
========= Secret Path =========
secret/data/myAwesomeApp/creds

======= Metadata =======
Key                Value
---                -----
created_time       2025-03-21T02:59:03.1017706Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            3

==== Data ====
Key      Value
---      -----
dbid     admin
dbpwd    foo

>vault kv list -mount=secret
Keys
----
myAwesomeApp/

>vault kv list secret
Keys
----
myAwesomeApp/

>vault kv list secret/myAwesomeApp
Keys
----
creds

>vault kv delete secret/myAwesomeApp/creds
Success! Data deleted (if it existed) at: secret/data/myAwesomeApp/creds

>vault kv get secret/myAwesomeApp/creds
========= Secret Path =========
secret/data/myAwesomeApp/creds

======= Metadata =======
Key                Value
---                -----
created_time       2025-03-21T02:59:03.1017706Z
custom_metadata    <nil>
deletion_time      2025-03-21T03:08:54.9130538Z
destroyed          false
version            3

>vault kv get -version=1 secret/myAwesomeApp/creds
========= Secret Path =========
secret/data/myAwesomeApp/creds

======= Metadata =======
Key                Value
---                -----
created_time       2025-03-21T02:33:30.0039067Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

==== Data ====
Key      Value
---      -----
dbid     admin
dbpwd    foo

>vault kv get -version=2 secret/myAwesomeApp/creds
========= Secret Path =========
secret/data/myAwesomeApp/creds

======= Metadata =======
Key                Value
---                -----
created_time       2025-03-21T02:37:00.2761799Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

==== Data ====
Key      Value
---      -----
dbid     admin
dbpwd    new_value

>vault kv rollback -version=1 secret/myAwesomeApp/creds
Key                Value
---                -----
created_time       2025-03-21T03:11:07.5823163Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            4

>vault kv get secret/myAwesomeApp/creds
========= Secret Path =========
secret/data/myAwesomeApp/creds

======= Metadata =======
Key                Value
---                -----
created_time       2025-03-21T03:11:07.5823163Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            4

==== Data ====
Key      Value
---      -----
dbid     admin
dbpwd    foo

(EOF)