HashiCorp Vault: getting-started practice
Vault, a strongbox for secrets
§ Introduction
The "secrets vault" mechanism has been popular for a few years now; out of curiosity, I tried it out.
This document covers only the basic installation and CLI operations. A real application would use the Web API or one of the corresponding client libraries; this document does not cover that.
What kind of data do we store in the Vault? Secrets: anything you want to control access to, for example API keys, passwords, certificates and more.
§ Key points
HashiCorp Vault (Vault for short) plays a key role in a zero-trust security model: it focuses on authentication and fine-grained authorization, both core zero-trust principles.
Vault comes in four editions: open source (Open Source Vault), Enterprise Vault, HCP Vault (HashiCorp Cloud Platform Vault) and HCP Vault Secrets.
The free edition has the classic (smaller) feature set. Builds exist for Windows, Linux and Docker. The Windows build is suitable only for a development environment; the Linux and Docker builds cover both development and production, but the image names may differ, so check before installing.
Vault's security guarantees ultimately rest on certificates (asymmetric cryptography, i.e. TLS on every connection) and on rigorous operating procedures (SOPs) for initialisation, unsealing and token handling.
Deployment requirements
Vault must be deployed on an internal network segment, never exposed directly to the Internet.
TLS must be enabled for all communication.
It must be deployed as HA (high availability).
All other basic security controls, such as firewalls, must also be in place.
Accessing secrets
Secrets can also be retrieved through the Web API; authorization must be obtained first, i.e. a valid token whose policy grants access to that path.
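As an added example (not from this page and not HashiCorp's own reference config), a minimal server configuration that meets the three requirements above: TLS on the listener, replicated (HA-capable) storage, and addresses on an internal network. The hostnames, file paths and node names are assumptions. The insecure settings that `vault server -dev` is effectively running are shown as comments at the end for contrast; they must never be deployed.

```hcl
# /etc/vault.d/vault.hcl (added example; hostnames and paths are assumptions)
ui           = true
cluster_name = "vault-prod"
api_addr     = "https://vault-1.internal.example:8200"   # internal name, never a public one
cluster_addr = "https://vault-1.internal.example:8201"

# Requirement: TLS. Clients and cluster peers only ever see HTTPS.
listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_cert_file   = "/etc/vault.d/tls/vault.crt"
  tls_key_file    = "/etc/vault.d/tls/vault.key"
  tls_min_version = "tls12"
}

# Requirement: HA. Integrated (raft) storage replicates data across nodes so the
# cluster keeps serving when one node is down. node_id must differ per node.
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"
  retry_join {
    leader_api_addr = "https://vault-2.internal.example:8200"
  }
  retry_join {
    leader_api_addr = "https://vault-3.internal.example:8200"
  }
}

# With raft storage HashiCorp recommends disabling mlock; disable swap on the host instead.
disable_mlock = true

# What `vault server -dev` amounts to (DO NOT deploy), matching the
# "Storage Type inmem / HA Enabled false" seen in `vault status` later on:
#   storage "inmem" {}                 -> data is lost on restart, no HA
#   listener "tcp" {
#     address     = "127.0.0.1:8200"
#     tls_disable = 1                  -> tokens and secrets cross the wire in clear text
#   }
```

Every node in the cluster gets the same file apart from `node_id`, `api_addr` and `cluster_addr`; firewall rules should admit 8200 from clients and 8201 only between Vault nodes.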
§ Practice environment
Windows 11 console
HashiCorp Vault 1.19.0
Note: the Windows build is only for local development; it cannot be installed as a production, externally facing service.
Production-ready, externally facing deployments are only supported on Linux or Docker. Orz
§ References
Official site
Getting-started tutorial and basic operations
§ Vault data structure
Listing the secrets engines shows that the service's data falls into four categories.
"Secrets" are known to live under the secret/ path.
>vault secrets list
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_f4a704c2    per-token private secret storage
identity/     identity     identity_3977060a     identity store
secret/       kv           kv_e41b9772           key/value secret storage
sys/          system       system_8c9fff15       system endpoints used for control, policy and debugging
All secrets are accessed via a Secret Path.
The general form is: secret/<your_secret_group>/<your_secret_target>
Example:
secret/myAwesomeApp/creds
Note that secret/ is a KV version 2 engine (type kv, versioned). The CLI path secret/myAwesomeApp/creds is therefore stored at the API path secret/data/myAwesomeApp/creds, which is the "Secret Path" the CLI prints in the transcript below; the version history and metadata for the same secret live under secret/metadata/myAwesomeApp/creds.
§ Environment variables
PowerShell:
> $env:VAULT_ADDR="http://127.0.0.1:8200"
cmd.exe:
> set VAULT_ADDR=http://127.0.0.1:8200
linux/docker:
> export VAULT_ADDR='http://127.0.0.1:8200'
> export VAULT_TOKEN='***...***'
The http:// address is acceptable only for the local dev server; a real deployment uses https:// per the requirements above. VAULT_TOKEN takes the Root Token that `vault server -dev` prints at startup alongside the single Unseal Key (dev mode also caches that token in the CLI's token file, ~/.vault-token, on the same machine, which is why the practice session below works without setting it). Both values are printed in plain text: never paste them into scripts or commit them.
Unseal Key: ......
Root Token: ......
§ Common commands (CRUD) using the CLI
> vault version
> vault server -help
> vault server -dev # dev mode; never use in production
> vault status # show service status
> vault secrets list # list the mounted secrets engines
> vault kv -help
> vault kv get -mount=secret hello # -mount=secret is the same as the secret/ prefix used below
> vault kv put secret/mydata key1=value1 key2=value2 # creates version 1 (or a new version if the secret exists)
> vault kv patch secret/mydata key2=new_value2 key3=value3 # merges the given keys into the latest data and writes a new version
> vault kv rollback -version=2 secret/mydata # restore version 2's data, written as a new version
> vault kv delete secret/mydata # soft-delete the latest version only; older versions and metadata remain (see kv undelete / kv destroy)
> vault kv list secret # list keys under secret/
> vault kv list secret/mydata # list keys under secret/mydata
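The same CRUD operations over the HTTP API, for the "real application" case the introduction mentions. This is an added example (not code from the page or from HashiCorp) using only the standard library. It assumes VAULT_ADDR and VAULT_TOKEN are set as in the environment section and that a KV v2 engine is mounted at secret/, which is what `vault server -dev` provides; the class name `KV2` and the function names are this example's own. It also shows two things the CLI hides: a soft-deleted version comes back as HTTP 404 with metadata but no data, and `kv rollback` is really a read of the old version followed by a check-and-set write of a new one.

```python
"""KV v2 CRUD over Vault's HTTP API (added example; stdlib only)."""
import json
import os
import urllib.error
import urllib.request


def kv2_paths(mount: str, secret: str) -> dict:
    """KV v2 inserts a segment between the mount and the secret name:
    `vault kv get secret/myAwesomeApp/creds` reads secret/data/myAwesomeApp/creds."""
    mount, secret = mount.strip("/"), secret.strip("/")
    return {
        "data": f"{mount}/data/{secret}",          # read / write / PATCH versions
        "metadata": f"{mount}/metadata/{secret}",  # version list, custom_metadata
        "delete": f"{mount}/delete/{secret}",      # soft-delete chosen versions
        "undelete": f"{mount}/undelete/{secret}",  # reverse a soft delete
        "destroy": f"{mount}/destroy/{secret}",    # permanently wipe versions
    }


def build_request(addr, token, method, path, body=None,
                  content_type="application/json"):
    """Authenticated request for /v1/<path>; the token travels in X-Vault-Token."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"{addr.rstrip('/')}/v1/{path}", data=data, method=method)
    req.add_header("X-Vault-Token", token)
    if data is not None:
        req.add_header("Content-Type", content_type)
    return req


def send(req):
    """Return the JSON body. A 404 is not always 'missing': reading a soft-deleted
    version yields 404 with metadata and no data, exactly what `vault kv get` prints."""
    try:
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        if err.code != 404:
            raise
        body = err.read()
    return json.loads(body) if body else {}


def parse_kv2_get(payload: dict):
    """(data, version, deleted) from a data-path read; (None, None, False) if absent."""
    if "data" not in payload:
        return None, None, False
    meta = payload["data"]["metadata"]
    deleted = bool(meta.get("deletion_time")) or bool(meta.get("destroyed"))
    return payload["data"].get("data"), meta["version"], deleted


class KV2:
    def __init__(self, addr, token, mount="secret"):
        self.addr, self.token, self.mount = addr, token, mount

    def _p(self, secret):
        return kv2_paths(self.mount, secret)

    def put(self, secret, data, cas=None):                      # vault kv put
        body = {"data": data}
        if cas is not None:                                     # refuse the write if the version moved
            body["options"] = {"cas": cas}
        return send(build_request(self.addr, self.token, "POST", self._p(secret)["data"], body))

    def get(self, secret, version=None):                        # vault kv get [-version=N]
        path = self._p(secret)["data"] + (f"?version={version}" if version else "")
        return parse_kv2_get(send(build_request(self.addr, self.token, "GET", path)))

    def patch(self, secret, data):                              # vault kv patch (merge -> new version)
        return send(build_request(self.addr, self.token, "PATCH", self._p(secret)["data"],
                                  {"data": data}, "application/merge-patch+json"))

    def delete_latest(self, secret):                            # vault kv delete (soft)
        return send(build_request(self.addr, self.token, "DELETE", self._p(secret)["data"]))

    def rollback(self, secret, version):                        # vault kv rollback -version=N
        # There is no rollback endpoint: read the old version, write it back as a NEW
        # version with CAS on the current one. That is why the transcript shows v3, then v4.
        old, _, deleted = self.get(secret, version)
        if old is None or deleted:
            raise ValueError(f"version {version} is missing or deleted")
        _, current, _ = self.get(secret)
        return self.put(secret, old, cas=current)


if __name__ == "__main__":
    kv = KV2(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    kv.put("myAwesomeApp/creds", {"dbid": "admin", "dbpwd": "foo"})
    kv.patch("myAwesomeApp/creds", {"dbpwd": "new_value"})
    print(kv.get("myAwesomeApp/creds"))        # version 2, dbpwd=new_value
    kv.rollback("myAwesomeApp/creds", 1)
    print(kv.get("myAwesomeApp/creds"))        # version 3, dbpwd=foo
    kv.delete_latest("myAwesomeApp/creds")
    print(kv.get("myAwesomeApp/creds"))        # (None, 3, True): soft-deleted, metadata only
    print(kv.get("myAwesomeApp/creds", 1))     # version 1 is still readable
```

The `cas` option on the rollback write is the part worth copying: without it two operators rolling back at the same moment silently overwrite each other, with it the second write is rejected and has to re-read.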
§ Practice log
Open a console and start a development/practice server
> vault version # show the version
> vault server -dev # dev mode: for practice only, never for production
→ starts the Vault service at http://127.0.0.1:8200
Once the service is up, the web UI is also available at http://127.0.0.1:8200/ui/vault/auth?with=token

Open another console and practice CRUD
> set VAULT_ADDR=http://127.0.0.1:8200 # the environment variable must be set
> vault status # show service status
...perform CRUD operations on "secrets"...
Command history from the practice session
>vault version
>set VAULT_ADDR=http://127.0.0.1:8200
>vault status
>vault secrets list
>vault kv put -mount=secret myAwesomeApp/creds dbid=admin dbpwd=foo
>vault kv get -mount=secret myAwesomeApp/creds
>vault kv get secret/myAwesomeApp/creds
>vault kv patch secret/myAwesomeApp/creds dbpwd=new_value
>vault kv get secret/myAwesomeApp/creds
>vault kv rollback -help
>vault kv rollback -version=1 secret/myAwesomeApp/creds
>vault kv get secret/myAwesomeApp/creds
>vault kv list -mount=secret
>vault kv list secret
>vault kv list secret/myAwesomeApp
>vault kv delete secret/myAwesomeApp/creds
>vault kv get secret/myAwesomeApp/creds
>vault kv get -version=1 secret/myAwesomeApp/creds
>vault kv get -version=2 secret/myAwesomeApp/creds
>vault kv rollback -version=1 secret/myAwesomeApp/creds
>vault kv get secret/myAwesomeApp/creds
Execution log from the practice session (failed attempts trimmed). Note the Storage Type inmem and HA Enabled false in the status output: this is a dev server, and it fails the deployment requirements above by design.
PS C:\WINDOWS\system32> cmd
>cd vault_1.19.0_windows_386
>vault version
Vault v1.19.0 (7eeafb6160d60ede73c1d95566b0c8ea54f3cb5a), built 2025-03-04T12:36:40Z
>set VAULT_ADDR=http://127.0.0.1:8200
>vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.19.0
Build Date      2025-03-04T12:36:40Z
Storage Type    inmem
Cluster Name    vault-cluster-93c90aa1
Cluster ID      046d365e-50ef-1231-7bde-2f217ed8432d
HA Enabled      false
>vault secrets list
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_f4a704c2    per-token private secret storage
identity/     identity     identity_3977060a     identity store
secret/       kv           kv_e41b9772           key/value secret storage
sys/          system       system_8c9fff15       system endpoints used for control, policy and debugging
>vault kv put -mount=secret myAwesomeApp/creds dbid=admin dbpwd=foo
========= Secret Path =========
secret/data/myAwesomeApp/creds
======= Metadata =======
Key Value
--- -----
created_time 2025-03-21T02:33:30.0039067Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
>vault kv get -mount=secret myAwesomeApp/creds
========= Secret Path =========
secret/data/myAwesomeApp/creds
======= Metadata =======
Key Value
--- -----
created_time 2025-03-21T02:33:30.0039067Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
==== Data ====
Key Value
--- -----
dbid admin
dbpwd foo
>vault kv get secret/myAwesomeApp/creds
========= Secret Path =========
secret/data/myAwesomeApp/creds
======= Metadata =======
Key Value
--- -----
created_time 2025-03-21T02:33:30.0039067Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
==== Data ====
Key Value
--- -----
dbid admin
dbpwd foo
>vault kv patch secret/myAwesomeApp/creds dbpwd=new_value
========= Secret Path =========
secret/data/myAwesomeApp/creds
======= Metadata =======
Key Value
--- -----
created_time 2025-03-21T02:37:00.2761799Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 2
>vault kv get secret/myAwesomeApp/creds
========= Secret Path =========
secret/data/myAwesomeApp/creds
======= Metadata =======
Key Value
--- -----
created_time 2025-03-21T02:37:00.2761799Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 2
==== Data ====
Key Value
--- -----
dbid admin
dbpwd new_value
>vault kv rollback -help
>vault kv rollback -version=1 secret/myAwesomeApp/creds
Key Value
--- -----
created_time 2025-03-21T02:59:03.1017706Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 3
>vault kv get secret/myAwesomeApp/creds
========= Secret Path =========
secret/data/myAwesomeApp/creds
======= Metadata =======
Key Value
--- -----
created_time 2025-03-21T02:59:03.1017706Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 3
==== Data ====
Key Value
--- -----
dbid admin
dbpwd foo
>vault kv list -mount=secret
Keys
----
myAwesomeApp/
>vault kv list secret
Keys
----
myAwesomeApp/
>vault kv list secret/myAwesomeApp
Keys
----
creds
>vault kv delete secret/myAwesomeApp/creds
Success! Data deleted (if it existed) at: secret/data/myAwesomeApp/creds
>vault kv get secret/myAwesomeApp/creds
========= Secret Path =========
secret/data/myAwesomeApp/creds
======= Metadata =======
Key Value
--- -----
created_time 2025-03-21T02:59:03.1017706Z
custom_metadata <nil>
deletion_time 2025-03-21T03:08:54.9130538Z
destroyed false
version 3
>vault kv get -version=1 secret/myAwesomeApp/creds
========= Secret Path =========
secret/data/myAwesomeApp/creds
======= Metadata =======
Key Value
--- -----
created_time 2025-03-21T02:33:30.0039067Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
==== Data ====
Key Value
--- -----
dbid admin
dbpwd foo
>vault kv get -version=2 secret/myAwesomeApp/creds
========= Secret Path =========
secret/data/myAwesomeApp/creds
======= Metadata =======
Key Value
--- -----
created_time 2025-03-21T02:37:00.2761799Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 2
==== Data ====
Key Value
--- -----
dbid admin
dbpwd new_value
>vault kv rollback -version=1 secret/myAwesomeApp/creds
Key Value
--- -----
created_time 2025-03-21T03:11:07.5823163Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 4
>vault kv get secret/myAwesomeApp/creds
========= Secret Path =========
secret/data/myAwesomeApp/creds
======= Metadata =======
Key Value
--- -----
created_time 2025-03-21T03:11:07.5823163Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 4
==== Data ====
Key Value
--- -----
dbid admin
dbpwd foo
(EOF)