Repository for Vault demos. Vault/Consul container based on Alpine Linux.
Download the Vault client for your laptop here (or use Homebrew): https://vaultproject.io/downloads.html
This is the IP address of the Docker host including the port that the Vault server is listening on, 8200 by default. For docker-machine it would be:
VAULT_ADDR="http://192.168.99.100:8200"
This is the authentication token needed to access Vault. The root token is created upon initialization of Vault. Using the root token from the next example would look like:
VAULT_TOKEN=1845d3df-0d21-ac4a-84de-b444e7540927
$ docker-compose up
$ export VAULT_ADDR="http://$docker_host_ip:8200"
$ vault init -key-shares=1 -key-threshold=1
Key 1: ec07477efcf07a319977e45cf3d3925f36f83ccbf1a092ff5f5c1e582b5ec042
Initial Root Token: 1845d3df-0d21-ac4a-84de-b444e7540927
Vault initialized with 1 keys and a key threshold of 1. Please
securely distribute the above keys. When the Vault is re-sealed,
restarted, or stopped, you must provide at least 1 of these keys
to unseal it again.
Vault does not store the master key. Without at least 1 keys,
your Vault will remain permanently sealed.
$ vault unseal
$ export VAULT_TOKEN=$vault_root_token
$ vault write secret/foo value=bar
Success! Data written to: secret/foo
$ vault read secret/foo
Key Value
lease_duration 2592000
value bar
$ vault delete secret/foo
Success! Deleted 'secret/foo'
$ vi sample_policy.hcl
$ cat sample_policy.hcl
path "secret/app1/*" {
policy = "write"
}
path "secret/app1/passwords/*" {
policy = "deny"
}
$ vault policy-write sample sample_policy.hcl
Policy 'sample' written.
$ vault token-create -policy=sample
Key Value
token d0d56c63-bc88-2e5a-0fbe-26eec7cb5755
token_duration 2592000
token_renewable true
token_policies [sample]
$ vault write secret/app1/usernames/bob email=bob@bob.com
Success! Data written to: secret/app1/usernames/bob
$ vault read secret/app1/passwords/bob
Error reading secret/app1/passwords/bob: Error making API request.
URL: GET http://192.168.99.100:8200/v1/secret/app1/passwords/bob
Code: 403. Errors:
* permission denied
$ vault mount mysql
Successfully mounted 'mysql' at 'mysql'!
$ vault write mysql/config/connection value="root:secret@tcp(mysql:3306)/"
Success! Data written to: mysql/config/connection
$ vault write mysql/roles/select sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON *.* TO '{{name}}'@'%';"
Success! Data written to: mysql/roles/select
$ vault read mysql/creds/select
Key Value
lease_id mysql/creds/select/47ff1f5f-be45-9ddd-40da-426e92bac023
lease_duration 3600
lease_renewable true
password bc8f8fd6-d4b1-dc23-525b-fca6da5ccae3
username root-a0128255-b6
$ mysql -u root-a0128255-b6 -pbc8f8fd6-d4b1-dc23-525b-fca6da5ccae3 -h $"$docker_host_ip"
mysql> use mysql;
mysql> select User from user;
+------------------+
| User |
+------------------+
| root |
| root-a0128255-b6 |
+------------------+
2 rows in set (0.00 sec)