Last active
July 7, 2022 03:02
Revisions
voxxit revised this gist
May 21, 2015. 1 changed file with 41 additions and 7 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -18,14 +18,18 @@ Authorizing using the root token: vault auth <root token> ``` ### Dynamic AWS Credentials https://www.vaultproject.io/docs/secrets/aws/index.html ``` $ vault mount aws Successfully mounted 'aws' at 'aws'! $ vault write aws/config/root \ access_key=<aws_access_key_id> \ secret_key=<aws_secret_access_key> \ region=us-east-1 # use http://awspolicygen.s3.amazonaws.com/policygen.html to generate policies # here is an example one which provides full access to <bucket name>: @@ -58,5 +62,35 @@ vault write aws/roles/s3 name=s3 policy=- <<EOF } EOF $ vault read aws/creds/s3 Key Value lease_id aws/creds/s3/7cb8df71-782f-3de1-79dd-251778e49f58 lease_duration 3600 access_key AKIAIOMYUTSLGJOGLHTQ secret_key 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 ``` ### Dynamic MySQL Usernames/Passwords https://www.vaultproject.io/docs/secrets/mysql/index.html ``` $ vault mount mysql Successfully mounted 'mysql' at 'mysql'! $ vault write mysql/config/connection value="root:secret@tcp(mysql:3306)/" Success! Data written to: mysql/config/connection $ vault write mysql/config/lease lease=1h lease_max=24h Success! Data written to: mysql/config/lease $ vault write mysql/roles/readonly sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON *.* TO '{{name}}'@'%';" Success! Data written to: mysql/roles/readonly $ vault read mysql/creds/readonly Key Value lease_id mysql/creds/readonly/bd404e98-0f35-b378-269a-b7770ef01897 lease_duration 3600 password 132ae3ef-5a64-7499-351e-bfe59f3a2a21 username root-aefa635a-18 ``` -
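Review bot: the `vault read aws/creds/s3` and `vault read mysql/creds/readonly` outputs in this hunk paste what look like genuinely issued credentials (`access_key AKIAIOMYUTSLGJOGLHTQ`, its `secret_key`, and the MySQL `password`) into a public gist; the leases are 3600 s, but the values should still be replaced with the same `<...>` placeholders the rest of the README uses, and the IAM user and key should be confirmed gone after lease expiry. The `mysql/config/connection` value also hands Vault the `root:secret` account from docker-compose.yml; Vault needs an account that can `CREATE USER` and `GRANT`, but a dedicated admin user with only those privileges is preferable to MySQL root, and the `'{{name}}'@'%'` host wildcard in the readonly role is fine on the compose network but worth narrowing anywhere else.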
voxxit revised this gist
May 21, 2015. 1 changed file with 57 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,4 +2,61 @@ git clone https://gist.github.com/dd6f95398c1bdc9f1038.git vault cd vault docker-compose up -d export VAULT_ADDR=http://192.168.99.100:8200 ``` Initializing a vault: ``` vault init vault unseal <secret 1> vault unseal <secret 2> vault unseal <secret 3> ``` Authorizing using the root token: ``` vault auth <root token> ``` Mount AWS, and generate dynamic AWS credentials: ``` vault mount aws vault write aws/config/root \ access_key=<aws_access_key_id> \ secret_key=<aws_secret_access_key> \ region=us-east-1 # use http://awspolicygen.s3.amazonaws.com/policygen.html to generate policies # here is an example one which provides full access to <bucket name>: vault write aws/roles/s3 name=s3 policy=- <<EOF { "Statement" : [ { "Effect" : "Allow", "Action" : [ "s3:ListAllMyBuckets" ], "Resource" : "arn:aws:s3:::*" }, { "Effect" : "Allow", "Action" : [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource" : "arn:aws:s3:::<bucket name>" }, { "Effect" : "Allow", "Action" : [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource":"arn:aws:s3:::<bucket name>/*" } ] } EOF vault read aws/creds/s3 ``` -
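Review bot: the walkthrough in this hunk authenticates with the root token (`vault auth <root token>`) for every later step and never creates a scoped policy; for anything beyond a local demo, write a policy limited to the `aws/*` paths the operator needs and issue a token under it, and keep the root token and the three unseal keys printed by `vault init` out of the shell, since both `vault auth <root token>` and the `access_key=` / `secret_key=` arguments to `aws/config/root` end up in shell history. `VAULT_ADDR=http://192.168.99.100:8200` also means those tokens and the AWS keys cross the wire in cleartext, matching `tls_disable = 1` in vault.hcl; say so in the README. The IAM policy itself is a reasonable least-privilege shape: `s3:ListAllMyBuckets` on `*`, bucket listing on one bucket, and object read/write/delete only under that bucket.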
voxxit renamed this gist
May 21, 2015. 1 changed file with 0 additions and 0 deletions.
File renamed without changes.
voxxit renamed this gist
May 21, 2015. 1 changed file with 0 additions and 0 deletions.
File renamed without changes.
voxxit revised this gist
May 21, 2015. 1 changed file with 5 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1 +1,5 @@ ``` git clone https://gist.github.com/dd6f95398c1bdc9f1038.git vault cd vault docker-compose up -d ``` -
voxxit revised this gist
May 21, 2015. 1 changed file with 1 addition and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1 @@ `git clone https://gist.github.com/dd6f95398c1bdc9f1038.git vault && cd vault && docker-compose up` -
voxxit revised this gist
May 21, 2015. 3 changed files with 9 additions and 3 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,8 +1,12 @@ { "http_api_response_headers": { "Access-Control-Allow-Origin": "*" }, "client_addr": "0.0.0.0", "datacenter": "dc1", "acl_datacenter": "dc1", "data_dir": "/data", "server": true, "bootstrap": true, "ui_dir": "/ui" } This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -16,6 +16,8 @@ mysql: consul: image: voxxit/consul:latest ports: - 80:8500 volumes: - ./consul.json:/etc/consul.json command: "agent -config-file=/etc/consul.json" This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,6 +1,6 @@ backend "consul" { address = "consul:8500" advertise_addr = "consul:8300" scheme = "http" } -
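Review bot: `advertise_addr = "consul:8300"` in vault.hcl is still the wrong target; this setting is the address other Vault nodes redirect clients to for this node, so it should be Vault's own API address (for example `http://vault:8200` on the compose network), and changing 8301 to 8300 only changes which Consul port receives the misdirected traffic. In docker-compose.yml the `80:8500` mapping, together with `"client_addr": "0.0.0.0"` and `"Access-Control-Allow-Origin": "*"` in consul.json, publishes the Consul HTTP API and UI on every host interface with the ACL default policy still at its default of allow, so anyone who can reach the host can read and write Vault's (encrypted) storage entries and the rest of the KV; bind the mapping to 127.0.0.1 or drop it, and set `acl_default_policy` to `deny` if ACLs are intended, since `acl_datacenter` alone enforces nothing.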
voxxit revised this gist
May 21, 2015. 3 changed files with 35 additions and 7 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,8 @@ { "client_addr": "0.0.0.0", "datacenter": "dc1", "acl_datacenter": "dc1", "data_dir": "/data", "server": true, "bootstrap": true } This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,13 +1,21 @@ vault: image: voxxit/vault:latest volumes: - ./vault.hcl:/etc/vault.hcl links: - "consul:consul" - "mysql:mysql" ports: - 8200:8200 command: "server -config=/etc/vault.hcl" mysql: image: mysql:latest environment: - "MYSQL_ROOT_PASSWORD=secret" consul: image: voxxit/consul:latest volumes: - ./consul.json:/etc/consul.json command: "agent -config-file=/etc/consul.json" This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,12 @@ backend "consul" { address = "consul:8500" advertise_addr = "consul:8301" scheme = "http" } listener "tcp" { address = "0.0.0.0:8200" tls_disable = 1 } disable_mlock = true -
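Review bot: `advertise_addr = "consul:8301"` in vault.hcl points at Consul's serf port rather than at Vault; `advertise_addr` is the address other Vault servers redirect to for this node, so it should be this Vault instance's own API address. `tls_disable = 1` on the listener and `disable_mlock = true` are acceptable for a local lab (the alternative to disabling mlock is `cap_add: [IPC_LOCK]` on the vault service in compose), but they mean tokens travel in cleartext and Vault's memory can be swapped to disk, which the README should state. In docker-compose.yml `MYSQL_ROOT_PASSWORD=secret` is a literal committed to the gist and is the same credential Vault is later given in `mysql/config/connection`; read it from an env file or `${VAR}` instead, and note that `8200:8200` publishes the plaintext Vault API on all host interfaces.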
voxxit revised this gist
May 21, 2015. 1 changed file with 2 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -6,6 +6,8 @@ vault: mysql: image: mysql environment: - MYSQL_ALLOW_BLANK_PASSWORD=true consul: image: voxxit/consul -
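Review bot: `MYSQL_ALLOW_BLANK_PASSWORD=true` is not a variable the official mysql image reads (it checks `MYSQL_ALLOW_EMPTY_PASSWORD`, `MYSQL_ROOT_PASSWORD` or `MYSQL_RANDOM_ROOT_PASSWORD`), so the container will still exit at startup complaining that no root password option was given; and even with the spelling corrected, an empty root password on the database Vault will use as its privileged connection is a weak choice, which the later revision's `MYSQL_ROOT_PASSWORD=secret` only partly improves.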
voxxit created this gist
May 21, 2015.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,11 @@ vault: image: voxxit/vault links: - consul:consul - mysql:mysql mysql: image: mysql consul: image: voxxit/consul
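Review bot: the `mysql` service in this hunk sets no password environment at all, so the official image's entrypoint refuses to initialise and the container exits before `vault` can link to it; one of `MYSQL_ROOT_PASSWORD`, `MYSQL_RANDOM_ROOT_PASSWORD` or `MYSQL_ALLOW_EMPTY_PASSWORD` is required. None of the three images carries a tag, which resolves to `latest` and makes the lab non-reproducible; pin `mysql` and the `voxxit/*` images to a version.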