Starting: 1st of Every Month 
+91 8409492687 
Contact@DevOpsSchool.com
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # First of all we are going to start Vault in development mode | |
| vault server -dev | |
| # Now set your Vault address environment variable | |
| export VAULT_ADDR=http://127.0.0.1:8200 | |
| # And log into Vault using the root token | |
| vault login | |
| # Now we can check and see what policies exist right now | |
| vault policy list | |
| # Pretty much what we expected | |
| # Before we create the policies, let's get a few things set up | |
| # You can skip this if you still have it running from last time | |
| # Enable userpass auth method | |
| vault auth enable userpass | |
| # Add a user | |
| vault write auth/userpass/users/ned password=tacos | |
| # Now we'll create a policy for secrets management | |
| vault policy write secrets-mgmt secrets-mgmt.hcl | |
| vault policy list | |
| vault policy read secrets-mgmt | |
| # Next we'll create a policy for the accounting secrets engine | |
| # First we'll enable the secrets engine | |
| vault secrets enable -path=accounting -version=2 kv | |
| # And we'll add some secrets to the engine | |
| vault kv put accounting/apitokens/d101 token=1234567890 | |
| vault kv put accounting/apitokens/d102 token=1234567890 | |
| vault kv put accounting/apitokens/d103 token=1234567890 | |
| vault kv put accounting/apitokens/privileged/p101 token=1234567890 | |
| # Now we can craft a policy allowing access to the regular tokens | |
| # And denying access to the priveleged tokens | |
| # We will add the policy through the UI |
by
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # First let's try out our accounting policy be associating a policy | |
| # directly with a token | |
| # ROOT SESSION | |
| vault token create -policy=accounting | |
| # ANOTHER SESSION | |
| # Now log in with that token | |
| vault login | |
| # ANOTHER SESSION | |
| # We'll try listing out info in the accounting secrets engine | |
| vault kv list accounting/ | |
| # ANOTHER SESSION | |
| vault kv list accounting/apitokens/ | |
| # ANOTHER SESSION | |
| vault kv list accounting/apitokens/privileged | |
| # ANOTHER SESSION | |
| # Seems to work for listing, let's try reading some secrets | |
| vault kv get accounting/apitokens/d101 | |
| # ANOTHER SESSION | |
| vault kv get accounting/apitokens/privileged/p101 | |
| # ROOT SESSION | |
| # Uh, oh. Looks like we messed something up. Better update that policy to fix it. | |
| # We can do that through the UI or with this command (You'll need to log back in as root) | |
| vault policy write accounting accounting-fixed.hcl | |
| # ANOTHER SESSION | |
| vault kv get accounting/apitokens/privileged/p101 | |
| vault kv list accounting/apitokens/privileged | |
| vault kv list accounting/ | |
| vault kv list accounting/apitokens/ | |
| vault kv get accounting/apitokens/d101 | |
| # Excellent! Next we're going to test out out secrets-mgmt policy | |
| # We are going to assign it to Ned in the userpass auth method | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # We are going to assign a policy to Ned in the userpass auth method | |
| # How do we do that? Path-help to the rescue! | |
| vault path-help auth/userpass/users/ned | |
| # Looks like token_policies should do it | |
| vault write auth/userpass/users/ned token_policies="secrets-mgmt" | |
| # Now we can log in as Ned and try to mount a new secrets engine | |
| vault login -method=userpass username=ned | |
| vault secrets enable -path=testing -version=1 kv | |
| vault secrets list | |
| vault secrets disable testing | |
| vault secrets disable accounting | |
| # Lastly, let's get rid of the accounting policy | |
| vault policy delete accounting | |
| # Wait, Ned can't do that! Let's log in as root again | |
| vault login |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Allow access to all accounting data | |
| path "accounting/data/*" { | |
| capabilities = ["create", "read", "update", "delete", "list"] | |
| } | |
| # Allow access to metadata for kv2 | |
| path "accounting/metadata/*" { | |
| capabilities = ["list"] | |
| } | |
| # Deny access to privileged accounting data | |
| path "accounting/data/apitokens/privileged*" { | |
| capabilities = ["deny"] | |
| } | |
| path "accounting/metadata/apitokens/privileged*" { | |
| capabilities = ["deny"] | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Allow access to all accounting data | |
| path "accounting/data/*" { | |
| capabilities = ["create", "read", "update", "delete", "list"] | |
| } | |
| # Allow access to metadata for kv2 | |
| path "accounting/metadata/*" { | |
| capabilities = ["list"] | |
| } | |
| # Deny access to privileged accounting data | |
| path "accounting/data/apitokens/privleged*" { | |
| capabilities = ["deny"] | |
| } | |
| path "accounting/metadata/apitokens/privileged*" { | |
| capabilities = ["deny"] | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Manage secrets engines | |
| path "sys/mounts/*" | |
| { | |
| capabilities = ["create", "read", "update", "delete", "list", "sudo"] | |
| } | |
| # List existing secrets engines. | |
| path "sys/mounts" | |
| { | |
| capabilities = ["read"] | |
| } |
I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I am working at Cotocus. I blog tech insights at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at I reviewed , and SEO strategies at Wizbrand.
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at PINTEREST
Rajesh Kumar at QUORA
Rajesh Kumar at WIZBRAND
