
Hashicorp Vault: Linux – Lab Manual – Working with Secret Engines


# First of all we are going to start Vault in development mode
vault server -dev
# Now set your Vault address environment variable
export VAULT_ADDR=http://127.0.0.1:8200
# Set the root token variable (copy the Root Token printed by vault server -dev)
root_token=ROOT_TOKEN_VALUE
# And log into Vault using the root token
vault login $root_token
# Let's first see which secrets engines are enabled
vault secrets list
# Now let's get our secrets engines enabled
# We'll start by enabling the K/V engine (version 2, so secrets are versioned)
vault secrets enable -path=GloboKV -version=2 kv
# Maybe we want to configure some settings for GloboKV
vault path-help /sys/mounts/GloboKV
vault secrets tune -description="Globomantics K/V version 2" GloboKV
# Awesome, now let's enable Consul, either through the UI or with the CLI
vault secrets enable consul
# What types of things can we set on the K/V engine?
vault path-help GloboKV/
vault path-help GloboKV/config
# Why don't we check the current settings?
vault read GloboKV/config
# Let's set the max_versions to 5
vault write GloboKV/config max_versions=5
# You are going to need the consul binary to follow along here.
# You can get it from https://developer.hashicorp.com/consul/downloads?host=www.consul.io
# (https://www.consul.io/downloads also lands there)
# We are going to start up a basic instance of Consul and
# get a token with permissions to generate new tokens.
# You don't need to know much about Consul aside from the
# fact it uses tokens for authentication and authorization
# just like Vault.
# Create a data subdirectory in the lab folder (m7); it is the data_dir in the Consul config
mkdir data
# Launch consul server instance
consul agent -bootstrap -config-file="consul-config.hcl" -bind="127.0.0.1"
# From a separate terminal window run the following
consul acl bootstrap
# Set CONSUL_HTTP_TOKEN to the SecretID printed by the bootstrap command
# Linux and MacOS
export CONSUL_HTTP_TOKEN=SECRETID_VALUE
# Next we have to create a policy and role for new tokens
# that Vault will generate on Consul
consul acl policy create -name=web -rules @web-policy.hcl
# Now we'll configure our Consul secrets engine
vault path-help consul/
vault path-help consul/config/access
vault write consul/config/access address="http://127.0.0.1:8500" token=$CONSUL_HTTP_TOKEN
# And add a role to provision tokens with a ttl of 1 hour and a max of 2 hours
vault path-help consul/roles/web
vault write consul/roles/web name=web policies=web ttl=3600 max_ttl=7200
# Now how do we use this role to get a token? By using the creds path
vault path-help consul/creds/web
vault read consul/creds/web
# Check on the consul side and we can see the token created
consul acl token list -format=json | jq .[].AccessorID
consul acl token list
vault secrets list
# Let's try adding some values to our kv engine
vault kv put GloboKV/apitokens/d101 token=version1
vault kv put GloboKV/apitokens/d102 token=version1
vault kv put GloboKV/apitokens/d103 token=version1
# Now let's try and list the keys
vault kv list GloboKV/apitokens
# Nice, let's read one of the values
vault kv get GloboKV/apitokens/d101
# What if we update the value?
vault kv put GloboKV/apitokens/d101 token=version2
vault kv put GloboKV/apitokens/d102 token=version2
vault kv put GloboKV/apitokens/d103 token=version2
# Can we still get version 1? Sure can.
vault kv get GloboKV/apitokens/d101
vault kv get -version=1 GloboKV/apitokens/d101
# How do we go about deleting an older version?
vault kv delete -versions=1 GloboKV/apitokens/d101
# Don't worry it's not really gone
vault kv metadata get GloboKV/apitokens/d101
vault kv get GloboKV/apitokens/d101
# We can recover it by doing the following
vault kv undelete -versions=1 GloboKV/apitokens/d101
vault kv get -version=1 GloboKV/apitokens/d101
# Destroy is what actually removes it
vault kv destroy -versions=1 GloboKV/apitokens/d101
vault kv metadata get GloboKV/apitokens/d101
# The reference is still there, but the value is gone!
# We can delete everything by deleting the metadata too
vault kv metadata delete GloboKV/apitokens/d101
vault kv list GloboKV/apitokens
# What about using the API?
# Make sure you have the root token stored in $root_token
curl --header "X-Vault-Token: $root_token" \
$VAULT_ADDR/v1/GloboKV/data/apitokens/d102 | jq
# If we want a specific version, we can add a query string (quoted, so the shell doesn't treat ? as a glob)
curl --header "X-Vault-Token: $root_token" \
"$VAULT_ADDR/v1/GloboKV/data/apitokens/d102?version=1" | jq
# We can also get at these secrets using the UI
# Let's say we want to retrieve a secret and response wrap it
# First we'll do it using a secret in the GloboKV store
vault kv get -wrap-ttl=30m GloboKV/apitokens/d102
# Now we can use the wrapping token value to read the value
vault unwrap WRAPPING_TOKEN_ID
# If we lookup the token after using it, it's gone!
vault token lookup WRAPPING_TOKEN_ID
# What if we wanted to generate credentials for Consul and pass
# those securely to someone else? Let's try that now
vault read -wrap-ttl=30m consul/creds/web
# Let's check on the token this time (use the wrapping_token value from the previous output)
vault token lookup WRAPPING_TOKEN_ID
# And now let's retrieve the Consul token created for us
vault unwrap WRAPPING_TOKEN_ID
## server.hcl (the file passed as -config-file to the consul agent command above)
ui = true
server = true
bootstrap_expect = 1
datacenter = "dc1"
data_dir = "./data"
acl = {
  enabled = true
  default_policy = "deny"
  enable_token_persistence = true
}
## web-policy.hcl (the ACL rules loaded with consul acl policy create above)
service "web" {
  policy = "read"
}
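The curl calls above hit the KV v2 HTTP API directly, and the delete/undelete/destroy steps are only visible through the version metadata. The following is an added example (not part of the DevOpsSchool manual or Vault's own client libraries) that builds those KV v2 URLs for the lab's GloboKV mount, reads a secret while tolerating the 404 Vault returns for a deleted or destroyed version, and classifies each version from a metadata response; the sample metadata is constructed to match the state of apitokens/d101 after the lab's destroy step.

```python
# Added example, not from the lab: minimal KV v2 helpers for the GloboKV mount.
import json
import urllib.error
import urllib.parse
import urllib.request


def kv2_url(vault_addr, mount, secret_path, version=None, metadata=False):
    """KV v2 inserts data/ (or metadata/) between the mount and the key,
    which is why the lab's curl hits /v1/GloboKV/data/apitokens/d102."""
    kind = "metadata" if metadata else "data"
    url = f"{vault_addr.rstrip('/')}/v1/{mount.strip('/')}/{kind}/{secret_path.strip('/')}"
    if version is not None:
        url += "?" + urllib.parse.urlencode({"version": version})
    return url


def kv2_get(vault_addr, token, mount, secret_path, version=None):
    """GET a secret with the X-Vault-Token header. A deleted or destroyed
    version answers 404 but still carries metadata in the body, so that
    body is returned instead of raising."""
    req = urllib.request.Request(kv2_url(vault_addr, mount, secret_path, version),
                                 headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code != 404:
            raise
        return json.load(err)


def version_states(metadata_body):
    """Map each version in a `kv metadata get` response to live, deleted or
    destroyed. Deleted versions come back with `vault kv undelete`;
    destroyed ones are gone for good even though the version number remains."""
    states = {}
    for num, info in metadata_body["data"]["versions"].items():
        if info.get("destroyed"):
            states[int(num)] = "destroyed"
        elif info.get("deletion_time"):
            states[int(num)] = "deleted"
        else:
            states[int(num)] = "live"
    return states


# Constructed sample: GloboKV/metadata/apitokens/d101 after version 1 was destroyed.
SAMPLE_METADATA = {"data": {"current_version": 2, "max_versions": 5, "versions": {
    "1": {"created_time": "2024-01-01T00:00:00Z", "deletion_time": "", "destroyed": True},
    "2": {"created_time": "2024-01-01T00:01:00Z", "deletion_time": "", "destroyed": False}}}}
```

Run `kv2_get(VAULT_ADDR, root_token, "GloboKV", "apitokens/d102", version=1)` against the dev server to get the same JSON the curl above prints.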