Manage Secrets & Protect Sensitive Data
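# Install the Vault CLI with Homebrew (macOS); the commented URL is the matching release archive.
brew tap hashicorp/tap
brew install hashicorp/tap/vault
# https://releases.hashicorp.com/vault/1.10.3/vault_1.10.3_darwin_arm64.zip
vault -version
vault -help
# Dev mode: in-memory storage, already unsealed, plaintext HTTP on 127.0.0.1 — local experiments only.
# It runs in the foreground, so start it in a separate terminal.
vault server -dev
export VAULT_ADDR='http://127.0.0.1:8200'
# Store the unseal key with owner-only permissions: create the directory, write the file under a
# restrictive umask, and tighten the mode in case the file already existed.
mkdir -p ~/Apps/Vault
( umask 077; echo "UnBLNVCNZUzmThbPSfzAnNgbzgXyZo7OVwIzkC144Rc=" > ~/Apps/Vault/unseal.key )
chmod 600 ~/Apps/Vault/unseal.key
# The CLI reads its token from VAULT_TOKEN; VAULT_DEV_ROOT_TOKEN is not consulted by the CLI.
export VAULT_TOKEN='hvs.ehNlzsKeUoh8bx5fHzXQmvCL'
vault status
# create a secret
vault kv put secret/hello foo=world
vault kv put secret/hello foo=world excited=yes
vault kv list secret
vault kv get secret/hello
vault kv get -field=excited secret/hello
vault kv get -format=json secret/hello
vault kv delete secret/hello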
vault secrets list
# If -path equals the engine name that follows it, this is equivalent to `vault secrets enable kv`
vault secrets enable -path=kv kv
vault secrets list
vault kv put kv/hello target=world
vault kv list kv/
# Disable (unmount) the engine at kv/
vault secrets disable kv/
vault token create
vault login
# revoke the token (presumably the id returned by `vault token create` above)
vault token revoke s.iyNUhq8Ov4hIAx6snw5mB2nL
# Enable the GitHub auth method and bind it to one organization
vault auth enable github
vault write auth/github/config organization=hashicorp
# Map the organization's "engineering" team to the default and applications policies
vault write auth/github/map/teams/engineering value=default,applications
vault auth list
# Log in with a GitHub token (typically prompted for when not supplied on the command line)
vault login -method=github
vault auth disable github
<!-- Spring Vault client library; the version is pinned explicitly -->
<dependency>
<groupId>org.springframework.vault</groupId>
<artifactId>spring-vault-core</artifactId>
<version>2.3.1</version>
</dependency>
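@Configuration
public class AppConfig extends AbstractVaultConfiguration {
    /**
     * Specify an endpoint for connecting to Vault.
     *
     * <p>The no-arg constructor yields the library's default endpoint (presumably localhost:8200 —
     * confirm against the Spring Vault version in use); set host, port and scheme explicitly when
     * the server runs elsewhere.
     */
    @Override
    public VaultEndpoint vaultEndpoint() {
        return new VaultEndpoint();
    }

    /**
     * Configure a client authentication.
     *
     * <p>The token is read from the {@code VAULT_TOKEN} environment variable instead of being
     * embedded in source, so it does not end up in version control. Please consider a more secure
     * authentication method for production use.
     *
     * @throws IllegalStateException if {@code VAULT_TOKEN} is unset or empty
     */
    @Override
    public ClientAuthentication clientAuthentication() {
        String token = System.getenv("VAULT_TOKEN");
        // Fail at startup rather than sending an empty token to Vault on the first request.
        if (token == null || token.isEmpty()) {
            throw new IllegalStateException("VAULT_TOKEN environment variable is not set");
        }
        return new TokenAuthentication(token);
    }
}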
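public class MyApp {
    @Autowired VaultOperations vaultOperations;

    /**
     * Round-trips a secret through Vault: writes it under {@code secret/myapp}, reads it back,
     * prints the username, then deletes the path.
     *
     * @throws IllegalStateException if the read returns no data (nothing stored at the path)
     */
    public void useVault() {
        Secrets secrets = new Secrets();
        secrets.username = "hello";
        secrets.password = "world";
        vaultOperations.write("secret/myapp", secrets);

        VaultResponseSupport<Secrets> response = vaultOperations.read("secret/myapp", Secrets.class);
        // read(...) may return null when nothing is stored at the path; guard before dereferencing.
        if (response == null || response.getData() == null) {
            throw new IllegalStateException("no data at secret/myapp");
        }
        // Only the username is printed; the password is never written to stdout.
        System.out.println(response.getData().getUsername());
        vaultOperations.delete("secret/myapp");
    }
}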
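@Configuration
@VaultPropertySource("secret/my-application")
public class AppConfig {
    @Autowired Environment env;

    /**
     * Builds a {@link TestBean} whose password comes from the Vault-backed property source
     * registered by {@code @VaultPropertySource}.
     *
     * @return the configured bean
     * @throws IllegalStateException if {@code database.password} is absent, so a missing secret
     *     fails at startup instead of silently producing a bean with a {@code null} password
     */
    @Bean
    public TestBean testBean() {
        TestBean testBean = new TestBean();
        // getRequiredProperty fails fast; getProperty would hand back null and defer the failure
        // to the first use of the bean.
        testBean.setPassword(env.getRequiredProperty("database.password"));
        return testBean;
    }
}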
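@SpringBootApplication
public class Example implements CommandLineRunner {

    /** Entry point: boots the context (which invokes {@link #run}) and closes it again. */
    public static void main(String[] args) {
        ConfigurableApplicationContext context = SpringApplication.run(Example.class, args);
        context.close();
    }

    /**
     * Writes a secret to the versioned KV mount at {@code secret}, reads it back and verifies it.
     *
     * <p>The endpoint is the local dev server over plain HTTP. The token defaults to the dev
     * server's {@code dev-only-token} and can be overridden through the {@code VAULT_TOKEN}
     * environment variable.
     *
     * @param strings command-line arguments (unused)
     * @throws IllegalStateException if the value read back does not match what was written
     */
    @Override
    public void run(String... strings) throws Exception {
        VaultEndpoint vaultEndpoint = new VaultEndpoint();
        vaultEndpoint.setHost("127.0.0.1");
        vaultEndpoint.setPort(8200);
        vaultEndpoint.setScheme("http");

        // Authenticate
        String token = System.getenv("VAULT_TOKEN");
        if (token == null || token.isEmpty()) {
            token = "dev-only-token";
        }
        VaultTemplate vaultTemplate = new VaultTemplate(vaultEndpoint, new TokenAuthentication(token));

        // Write a secret (the returned Versioned.Metadata is not needed here)
        Map<String, String> data = new HashMap<>();
        data.put("password", "Hashi123");
        vaultTemplate.opsForVersionedKeyValue("secret").put("my-secret-password", data);
        System.out.println("Secret written successfully.");

        // Read a secret
        Versioned<Map<String, Object>> readResponse = vaultTemplate
            .opsForVersionedKeyValue("secret")
            .get("my-secret-password");
        Object stored = null;
        if (readResponse != null && readResponse.hasData()) {
            stored = readResponse.getData().get("password");
        }
        // equals on the expected literal tolerates a null or non-String value; the message does not
        // echo the secret.
        if (!"Hashi123".equals(stored)) {
            throw new IllegalStateException("Unexpected password");
        }
        System.out.println("Access granted!");
    }
}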
附录