@describeme
Forked from harshavardhana/vault-prod.md
Created December 19, 2019 12:38

Start vault with file backend

~ docker run --rm --cap-add=IPC_LOCK --name vault -e 'VAULT_LOCAL_CONFIG={"api_addr": "http://127.0.0.1:8200", "backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h",  "listener": { "tcp": { "address": "0.0.0.0:8200", "tls_disable": 1 } }, "ui": true}' vault server
==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: true
                 Storage: file
                 Version: Vault v1.1.3
             Version Sha: 9bc820f700f83a7c4bcab54c5323735a581b34eb

==> Vault server started! Log data will stream in below

Vault initialization

~ docker exec -it vault /bin/sh
~ export VAULT_ADDR='http://127.0.0.1:8200'
~ cat > vaultpolicy.hcl <<EOF
path "transit/datakey/plaintext/my-minio-key" { 
  capabilities = [ "read", "update"]
}
path "transit/decrypt/my-minio-key" { 
  capabilities = [ "read", "update"]
}
path "transit/encrypt/my-minio-key" { 
  capabilities = [ "read", "update"]
}

EOF
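The policy above is the least-privilege boundary for the AppRole: it grants read/update on exactly the three transit paths MinIO needs and nothing else (no key management, no key export, no other keys). The following checker is an added example and not Vault's or the gist's own code; it parses only the `path "..." { capabilities = [...] }` form used here and re-implements a subset of Vault's ACL matching (exact match, trailing `*` glob, `+` single-segment wildcard, longest matching pattern wins, `deny` overrides), which is an assumption that holds for a policy this simple. The negative cases in MUST_DENY are constructed.

```python
"""Checker for Vault ACL policies in the form used by vaultpolicy.hcl.

Added example, not Vault's own code. Parses only the
`path "..." { capabilities = [...] }` form the gist uses and re-implements a
subset of Vault's ACL matching (assumption: this subset is all the policy
above needs): exact match, trailing `*` glob, `+` single-segment wildcard,
the longest matching pattern wins, and `deny` overrides everything else.
"""
import re
from typing import Dict, List, Tuple

# One rule: path "<pattern>" { capabilities = [ "cap", ... ] }
RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)

# The policy from the gist, embedded so the check runs offline.
GIST_POLICY = '''
path "transit/datakey/plaintext/my-minio-key" {
  capabilities = [ "read", "update"]
}
path "transit/decrypt/my-minio-key" {
  capabilities = [ "read", "update"]
}
path "transit/encrypt/my-minio-key" {
  capabilities = [ "read", "update"]
}
'''


def parse_policy(hcl: str) -> Dict[str, List[str]]:
    """Return {path_pattern: [capabilities]} for every rule in the HCL text."""
    rules: Dict[str, List[str]] = {}
    for pattern, caps in RULE_RE.findall(hcl):
        rules[pattern] = [c.strip().strip('"') for c in caps.split(",") if c.strip()]
    return rules


def _pattern_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Vault path pattern into a regex (`+` = one segment, `*` = rest)."""
    glob = pattern.endswith("*")
    if glob:
        pattern = pattern[:-1]
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in pattern.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if glob else "") + "$")


def allowed(rules: Dict[str, List[str]], path: str, capability: str) -> bool:
    """Decide whether `capability` on `path` is granted by the policy."""
    best = None
    for pattern in rules:
        if not _pattern_regex(pattern).match(path):
            continue
        # An exact match beats any wildcard rule; among wildcards the longest wins.
        if best is None or pattern == path or (best != path and len(pattern) > len(best)):
            best = pattern
    if best is None:
        return False  # Vault's default is deny
    caps = rules[best]
    return "deny" not in caps and capability in caps


# What MinIO's SSE integration needs (a POST requires the "update" capability) ...
NEEDED: List[Tuple[str, str]] = [
    ("transit/datakey/plaintext/my-minio-key", "update"),
    ("transit/encrypt/my-minio-key", "update"),
    ("transit/decrypt/my-minio-key", "update"),
]
# ... and what the AppRole must not be able to do (constructed negative cases).
MUST_DENY: List[Tuple[str, str]] = [
    ("transit/keys/my-minio-key", "delete"),
    ("transit/keys/my-minio-key/config", "update"),
    ("transit/export/encryption-key/my-minio-key", "read"),
    ("transit/encrypt/other-key", "update"),
    ("sys/policies/acl/minio-policy", "update"),
]


def check_least_privilege(rules: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Report required grants that are missing and forbidden grants that are present."""
    return {
        "missing": [pc for pc in NEEDED if not allowed(rules, *pc)],
        "excess": [pc for pc in MUST_DENY if allowed(rules, *pc)],
    }


if __name__ == "__main__":
    print(check_least_privilege(parse_policy(GIST_POLICY)))
```

Run it against a policy before `vault policy write`; an empty "missing" and "excess" list is the expected result for the gist's policy. Widening a rule to `transit/*` makes key deletion and export show up under "excess", which is the kind of drift this check is meant to catch.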
~ vault operator init
Unseal Key 1: eyW/+8ZtsgT81Cb0e8OVxzJAQP5lY7Dcamnze+JnWEDT
Unseal Key 2: 0tZn+7QQCxphpHwTm6/dC3LpP5JGIbYl6PK8Sy79R+P2
Unseal Key 3: cmhs+AUMXUuB6Lzsvgcbp3bRT6VDGQjgCBwB2xm0ANeF
Unseal Key 4: /fTPpec5fWpGqWHK+uhnnTNMQyAbl5alUi4iq2yNgyqj
Unseal Key 5: UPdDVPto+H6ko+20NKmagK40MOskqOBw4y/S51WpgVy/

Initial Root Token: s.zaU4Gbcu0Wh46uj2V3VuUde0

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

Vault unseal to add new settings

Use any 3 of the previously generated keys (the threshold) to unseal the vault, one key share per unseal command

~ vault operator unseal <key_1>
~ vault operator unseal <key_2>
~ vault operator unseal <key_3>
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false  ---> NOTE: vault is unsealed
Total Shares    5
Threshold       3
Version         1.1.3
Cluster Name    vault-cluster-3f084948
Cluster ID      8c92e999-7062-4da6-4434-0fc05f34824d
HA Enabled      false

Configure vault settings

Obtain the root token from the vault operator init output, where it is displayed as Initial Root Token: s.zaU4Gbcu0Wh46uj2V3VuUde0

~ export VAULT_TOKEN=s.zaU4Gbcu0Wh46uj2V3VuUde0
~ vault auth enable approle  # enable approle style auth
Success! Enabled approle auth method at: approle/

~ vault secrets enable transit  # enable transit secrets engine
Success! Enabled the transit secrets engine at: transit/

~ vault write -f  transit/keys/my-minio-key  # define an encryption key (keyring) on the transit path
Success! Data written to: transit/keys/my-minio-key

~ vault policy write minio-policy ./vaultpolicy.hcl  # define a policy for AppRole to access transit path
Success! Uploaded policy: minio-policy

~ vault write auth/approle/role/my-role token_num_uses=0  secret_id_num_uses=0  period=5m  # period=5m makes the token periodic: it stays renewable indefinitely as long as it is renewed before each 5m period expires
Success! Data written to: auth/approle/role/my-role

~ # define an AppRole
~ vault write auth/approle/role/my-role policies=minio-policy # apply policy to role
Success! Data written to: auth/approle/role/my-role
~ vault read auth/approle/role/my-role/role-id  # get Approle ID
Key        Value
---        -----
role_id    8c03926c-6c51-7a1d-cf7d-62e48ab8d6d7
~ vault write -f auth/approle/role/my-role/secret-id
Key                   Value
---                   -----
secret_id             edd8738c-6efe-c226-74f9-ef5b66e119d7
secret_id_accessor    57d1db64-6350-c321-4a3e-fc6aeb7d00b6
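With the role configured, a client authenticates with role_id + secret_id, receives a periodic token, and then uses the three transit paths the policy allows. The script below is an added example, not MinIO's or Vault's code, showing those three exchanges over Vault's HTTP API: POST auth/approle/login, POST transit/datakey/plaintext/<key> (which returns the data key both as plaintext to use in memory and as ciphertext to store), and POST transit/decrypt/<key> to unwrap it again. The role and secret IDs are the ones printed above and VAULT_ADDR is assumed to be the one exported earlier; the `post` transport is injectable so the flow also runs offline against `fake_vault()`, a constructed stand-in that mimics the real field names and enforces the minio-policy paths (it is not real Vault and does no real encryption).

```python
"""AppRole login and transit data-key round trip over Vault's HTTP API.

Added example, not MinIO's or Vault's code. The `post` callable is injectable so
the flow can run offline against `fake_vault()`, a constructed stand-in whose
responses mimic the real field names. ROLE_ID and SECRET_ID are the gist's;
VAULT_ADDR is assumed to be the address exported earlier in the walkthrough.
"""
import base64
import json
import os
import secrets
import urllib.request
from typing import Any, Callable, Dict, Tuple

Poster = Callable[[str, Dict[str, Any], str], Dict[str, Any]]

ROLE_ID = "8c03926c-6c51-7a1d-cf7d-62e48ab8d6d7"    # from `vault read .../role-id` above
SECRET_ID = "edd8738c-6efe-c226-74f9-ef5b66e119d7"  # from `vault write -f .../secret-id` above
KEY_NAME = "my-minio-key"


def http_post(addr: str) -> Poster:
    """Real transport: JSON POST to <addr>/v1/<path>, token sent in X-Vault-Token."""
    def post(path: str, body: Dict[str, Any], token: str = "") -> Dict[str, Any]:
        req = urllib.request.Request(f"{addr}/v1/{path}", data=json.dumps(body).encode(),
                                     method="POST", headers={"Content-Type": "application/json"})
        if token:
            req.add_header("X-Vault-Token", token)
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on 403/404
            return json.load(resp)
    return post


def approle_login(post: Poster, role_id: str, secret_id: str) -> Tuple[str, int]:
    """Exchange role_id + secret_id for a client token; returns (token, lease seconds).
    The role was created with period=5m, so the token must be renewed via
    auth/token/renew-self within that lease or it expires."""
    auth = post("auth/approle/login", {"role_id": role_id, "secret_id": secret_id})["auth"]
    return auth["client_token"], auth["lease_duration"]


def new_data_key(post: Poster, token: str, key_name: str) -> Tuple[bytes, str]:
    """Ask transit for a fresh data key: plaintext (use in memory, then discard)
    and ciphertext (wrapped under `key_name`, safe to store next to the object)."""
    data = post(f"transit/datakey/plaintext/{key_name}", {}, token)["data"]
    return base64.b64decode(data["plaintext"]), data["ciphertext"]


def unwrap_data_key(post: Poster, token: str, key_name: str, ciphertext: str) -> bytes:
    """Recover the plaintext data key from its stored ciphertext via transit/decrypt."""
    data = post(f"transit/decrypt/{key_name}", {"ciphertext": ciphertext}, token)["data"]
    return base64.b64decode(data["plaintext"])


def fake_vault() -> Poster:
    """Constructed offline stand-in (assumption: not real Vault). Keeps wrapped keys in a
    dict under an opaque 'vault:v1:' handle and enforces the minio-policy paths."""
    wrapped: Dict[str, bytes] = {}
    token = "s.constructed-token"
    allowed = {f"transit/datakey/plaintext/{KEY_NAME}", f"transit/decrypt/{KEY_NAME}",
               f"transit/encrypt/{KEY_NAME}"}

    def post(path: str, body: Dict[str, Any], tok: str = "") -> Dict[str, Any]:
        if path == "auth/approle/login":
            if (body.get("role_id"), body.get("secret_id")) != (ROLE_ID, SECRET_ID):
                raise PermissionError("invalid role or secret ID")
            return {"auth": {"client_token": token, "lease_duration": 300,
                             "renewable": True, "policies": ["default", "minio-policy"]}}
        if tok != token or path not in allowed:
            raise PermissionError(f"permission denied: {path}")  # real Vault answers 403
        if path.startswith("transit/datakey/plaintext/"):
            key = secrets.token_bytes(32)
            handle = "vault:v1:" + base64.b64encode(secrets.token_bytes(24)).decode()
            wrapped[handle] = key  # the fake never returns the key in its "ciphertext"
            return {"data": {"plaintext": base64.b64encode(key).decode(),
                             "ciphertext": handle, "key_version": 1}}
        if path.startswith("transit/decrypt/"):
            key = wrapped.get(body.get("ciphertext", ""))
            if key is None:
                raise ValueError("unknown ciphertext")
            return {"data": {"plaintext": base64.b64encode(key).decode()}}
        raise ValueError(f"unsupported path {path}")
    return post


def round_trip(post: Poster) -> bool:
    """Login, mint a data key, unwrap it again; True if the unwrapped key matches."""
    token, _lease = approle_login(post, ROLE_ID, SECRET_ID)
    plaintext, ciphertext = new_data_key(post, token, KEY_NAME)
    return unwrap_data_key(post, token, KEY_NAME, ciphertext) == plaintext


if __name__ == "__main__":
    transport = http_post(os.environ["VAULT_ADDR"]) if "VAULT_ADDR" in os.environ else fake_vault()
    print("round trip ok:", round_trip(transport))
```

Two points worth checking in a real deployment follow directly from this flow: a request to any path outside the policy (for example transit/keys/my-minio-key) is refused with 403, and a token that is not renewed within the 5m period stops working, so the client must schedule renew-self well before lease_duration runs out.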

Configure MinIO to talk to vault

~ docker run --rm --network bridge -p 9000:9000 -e MINIO_ACCESS_KEY=minio -e MINIO_SECRET_KEY=minio123 -e MINIO_SSE_VAULT_APPROLE_ID=8c03926c-6c51-7a1d-cf7d-62e48ab8d6d7 -e MINIO_SSE_VAULT_APPROLE_SECRET=edd8738c-6efe-c226-74f9-ef5b66e119d7 -e MINIO_SSE_VAULT_ENDPOINT=http://172.17.0.2:8200 -e MINIO_SSE_VAULT_KEY_NAME=my-minio-key -e MINIO_SSE_VAULT_AUTH_TYPE=approle minio/minio server /data

Endpoint:  http://172.17.0.3:9000  http://127.0.0.1:9000      

Browser Access:
   http://172.17.0.3:9000  http://127.0.0.1:9000      

Object API (Amazon S3 compatible):
   Go:         https://docs.min.io/docs/golang-client-quickstart-guide
   Java:       https://docs.min.io/docs/java-client-quickstart-guide
   Python:     https://docs.min.io/docs/python-client-quickstart-guide
   JavaScript: https://docs.min.io/docs/javascript-client-quickstart-guide
   .NET:       https://docs.min.io/docs/dotnet-client-quickstart-guide