Created
August 30, 2018 13:58
-
-
Save stenio123/8784da338ec23e53dbc823716208e42a to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| New test | |
| # Mount database backend | |
| vault mount database | |
| # Configure MySQL connection | |
| vault write database/config/mysql \ | |
| plugin_name=mysql-legacy-database-plugin \ | |
| connection_url="vaultadmin:vaultadminpassword@tcp(127.0.0.1:3306)/" \ | |
| allowed_roles="readonly" | |
| # Create MySQL readonly role | |
| vault write database/roles/readonly \ | |
| db_name=mysql \ | |
| creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \ | |
| default_ttl="30m" \ | |
| max_ttl="24h" | |
| ----------------------------------------- | |
| # Read a set of credentials from the role | |
| vault read database/creds/readonly | |
| # Output: | |
| Key Value | |
| --- ----- | |
| lease_id database/creds/readonly/afc69c10-561f-e17f-6a38-017e1068ba85 | |
| lease_duration 30m0s | |
| lease_renewable true | |
| password A1a-rsrpx2s9ssr179r9 | |
| username v-read-25vtuw15s | |
| ------------------------------------------ | |
| # Check mount max_ttl | |
| vault read sys/mounts/database/tune | |
| # Output: | |
| Key Value | |
| --- ----- | |
| default_lease_ttl 2764800 | |
| force_no_cache false | |
| max_lease_ttl 2764800 | |
| ------------------------------------------ | |
| # Update mount max_ttl | |
| vault write sys/mounts/database/tune max_lease_ttl=30 | |
| # Check value: | |
| vault read sys/mounts/database/tune | |
| # Output: | |
| Key Value | |
| --- ----- | |
| default_lease_ttl 2764800 | |
| force_no_cache false | |
| max_lease_ttl 30 | |
| ------------------------------------------ | |
| # Read credentials | |
| vault read database/creds/readonly | |
| # Output - see how now the lease duration is 30s, constrained by the new mount max_ttl. | |
| # Remember, the leases inside a mount cant be greater than either the mount or the system default. | |
| Key Value | |
| --- ----- | |
| lease_id database/creds/readonly/8ed12999-381e-4dac-3288-6840eeaf4f06 | |
| lease_duration 30s | |
| lease_renewable true | |
| password A1a-q6w01tyu72uz51v1 | |
| username v-read-38u5wv14u | |
| ----------------------------------------- | |
| # Now we restore the mount's max_ttl to default 32 days: | |
| vault write sys/mounts/database/tune max_lease_ttl=2764800 | |
| # To check: | |
| vault read sys/mounts/database/tune | |
| # Output | |
| Key Value | |
| --- ----- | |
| default_lease_ttl 2764800 | |
| force_no_cache false | |
| max_lease_ttl 2764800 | |
| _________________________________________ | |
| # Now let's change the system max_ttl, which is done in the Vault configuration file. | |
| # In order to do that, we need to first stop the process running vault: | |
| ps aux | grep vault | |
| # Output: | |
| root 5266 0.0 4.8 62364 24224 ? Sl 13:43 0:00 /usr/local/bin/vault server -dev -dev-root-token-id=password -dev-listen-address=0.0.0.0:8200 | |
| # Now we kill the process: | |
| sudo kill -9 5266 | |
| # Now edit your Vault config, reference for possible values here: https://www.vaultproject.io/docs/configuration/index.html. | |
| # For example: | |
| ------------------------------------------- | |
| vault.hcl: | |
| storage "file" { | |
| path = "/home/vagrant/data" | |
| } | |
| listener "tcp" { | |
| address = "0.0.0.0:8200" | |
| tls_disable = 1 | |
| } | |
| max_lease_ttl = "30s" | |
| # cannot have DefaultLeaseTTL larger than MaxLeaseTTL | |
| default_lease_ttl="30s" | |
| ui = true | |
| -------------------------------------------- | |
| # Start Vault normally: | |
| vault server -config=vault.hcl & | |
| vault init | |
| vault unseal ... | |
| vault auth .. | |
| # Now if we check the database tune: | |
| vault read sys/mounts/database/tune | |
| # Output | |
| Key Value | |
| --- ----- | |
| default_lease_ttl 30 | |
| force_no_cache false | |
| max_lease_ttl 30 | |
| # And if we generate a credential: | |
| vault read database/creds/readonly | |
| # Output | |
| Key Value | |
| --- ----- | |
| lease_id database/creds/readonly/9904bbd2-d27d-cba5-bdc0-95708daea880 | |
| lease_duration 30s | |
| lease_renewable true | |
| password A1a-ss1z6s92v168qrv9 | |
| username v-read-88rqxx3p0 | |
| # Even though in the configuration we have 30 mins. | |
| vault read database/roles/readonly | |
| # Output | |
| Key Value | |
| --- ----- | |
| creation_statements CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%'; | |
| db_name mysql | |
| default_ttl 1800 | |
| max_ttl 86400 | |
| renew_statements | |
| revocation_statements | |
| rollback_statements | |
| # This shows that the system max_ttl and the mount max_ttl set the maximum boundary of a configuration. | |
| Unseal Key 1: N+TPFLaCMTY7GTtHUKNdi1L0Qp0RzF3FGqpCB8kKwKY= | |
| Initial Root Token: 39f5005d-2684-26f4-f00e-c0f8c8d646c8 | |
| The "period" parameter will work as the TTL for the token, which needs to be renewed within that period. If it doesn't, Vault will not accept requests using that token until it is renewed. | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment