Skip to content

Instantly share code, notes, and snippets.

View stenio123's full-sized avatar

Stenio Ferreira stenio123

58 followers · 15 following
View GitHub Profile
@stenio123
stenio123 / Sign.MD
Last active February 23, 2023 22:16
Signing a base64 string with Vault Transit Secret Engine

This code shows the steps to enable the transit secret engine, configure a key, and use the sign leveraging Vault.

vault secrets enable transit

# Default key type doesn't support signing
vault write -f transit/keys/my-key type=rsa-4096

# Encode a string as base64
echo -n 'This was created by Stenio, you can trust me!' | openssl base64
@stenio123
stenio123 / NomadDemo.md
Last active December 13, 2018 19:47
Resources to demo nomad
@stenio123
stenio123 / vault-token-role-via-api.sh
Created October 17, 2018 13:21 — forked from greenbrian/vault-token-role-via-api.sh
HashiCorp Vault Token Role overview
# start vault in dev mode
VAULT_UI=true vault server -dev -dev-root-token-id="password"
# write some secrets for our example usage
curl --request POST \
--silent \
--header "X-Vault-Token: password" \
--header "Content-Type: application/json" \
--data '{ "options": { "cas": 0 }, "data": { "username": "administrator", "password": "hunter2" } }' \
http://127.0.0.1:8200/v1/secret/data/dev | jq '.'
@stenio123
stenio123 / Vault_namespace_demo.md
Created October 12, 2018 21:56
Testing Vault Namespaces

Vault Namespaces Demo

Vault Namespaces supports a variety of ways of interacting with Vault.

# Config
vault namespace create marketing

echo '
path "secret/*" {
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
@stenio123
stenio123 / Cubbyhole.md
Created October 12, 2018 15:44
Share single use secret stored in Vault

Cubbyhole Single Use Secret

By leveraging the Cubbyhole secret engine, we can store a secret that only one token can retrieve. Once that token is expired or revoked, the secret is gone. When creating the token, you can limit number of uses.

# Creates token that will be shared. It will be used once to write a secret, second time to read then it is revoked
vault token create -use-limit=2 -policy=default -metadata="name=stenio"
# Output -<TOKEN>
@stenio123
stenio123 / Vault-PKI-demo.md
Last active October 11, 2018 20:28
Using Vault to retrieve short lived certificates, and Consul Template to transparently manage the renewal

PKI Secret Engine

Create Limited Policy and Token for this demo

cat > pki.policy <<EOA
# Enable secrets engine
path "sys/mounts/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
@stenio123
stenio123 / Vault_examples.md
Last active November 13, 2022 14:25
Vault Examples

Vault Examples

Examples highligthing different Vault features.

To have a list of valid CLI flags, use

vault -h
vault <FEATURE> -h

HA Replication

@stenio123
stenio123 / README.md
Created September 7, 2018 15:59
Steps to deploy custom gem (Vault-ruby as example)
  1. Clone git repository:
git clone [email protected]:stenio123/vault-ruby.git
  1. Move to desired branch:
git checkout added-namespaces
@stenio123
stenio123 / README.md
Created August 31, 2018 19:38
Testing changing the number of times a secret id can be used once it has been issued

Enable AppRole

vault enable approle

Create role, and specify number of times SecretId can be used

vault write auth/approle/role/my-role     secret_id_ttl=10m     token_num_uses=10     token_ttl=20m     token_max_ttl=30m     secret_id_num_uses=40
@stenio123
stenio123 / Vault change dynamic DB TTL
Created August 30, 2018 13:58
New test
# Mount database backend
vault mount database
# Configure MySQL connection
vault write database/config/mysql \
plugin_name=mysql-legacy-database-plugin \
connection_url="vaultadmin:vaultadminpassword@tcp(127.0.0.1:3306)/" \
allowed_roles="readonly"