Docker - store secrets using Hashicorp Vault
# Demo transcript: run Vault in Docker with a Consul storage backend, initialise
# and unseal it, then read a secret back via the CLI and the HTTP API.
# Everything below is the dev-only shape shown on the page; the notes mark the
# settings a non-demo deployment would change.
$ cat vault.hcl | |
backend "consul" { | |
address = "consul:8500" | |
advertise_addr = "consul:8300" | |
# Plain HTTP between Vault and Consul (Consul itself runs in -dev mode below).
scheme = "http" | |
} | |
listener "tcp" { | |
# Listener bound to every interface; -p 8200:8200 below also publishes it on the host.
address = "0.0.0.0:8200" | |
# TLS off: the tokens sent in X-Vault-Token headers (curl calls at the end) travel in
# cleartext. Acceptable only for a local demo; keep TLS enabled wherever a token matters.
tls_disable = 1 | |
} | |
# Turns off Vault's mlock call, i.e. process memory holding key material may be swapped to disk.
disable_mlock = true | |
# Data-only container that will hold the config; vault.hcl is copied into it next.
$ docker create -v /config --name config busybox | |
Unable to find image 'busybox:latest' locally | |
latest: Pulling from library/busybox | |
8ddc19f16526: Pull complete | |
Digest: sha256:a59906e33509d14c036c8678d687bd4eec81ed7c4b8ce907b888c607f6a1e0e6 | |
Status: Downloaded newer image for busybox:latest | |
8e927bf8ddcc8e133c5dead890ed45346b779ec78c4a9b6cf507a0852ed93753 | |
$ docker cp vault.hcl config:/config/ | |
# Consul -dev agent (single in-memory node meant for local testing) with its client
# API bound to all interfaces and published on host port 8500 — demo backend only.
$ docker run -d --name consul -p 8500:8500 consul:v0.6.4 agent -dev -client=0.0.0.0 | |
Unable to find image 'consul:v0.6.4' locally | |
v0.6.4: Pulling from library/consul | |
6c123565ed5e: Pull complete | |
c360837a94e2: Pull complete | |
4e298b2da1e2: Pull complete | |
46f89b06fcc9: Pull complete | |
3f453ecb18c0: Pull complete | |
Digest: sha256:0dc990ff3c44d5b5395475bcc5ebdae4fc8b67f69e17942a8b9793b3df74d290 | |
Status: Downloaded newer image for consul:v0.6.4 | |
0293c84358b712411dcf073bfba2dd1c17175bcbeea42b483f2c5c799225070c | |
# Vault server reading the config from the shared volume. The image is a third-party
# build pulled by a floating tag (cgswong/vault:latest), so the Vault version is not
# pinned; pin a digest or version tag for anything reproducible.
$ docker run -d --name vault-dev --link consul:consul -p 8200:8200 --volumes-from config cgswong/vault:latest server -config=/config/vault.hcl | |
Unable to find image 'cgswong/vault:latest' locally | |
latest: Pulling from cgswong/vault | |
06e3f498f3b8: Pull complete | |
5921762cfe8b: Pull complete | |
Digest: sha256:e96fe04b9baa74a03de04873fa3a7245952f28327715c702ad2ea2b8dab5eaa3 | |
Status: Downloaded newer image for cgswong/vault:latest | |
224334215e85650f3ec5611b44b5e26b938eb4496423f01aa060dbe3c1a3776d | |
# Alias wrapping the CLI that lives inside the container. NB: "$@" inside an alias
# expands to the interactive shell's own positional parameters (normally none), not
# the alias arguments; it works here only because the arguments are appended after
# the substituted text. A shell function would state the intent directly.
$ alias vault='docker exec -it vault-dev vault "$@"' | |
# Exported in the host shell; docker exec does not forward it, which is why every
# vault command below passes -address=${VAULT_ADDR} explicitly.
$ export VAULT_ADDR=http://127.0.0.1:8200 | |
# init prints all five unseal key shares and the initial root token. Redirecting the
# whole output into one plaintext file on the workstation keeps the entire threshold
# (3 of 5, per the message below) plus root access in a single place — fine for a
# throwaway demo, otherwise distribute the shares separately as the output advises.
$ vault init -address=${VAULT_ADDR} > keys.txt | |
ldcl140286m:Downloads jgaspar$ cat keys.txt | |
Key 1: a64457ef0382ccdf68080aaa89a526cfdd58105dcfe91d47edb36d6abf29e26f01 | |
Key 2: 4cbaacd1c6567ae13aee2adf2a7a5d7d2f847b19f35ac9af5ea943072cf4df9802 | |
Key 3: 55e40dc8ce971fe4a82941fa76f525b817760772531c4e40c7e2d1b4345d0b4003 | |
Key 4: 6b314eecd36f7068b06bb54737c5b951b49fd3a17da13f832c6ba6c4709c8ccf04 | |
Key 5: 726feff5dbae156d22acde626b4ac1948c6dafcadde7b86cb52034776835581705 | |
Initial Root Token: 89580eb4-17b7-443c-8f80-1de7b84e4165 | |
Vault initialized with 5 keys and a key threshold of 3. Please | |
securely distribute the above keys. When the Vault is re-sealed, | |
restarted, or stopped, you must provide at least 3 of these keys | |
to unseal it again. | |
Vault does not store the master key. Without at least 3 keys, | |
your Vault will remain permanently sealed. | |
# Each share is extracted from keys.txt and passed on the command line, so it lands
# in shell history (and is visible to ps while the command runs). Quoting the
# substitution ("$(...)") is the safer habit even for a hex-only value.
$ vault unseal -address=${VAULT_ADDR} $(grep 'Key 1:' keys.txt | awk '{print $NF}') | |
Sealed: true | |
Key Shares: 5 | |
Key Threshold: 3 | |
Unseal Progress: 1 | |
$ vault unseal -address=${VAULT_ADDR} $(grep 'Key 2:' keys.txt | awk '{print $NF}') | |
Sealed: true | |
Key Shares: 5 | |
Key Threshold: 3 | |
Unseal Progress: 2 | |
# Third share reaches the threshold: Sealed flips to false and progress resets.
$ vault unseal -address=${VAULT_ADDR} $(grep 'Key 3:' keys.txt | awk '{print $NF}') | |
Sealed: false | |
Key Shares: 5 | |
Key Threshold: 3 | |
Unseal Progress: 0 | |
$ vault status -address=${VAULT_ADDR} | |
Sealed: false | |
Key Shares: 5 | |
Key Threshold: 3 | |
Unseal Progress: 0 | |
High-Availability Enabled: true | |
Mode: active | |
Leader: consul:8300 | |
# substr(..., length-1) drops the last character of the token field. The Key lines
# above are used without that trim, so presumably this strips a trailing character
# (a CR from the -it TTY?) that is not visible on this page — confirm before copying.
$ export VAULT_TOKEN=$(grep 'Initial Root Token:' keys.txt | awk '{print substr($NF, 1, length($NF)-1)}') | |
# Prints the root token to the terminal and scrollback; avoid in shared or logged sessions.
$ echo $VAULT_TOKEN | |
89580eb4-17b7-443c-8f80-1de7b84e4165 | |
# Authenticates with the *root* token (token_policies: [root] below), again passed on
# argv. Root is for bootstrap; the reads/writes that follow would normally use a token
# bound to a narrower policy for the secret/ path.
$ vault auth -address=${VAULT_ADDR} ${VAULT_TOKEN} | |
Successfully authenticated! | |
token: 89580eb4-17b7-443c-8f80-1de7b84e4165 | |
token_duration: 0 | |
token_policies: [root] | |
# Secret value supplied on the command line, so like the shares it ends up in shell
# history; 12345678 is a demo value.
$ vault write -address=${VAULT_ADDR} secret/api-key value=12345678 | |
Success! Data written to: secret/api-key | |
# lease_duration 2592000 seconds = 30 days.
$ vault read -address=${VAULT_ADDR} secret/api-key | |
Key Value | |
lease_duration 2592000 | |
value 12345678 | |
# -field=value prints just the secret, handy for scripting.
$ vault read -address=${VAULT_ADDR} -field=value secret/api-key | |
12345678 | |
# Same read over the raw HTTP API. VAULT_ADDR is http://, matching tls_disable above,
# so the root token in the X-Vault-Token header crosses the wire unencrypted.
# -X GET is redundant (curl's default); -s in the later calls only hides the progress meter.
$ curl -H "X-Vault-Token:$VAULT_TOKEN" -X GET ${VAULT_ADDR}/v1/secret/api-key | |
{"lease_id":"","renewable":false,"lease_duration":2592000,"data":{"value":"12345678"},"warnings":null,"auth":null} | |
$ curl -s -H "X-Vault-Token:$VAULT_TOKEN" -X GET ${VAULT_ADDR}/v1/secret/api-key | jq '.' | |
{ | |
"lease_id": "", | |
"renewable": false, | |
"lease_duration": 2592000, | |
"data": { | |
"value": "12345678" | |
}, | |
"warnings": null, | |
"auth": null | |
} | |
# jq -r prints the raw string (no surrounding quotes), equivalent to -field=value above.
$ curl -s -H "X-Vault-Token:$VAULT_TOKEN" -X GET ${VAULT_ADDR}/v1/secret/api-key | jq -r .data.value | |
12345678 |