{"id":18445852,"url":"https://github.com/voronenko/devops-hashicorp-vault","last_synced_at":"2025-04-15T01:17:00.429Z","repository":{"id":145345173,"uuid":"157848092","full_name":"Voronenko/devops-hashicorp-vault","owner":"Voronenko","description":"Demo repository on vault box setup","archived":false,"fork":false,"pushed_at":"2018-11-16T13:28:49.000Z","size":103,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-15T01:16:49.591Z","etag":null,"topics":["oops-to-devops"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Voronenko.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-11-16T09:57:46.000Z","updated_at":"2019-05-03T11:16:43.000Z","dependencies_parsed_at":"2023-07-03T09:17:19.768Z","dependency_job_id":null,"html_url":"https://github.com/Voronenko/devops-hashicorp-vault","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Voronenko%2Fdevops-hashicorp-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Voronenko%2Fdevops-hashicorp-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Voronenko%2Fdevops-hashicorp-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Voronenko%2Fdevops-hashicorp-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Vo
ronenko","download_url":"https://codeload.github.com/Voronenko/devops-hashicorp-vault/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248986316,"owners_count":21194025,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["oops-to-devops"],"created_at":"2024-11-06T07:07:39.860Z","updated_at":"2025-04-15T01:17:00.421Z","avatar_url":"https://github.com/Voronenko.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\nUnsorted notes\n\nDemo root token  789XX6e5-XXXX-3c96-99f7-XXXXX\n\nDemo key 1  WC8PhXXXX9VAwxYP8PuYXLoyxd7M+XXXXXXXX\n\n\n================================================\n\n\nA great resource is   https://learn.hashicorp.com/vault/\n\nThings to try\n\n\nvault login\n(paste the token)\n\nvault status\n\nvault kv put secret/hello foo=world excited=yes\n\n\nvault kv get secret/hello\n\n\nvault kv get -format=json secret/hello\n\nvault kv get -format=json secret/hello | jq -r .data.excited\n\nvault kv get -field=excited secret/hello\n\n(If secret/ is a kv version 2 engine, the JSON nests the fields one level deeper, so the jq path is .data.data.excited; -field works the same for both versions.)\n\n\nJust like a filesystem, Vault can enable a secrets engine at many different paths. Each path is completely isolated and cannot talk to other paths. For example, a kv secrets engine enabled at foo has no ability to communicate with a kv secrets engine enabled at bar.\n\n\nvault secrets enable -path=kv kv\n\n\nvault secrets list\nPath          Type         Accessor              Description\n----          ----         --------              -----------\ncubbyhole/    cubbyhole    cubbyhole_09638d43    per-token private secret storage\nidentity/     identity     identity_a1a80c13     identity store\nkv/           kv           kv_cc44a09b           n/a\nsecret/       kv           kv_67ccff83           key/value secret storage\nsys/          system       system_eb8c2cdd       system endpoints used for control, policy and debugging\n\n\n\n\nvault secrets disable kv/\n\n\n=========================================\n\nIntegrate with AWS\n\nvault secrets enable -path=aws aws\n\nvault write aws/config/root \\\n    access_key=${AWS_ACCESS_KEY_ID} \\\n    secret_key=${AWS_SECRET_ACCESS_KEY} \\\n    region=${AWS_DEFAULT_REGION}\n\n(These root credentials need IAM permissions to create users and attach policies; Vault uses them for every credential set generated below, so dedicate an IAM user to Vault rather than reusing workstation keys.)\n\n\nThe next step is to configure a role. A role in Vault is a human-friendly identifier to an action. Think of it as a symlink.\n\nVault knows how to create an IAM user via the AWS API, but it does not know what permissions, groups, and policies you want to attach to that user. This is where roles come in - roles map your configuration options to those API calls.\n\n\n\nvault write aws/roles/my-role \\\n        credential_type=iam_user \\\n        policy_document=-\u003c\u003cEOF\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"Stmt1426528957000\",\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ec2:*\"\n      ],\n      \"Resource\": [\n        \"*\"\n      ]\n    }\n  ]\n}\nEOF\n\n(This demo policy grants ec2:* on every resource. Every credential set minted from the role carries exactly this policy, so scope policy_document to what the consumer actually needs.)\n\n\nvault read aws/creds/my-role\nKey                Value\n---                -----\nlease_id           aws/creds/my-role/0bce0782-32aa-25ec-f61d-c026ff22106e\nlease_duration     768h\nlease_renewable    true\naccess_key         AKIAJELXXXXXXX\nsecret_key         WWeSnj00W+hHoHJMCXXXXXXXXXXXXXXXXX\nsecurity_token     \u003cnil\u003e\n\n\nEvery read returns a different access key / secret key pair.\n\n\nSuccess! The access and secret key can now be used to perform any EC2 operations within AWS. Notice that these keys are new, they are not the keys you entered earlier. If you were to run the command a second time, you would get a new access key pair. Each time you read from aws/creds/:name, Vault will connect to AWS and generate a new IAM user and key pair.\n\nTake careful note of the lease_id field in the output. This value is used for renewal, revocation, and inspection. Copy this lease_id to your clipboard. Note that the lease_id is the full path, not just the UUID at the end.\n\nUser names are generated like   vault-root-my-role-1542367188-3540\n\nDrop the generated users / access keys by revoking their leases (the first lease_id is the one from the read above):\n\nvault lease revoke aws/creds/my-role/0bce0782-32aa-25ec-f61d-c026ff22106e\nvault lease revoke aws/creds/my-role/c7a7c0ce-7e09-a5ae-d5c0-dbbf3eea326b\n\nRevoking the lease deletes the IAM user, so the keys stop working immediately rather than at the end of the 768h lease.\n\n===========================\n\nvault path-help aws\n\nDynamically shows the help for whatever backend is mounted at that path.\n\n\n============================================\n\nTokens\n\nToken authentication is enabled by default in Vault and cannot be disabled.\n\nThe \"child\" concept here is important: tokens always have a parent, and when that parent token is revoked, children can also be revoked all in one operation. This makes it easy, when removing access for a user, to remove access for all sub-tokens that user created as well.\n\n\nIn practice, operators should not use the token create command to generate Vault tokens for users or machines. Instead, those users or machines should authenticate to Vault using any of Vault's configured auth methods such as GitHub, LDAP, AppRole, etc. For legacy applications which cannot generate their own token, operators may need to create a token in advance.\n\n(The same goes for the demo root token at the top of these notes: it is for initial setup only and should be revoked once a real auth method is in place.)\n\n\n\n======================================\n\nAuth with GitHub\n\nvault auth enable -path=github github\n\n\nNext, configure the GitHub auth method. Each auth method has different configuration options, so please see the documentation for the full details. In this case, the minimal set of configuration is to map teams to policies.\n\n\nvault write auth/github/config organization=softasap\n\nvault write auth/github/map/teams/Owners value=default\nSuccess! Data written to: auth/github/map/teams/Owners\n\n\n==============================================\n\nvault auth list\nPath       Type      Accessor                Description\n----       ----      --------                -----------\ngithub/    github    auth_github_b740c9a4    n/a\ntoken/     token     auth_token_5f009385     token based credentials\n\n\nThis maps users to Vault policies by team within the GitHub organization: a member of the softasap Owners team who logs in with a GitHub personal access token gets the default policy.\n\n\n=====================================\n\n\nConsul can be used as the storage backend:\n\n\nstorage \"consul\" {\n  address = \"127.0.0.1:8500\"\n  path    = \"vault/\"\n}\n\nlistener \"tcp\" {\n address     = \"127.0.0.1:8200\"\n tls_disable = 1\n}\n\ntls_disable = 1 makes the listener speak plain HTTP, so tokens and secrets cross the wire unencrypted; that is acceptable only for a local demo bound to 127.0.0.1 as above. A listener reachable from other hosts needs tls_cert_file and tls_key_file instead.\n\n\n==========================================\n\n\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoronenko%2Fdevops-hashicorp-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvoronenko%2Fdevops-hashicorp-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoronenko%2Fdevops-hashicorp-vault/lists"}
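The aws/creds/my-role flow in the notes above (read a fresh IAM key pair, use it, then revoke the lease by its full lease_id) as an added shell example. This is not code from the Voronenko/devops-hashicorp-vault repo; it assumes the aws engine is mounted at aws/ with a role named my-role as in the notes, that VAULT_ADDR and VAULT_TOKEN are exported for the vault CLI, and the helper names vault_field and with_aws_creds are this example's own. It wraps one command so the credentials exist only for that command's lifetime and the IAM user Vault created is deleted afterwards, even when the command fails.

```shell
#!/usr/bin/env bash
# Added example (not from the Voronenko/devops-hashicorp-vault repo).
# Run one command with a fresh credential set from Vault's aws secrets engine,
# then revoke the lease so the IAM user Vault created is deleted again,
# whether or not the command succeeded.
#
# Assumes: the aws engine is mounted at aws/ with a role such as my-role (as in
# the notes), and VAULT_ADDR / VAULT_TOKEN are already exported for the vault CLI.
# Written as plain POSIX sh: no `local`, no arrays.

# Print the Value column for one Key of the two-column table that `vault read`
# prints (table read from stdin). Prints nothing if the key is absent.
vault_field() {
  awk -v k="$1" '$1 == k { print $2; exit }'
}

# with_aws_creds ROLE CMD [ARGS...]
# Reads aws/creds/ROLE once, runs CMD with AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
# set to the new pair, then revokes the lease. Returns CMD's exit status.
with_aws_creds() {
  wac_role="$1"; shift
  wac_out="$(vault read "aws/creds/$wac_role")" || return 1
  wac_lease="$(printf '%s\n' "$wac_out" | vault_field lease_id)"
  wac_key="$(printf '%s\n' "$wac_out" | vault_field access_key)"
  wac_secret="$(printf '%s\n' "$wac_out" | vault_field secret_key)"
  if [ -z "$wac_lease" ] || [ -z "$wac_key" ] || [ -z "$wac_secret" ]; then
    echo "with_aws_creds: could not parse 'vault read' output" >&2
    return 1
  fi
  # Run the command and capture its status instead of letting `set -e` abort
  # here: the revoke below must run either way.
  wac_status=0
  AWS_ACCESS_KEY_ID="$wac_key" AWS_SECRET_ACCESS_KEY="$wac_secret" "$@" || wac_status=$?
  # lease_id is the full path (aws/creds/ROLE/<uuid>), which is exactly what
  # `vault lease revoke` expects. Revocation deletes the generated IAM user.
  vault lease revoke "$wac_lease" >/dev/null \
    || echo "with_aws_creds: revoke of $wac_lease failed; it expires at its TTL" >&2
  return "$wac_status"
}

# Example call (needs a real Vault; kept as a comment so sourcing this file
# only defines the functions):
#   with_aws_creds my-role aws ec2 describe-instances --region eu-west-1
```

The revoke runs after the command whatever its exit status, but not if the shell itself is killed mid-command; for interactive use add a trap on EXIT and INT that revokes $wac_lease, otherwise the IAM user lingers until the 768h lease expires.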