[~/Git/Vault-Presentation] export VAULT_ADDR='http://127.0.0.1:8200'
[~/Git/Vault-Presentation] ROOT_TOKEN=$(docker logs vault-server 2>&1| grep "Root Token"| awk '{print $3}')
[~/Git/Vault-Presentation] vault auth ${ROOT_TOKEN?}
Successfully authenticated! You are now logged in.
token: 85edb328-ca3d-8e0e-47ac-0f790a802bad
token_duration: 0
token_policies: [root]
Mount Database
$ vault secrets enable database
$ vault kv put database/config/postgresql \
plugin_name=postgresql-database-plugin \
allowed_roles="db-readonly, db-readwrite, db-dba" \
connection_url="postgresql://vault:vault@172.17.0.2:5432/postgres?sslmode=disable"
# Vault warns about this form (see the Output below): the password is embedded in connection_url and is readable by anyone who can read the config. Pass username=/password= separately with a templated URL (postgresql://{{username}}:{{password}}@…) so root rotation can be enabled; sslmode=disable also sends these credentials in cleartext and is only acceptable for a local demo.
$ vault kv put database/roles/db-readonly \
db_name=postgresql \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
renew_statements="ALTER ROLE \"{{name}}\" PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';" \
default_ttl="1h" \
max_ttl="24h"
$ vault kv put database/roles/db-readwrite \
db_name=postgresql \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
renew_statements="ALTER ROLE \"{{name}}\" PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';" \
default_ttl="1h" \
max_ttl="24h"
# SUPERUSER gives the dynamic user full control of the database server; keep max_ttl short and the db-dba policy tightly scoped. The trailing backslashes below are required, otherwise the remaining arguments (revocation/renew statements and TTLs) are never sent to Vault.
$ vault kv put database/roles/db-dba \
db_name=postgresql \
creation_statements="CREATE ROLE \"{{name}}\" WITH SUPERUSER LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';" \
revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
renew_statements="ALTER ROLE \"{{name}}\" PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';" \
default_ttl="1h" \
max_ttl="24h"
Output
[~/Git/Vault-Presentation] vault secrets enable database
Success! Enabled the database secrets engine at: database/
[~/Git/Vault-Presentation] vault kv put database/config/postgresql \
> plugin_name=postgresql-database-plugin \
> allowed_roles="db-readonly, db-readwrite, db-dba" \
> connection_url="postgresql://vault:vault@172.17.0.2:5432/postgres?sslmode=disable"
WARNING! The following warnings were returned from Vault:
* Password found in connection_url, use a templated url to enable root
rotation and prevent read access to password information.
[~/Git/Vault-Presentation] vault kv put database/roles/db-readonly \
> db_name=postgresql \
> creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
> GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
> revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
> renew_statements="ALTER ROLE \"{{name}}\" PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"> default_ttl="1h" \
> max_ttl="24h"
Success! Data written to: database/roles/db-readonly
[~/Git/Vault-Presentation] vault kv put database/roles/db-readwrite \
> db_name=postgresql \
> creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
> GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
> revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
> renew_statements="ALTER ROLE \"{{name}}\" PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"> default_ttl="1h" \
> max_ttl="24h"
Success! Data written to: database/roles/db-readwrite
[~/Git/Vault-Presentation] vault kv put database/roles/db-dba \
> db_name=postgresql \
> creation_statements="CREATE ROLE \"{{name}}\" WITH SUPERUSER LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"> revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
> renew_statements="ALTER ROLE \"{{name}}\" PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"> default_ttl="1h" \
> max_ttl="24h"
Success! Data written to: database/roles/db-dba
Create Policy
$ vault kv put sys/policy/db-readonly policy=@./policy/db-readonly.hcl
$ vault kv put sys/policy/db-readwrite policy=@./policy/db-readwrite.hcl
$ vault kv put sys/policy/db-dba policy=@./policy/db-dba.hcl
Output
[~/Git/Vault-Presentation/policy] vault kv put sys/policy/db-readonly rules=@./policy/db-readonly.hcl
Success! Data written to: sys/policy/db-readonly
[~/Git/Vault-Presentation/policy] vault kv put sys/policy/db-readwrite rules=@./policy/db-readwrite.hcl
Success! Data written to: sys/policy/db-readwrite
[~/Git/Vault-Presentation/policy] vault kv put sys/policy/db-dba rules=@./policy/db-dba.hcl
Success! Data written to: sys/policy/db-dba
$ vault login
$ vault kv get database/creds/db-readonly
Output
[~/Git/Vault-Presentation] vault login
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token 247e794b-69bc-63a3-de4c-deeacfc47e3c
token_accessor c597fca1-4d01-6de9-d1a6-68a24de34293
token_duration ∞
token_renewable false
token_policies [root]
[~/Git/Vault-Presentation] vault kv get database/creds/db-readonly
====== Data ======
Key Value
--- -----
password A1a-4zs7w06tz79r2r8r
username v-token-db-reado-v7s5471r2vxu6465stt9-1527075695
PostgreSQL Roles
postgres=# \du
List of roles
Role name | Attributes | Member of
--------------------------------------------------+------------------------------------------------------------+-----------
postgres | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
v-root-db-reado-9q5qzr86z9wutr7w3ppp-1527075188 | Password valid until 2018-06-24 07:33:13-04 | {}
v-root-db-reado-w100w44w8xq3p02rz85s-1527075118 | Password valid until 2018-06-24 07:32:03-04 | {}
v-root-db-reado-x64tpwzxr1qs48z13964-1527074949 | Password valid until 2018-06-24 07:29:14-04 | {}
v-token-db-reado-v7s5471r2vxu6465stt9-1527075695 | Password valid until 2018-06-24 07:41:40-04 | {}
vault | Superuser | {}