This repo contains a single Vault server in AWS using the file storage backend.
_ THIS IS NOT FOR PRODUCTION _
- Deploy Vault with Auto Unseal
- Deploy Vault Database Secrets Engine to manage Postgres RDS instances
- Database Root Credential Password Rotation with Vault
- Set this location as your working directory
- Set your AWS credentials as environment variables:
  AWS_ACCESS_KEY_ID
  and AWS_SECRET_ACCESS_KEY
- Set option variables by renaming terraform.tfvars.example to terraform.tfvars and edit the values to your needs.
- Grab the latest version of [Terraform](https://www.terraform.io/downloads.html)
$ terraform init
$ terraform plan
$ terraform apply
- Look in the terraform output for the server ssh info
$ ssh -i private.key ubuntu@<IP_ADDRESS>
$ vault status
$ cat /opt/vault/setup/vault.unseal.info
$ vault login <INITIAL_ROOT_TOKEN>
The unseal info file leaves the initial root token readable on the server's disk, and every step below runs with that root token; both are acceptable only because this is a demo. In anything real, revoke the initial root token (`vault token revoke <INITIAL_ROOT_TOKEN>`) as soon as auth methods and policies are in place.
Run the script /opt/vault/nginx_demo.sh
$ vault login <INITIAL_ROOT_TOKEN>
$ vault read database/creds/admin-role
$ psql -h <YOUR_AMAZON_PUBLIC_DNS> -d proddb -U <USERNAME> -W
The username and password are the ones returned by the vault read above; -W makes psql prompt for the password. Each vault read of that path creates a new Postgres user with its own lease, so read once and reuse the values.
-- List roles and their attributes (what psql's \du runs); the dynamic user from Vault should appear here.
SELECT u.usename AS "Role name",
  CASE WHEN u.usesuper AND u.usecreatedb THEN CAST('superuser, create database' AS pg_catalog.text)
       WHEN u.usesuper THEN CAST('superuser' AS pg_catalog.text)
       WHEN u.usecreatedb THEN CAST('create database' AS pg_catalog.text)
       ELSE CAST('' AS pg_catalog.text)
  END AS "Attributes"
FROM pg_catalog.pg_user u
ORDER BY 1;
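As an added example (not code from this repo), the following script takes one set of dynamic credentials from the database secrets engine, uses it for the same role listing, and then revokes the lease explicitly instead of leaving the Postgres user alive until its TTL expires. It assumes VAULT_ADDR and VAULT_TOKEN are set, the role path database/creds/admin-role from above, and a DB_HOST variable holding the RDS endpoint; the SAMPLE_RESPONSE at the end is a constructed copy of the response shape with invented values, used only to exercise the field parsers offline.

```shell
#!/bin/sh
# Added example, not part of this repo: fetch one set of dynamic Postgres
# credentials from Vault, use them, then revoke the lease when done.
# Assumes VAULT_ADDR/VAULT_TOKEN are set, the README's role path
# database/creds/admin-role, and DB_HOST set to the RDS endpoint (placeholder).

# Pull a string field ("key": "value") out of a `vault read -format=json` body.
json_str() { # usage: printf '%s\n' "$json" | json_str KEY
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}
# Pull a numeric field out of the same body.
json_num() { # usage: printf '%s\n' "$json" | json_num KEY
  sed -n "s/.*\"$1\": *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Every `vault read` of this path mints a new user in Postgres, so read the
# response once as JSON and parse it rather than calling -field= three times.
get_creds() { vault read -format=json database/creds/admin-role; }

use_and_revoke() {
  creds=$(get_creds) || return 1
  user=$(printf '%s\n' "$creds" | json_str username)
  pass=$(printf '%s\n' "$creds" | json_str password)
  lease=$(printf '%s\n' "$creds" | json_str lease_id)
  ttl=$(printf '%s\n' "$creds" | json_num lease_duration)
  echo "using $user for up to ${ttl}s (lease $lease)"
  # Same role listing as the README's query, run as the dynamic user.
  PGPASSWORD="$pass" psql -h "${DB_HOST:?set DB_HOST}" -d proddb -U "$user" -c '\du'
  # Drop the user now; otherwise the lease lives out its full TTL.
  vault lease revoke "$lease"
}

# Constructed sample of what `vault read -format=json` returns for this path
# (values invented for illustration), used to exercise the parsers offline.
SAMPLE_RESPONSE='{
  "request_id": "00000000-0000-0000-0000-000000000000",
  "lease_id": "database/creds/admin-role/abc123",
  "lease_duration": 3600,
  "renewable": true,
  "data": {
    "password": "A1a-example",
    "username": "v-token-admin-role-abc123"
  }
}'

# Live run (needs Vault, psql and DB_HOST):
#   use_and_revoke
```

The parsers are deliberately dependency-free (sed only) so the script runs on a bare Ubuntu host; with jq available, `jq -r .data.username` is the cleaner choice.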
$ vault login
$ vault write transit/encrypt/orders plaintext=$(base64 <<< "4111 1111 1111 1111")
$ vault write transit/decrypt/orders ciphertext="<CIPHERTEXT_FROM_ABOVE>"
$ base64 -d <<< <PLAINTEXT_FROM_ABOVE>
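An added example (not from this repo) of the same transit round trip as shell functions. It also shows a detail the one-liners above hide: `base64 <<< "..."` encodes a trailing newline, so the decrypted value comes back with a "\n" appended; `printf '%s'` keeps the plaintext byte-exact. It assumes VAULT_ADDR and VAULT_TOKEN are set and the transit key orders from above.

```shell
#!/bin/sh
# Added example, not part of this repo: transit encrypt/decrypt round trip
# that keeps the plaintext byte-exact. Assumes VAULT_ADDR/VAULT_TOKEN are set
# and the key transit/orders from the README.

# Base64 with no trailing newline in the plaintext (printf, not a here-string)
# and no line wrapping in the output.
b64_encode() { printf '%s' "$1" | base64 | tr -d '\n'; }

# What `base64 <<< "$1"` does: the here-string appends a newline, so the
# ciphertext protects "4111 ... 1111\n" and the decrypted value ends in "\n".
b64_encode_with_newline() { printf '%s\n' "$1" | base64 | tr -d '\n'; }

# Encrypt: Vault returns a "vault:v1:..." string in the ciphertext field.
transit_encrypt() { # usage: transit_encrypt KEYNAME PLAINTEXT
  vault write -field=ciphertext "transit/encrypt/$1" "plaintext=$(b64_encode "$2")"
}

# Decrypt: Vault returns base64 plaintext; decode it back to the original bytes.
transit_decrypt() { # usage: transit_decrypt KEYNAME CIPHERTEXT
  vault write -field=plaintext "transit/decrypt/$1" "ciphertext=$2" | base64 -d
}

# Round trip (needs a live Vault):
#   ct=$(transit_encrypt orders "4111 1111 1111 1111")
#   pt=$(transit_decrypt orders "$ct")
#   [ "$pt" = "4111 1111 1111 1111" ] && echo "round trip ok"
```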
The Vault server address used below (<VAULT_IP>) is in the terraform output. On each host that should accept Vault-signed SSH certificates, install the CA public key:
$ sudo curl -o /etc/ssh/trusted-user-ca-keys.pem http://<VAULT_IP>:8200/v1/ssh-client-signer/public_key
or
$ sudo su -
# VAULT_ADDR=http://<VAULT_IP>:8200 vault read -field=public_key ssh-client-signer/config/ca > /etc/ssh/trusted-user-ca-keys.pem
This key is fetched over plain HTTP. Check its fingerprint (`ssh-keygen -lf /etc/ssh/trusted-user-ca-keys.pem`) against the one shown on the Vault server before trusting it: whoever controls the key that sshd trusts here can sign a certificate for any principal the role allows.
$ sudo vi /etc/ssh/sshd_config
# ...
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
$ sudo systemctl restart sshd
$ ssh-keygen -t rsa -C "ubuntu"
$ vault login
$ vault write ssh-client-signer/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub
$ vault write -field=signed_key ssh-client-signer/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub > signed-cert.pub
$ ssh -i signed-cert.pub -i ~/.ssh/id_rsa ubuntu@<YOUR_AWS_HOST>
Host bastion
    Hostname <BASTION_HOST>
    User ubuntu
    IdentityFile ~/.ssh/id_rsa
    CertificateFile ~/.ssh/signed-cert.pub
Host <SSH_HOST>
    User ubuntu
    IdentityFile ~/.ssh/id_rsa
    CertificateFile ~/.ssh/signed-cert.pub
    ProxyCommand ssh -W %h:%p bastion
Both hosts need CertificateFile: ssh only auto-discovers a certificate named ~/.ssh/id_rsa-cert.pub, and the signed key was saved as signed-cert.pub.
$ ssh -i signed-cert.pub -i ~/.ssh/id_rsa ubuntu@<YOUR_AWS_HOST>
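As an added example (not code from this repo), the following script does the SSH CA steps above without hand-editing sshd_config: it refuses a fetched CA key that ssh-keygen cannot parse, sets TrustedUserCAKeys exactly once, validates sshd_config before restarting (a bad config locks you out of the host), and prints what Vault actually put in the signed certificate before you try to log in with it. It assumes VAULT_ADDR points at the Vault server from the terraform output and the mount ssh-client-signer and role my-role from above.

```shell
#!/bin/sh
# Added example, not part of this repo: install the Vault SSH CA key on a target
# host, validate sshd_config before restart, and inspect a signed certificate.
# Assumes VAULT_ADDR is set and the README's mount (ssh-client-signer) and
# role (my-role).

CA_FILE=/etc/ssh/trusted-user-ca-keys.pem

# Fetch the CA public key and refuse it unless ssh-keygen can parse it. Compare
# the printed fingerprint with one obtained out of band: the README fetches this
# key over plain HTTP, and whoever can swap it can mint certificates this host
# will accept.
fetch_ca_key() { # usage: fetch_ca_key DEST_PATH
  vault read -field=public_key ssh-client-signer/config/ca > "$1.tmp" || return 1
  ssh-keygen -lf "$1.tmp" || { rm -f "$1.tmp"; echo "not an SSH public key" >&2; return 1; }
  mv "$1.tmp" "$1"
}

# Set TrustedUserCAKeys exactly once: replace an existing directive, else append.
set_trusted_ca_keys() { # usage: set_trusted_ca_keys SSHD_CONFIG CA_PATH
  cfg=$1 capath=$2
  if grep -q '^TrustedUserCAKeys ' "$cfg"; then
    sed "s|^TrustedUserCAKeys .*|TrustedUserCAKeys $capath|" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  else
    printf 'TrustedUserCAKeys %s\n' "$capath" >> "$cfg"
  fi
}

# Validate the config first; restarting sshd with a broken config locks you out.
apply_sshd_config() {
  /usr/sbin/sshd -t && systemctl restart sshd
}

# Sign a public key and show the issued certificate (principals, validity
# window, extensions) before trying to log in with it.
sign_and_inspect() { # usage: sign_and_inspect PUBKEY_PATH CERT_OUT
  vault write -field=signed_key ssh-client-signer/sign/my-role "public_key=@$1" > "$2" || return 1
  ssh-keygen -L -f "$2"
}

# On the target host, as root:
#   fetch_ca_key "$CA_FILE" && set_trusted_ca_keys /etc/ssh/sshd_config "$CA_FILE" && apply_sshd_config
# On the client:
#   sign_and_inspect ~/.ssh/id_rsa.pub ~/.ssh/signed-cert.pub
```

The `ssh-keygen -L` output is worth reading once: the Principals line is the list of users the certificate may log in as, and the Valid line shows how short-lived the role makes it, which is the whole reason to prefer CA-signed certificates over long-lived authorized_keys entries.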
$ terraform destroy -auto-approve   # -force on Terraform releases older than 0.12
$ rm -rf .terraform terraform.tfstate*