An enviroment to play with Hashicorp Vault & learn it in depth
- Start the docker containers
docker compose up -d- Run the migration scripts
make migrate- Start vault in insecure mode
make vault- Set vault address in shell (On TLS use
https)
export VAULT_ADDR=http://127.0.0.1:8200- Enable role path in vault
vault auth enable approle- Create role for app
make role-create- Set role policy
make policy-create- Set database dsn secret
make dns-create- Run the app
make run- Get user orders
curl -q http://localhost:8080/order/101 | jq- Create directory
./vault/data
mkdir -p ./vault/data- Start server
sudo make vault-prod- Init the server
vault operator init- Unseal the server using 3 secrets, Secrets can be found in the output of the 3rd command
vault operator unseal- Login to the server, Token can be found in the output of the 3rd command
vault loginBefore we start make sure vault is up and running
- Create a role for vault in postgres db
docker exec -i db psql -U postgres -c "CREATE ROLE \"vault-ro\" NOINHERIT;"- Grant the ability to read all tables to vault role
docker exec -i db psql -U postgres -c "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"vault-ro\";"- Enable database secrets engine
vault secrets enable database- Create database configuration in vault
make vault-db- Create database role in vault
make db-role-create- Get sample database credentials
vault read database/creds/readonly- Check the database credentials in postgres
docker exec -i \
db \
psql -U postgres -c "SELECT usename, valuntil FROM pg_user;"- Read secrets from Vault
- Write secrets to Vault
- Connect to databse with secrets from Vault
- Create approle, policy for application
- Create a vault client with approle
- Read secrets from vault with approle policies
- Run vault in production mode
- Link vault with postgres
- Create/Read dynamic secrets