An environment to play with HashiCorp Vault and learn it in depth
- Start the docker containers: `docker compose up -d`
- Run the migration scripts: `make migrate`
- Start Vault in insecure mode: `make vault`
- Set the Vault address in your shell (use `https` when TLS is enabled): `export VAULT_ADDR=http://127.0.0.1:8200`
- Enable the AppRole auth method in Vault: `vault auth enable approle`
- Create the role for the app: `make role-create`
- Set the role policy: `make policy-create`
- Set the database DSN secret: `make dns-create`
- Run the app: `make run`
- Get a user's orders: `curl -q http://localhost:8080/order/101 | jq`
- Create the data directory `./vault/data`: `mkdir -p ./vault/data`
- Start the server: `sudo make vault-prod`
- Initialise the server: `vault operator init`
- Unseal the server with 3 of the unseal keys printed by `vault operator init` (the command takes one key per invocation): `vault operator unseal`
- Log in to the server with the root token printed by `vault operator init`: `vault login`
Before you start, make sure Vault is up and running.
- Create a role for Vault in the postgres database: `docker exec -i db psql -U postgres -c "CREATE ROLE \"vault-ro\" NOINHERIT;"`
- Grant the Vault role read access to all tables: `docker exec -i db psql -U postgres -c "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"vault-ro\";"`
- Enable the database secrets engine: `vault secrets enable database`
- Create the database configuration in Vault: `make vault-db`
- Create the database role in Vault: `make db-role-create`
- Get sample database credentials: `vault read database/creds/readonly`
- Check the generated credentials and their expiry (`valuntil`) in postgres: `docker exec -i db psql -U postgres -c "SELECT usename, valuntil FROM pg_user;"`
- Read secrets from Vault
- Write secrets to Vault
- Connect to the database with secrets from Vault
- Create an AppRole and policy for the application
- Create a Vault client with AppRole
- Read secrets from Vault with AppRole policies
- Run Vault in production mode
- Link Vault with postgres
- Create/Read dynamic secrets
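As an added example (not code from this repository), a minimal standard-library Python client covering the AppRole login, dynamic-credential and lease steps listed above; it assumes the AppRole method is mounted at `auth/approle`, the `readonly` database role from this README, and that `role_id`/`secret_id` are supplied by the caller rather than hard-coded.

```python
import json
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # same address the README exports


def _request(addr, method, path, token=None, body=None):
    """Send one Vault HTTP API call and return the decoded JSON (None on 204)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def parse_login(resp):
    """Return (client_token, ttl_seconds) from an AppRole login response."""
    return resp["auth"]["client_token"], resp["auth"]["lease_duration"]


def parse_creds(resp):
    """Return the dynamic DB user plus the lease details needed to renew or revoke it."""
    return {
        "username": resp["data"]["username"],
        "password": resp["data"]["password"],
        "lease_id": resp["lease_id"],
        "lease_duration": resp["lease_duration"],
        "renewable": resp["renewable"],
    }


def approle_login(role_id, secret_id, addr=VAULT_ADDR):
    """Exchange role_id/secret_id for a token limited to the role's policies."""
    body = {"role_id": role_id, "secret_id": secret_id}
    return parse_login(_request(addr, "POST", "auth/approle/login", body=body))


def read_db_creds(token, addr=VAULT_ADDR, role="readonly"):
    """Ask the database secrets engine for a fresh, short-lived postgres user."""
    return parse_creds(_request(addr, "GET", f"database/creds/{role}", token=token))


def revoke_lease(token, lease_id, addr=VAULT_ADDR):
    """Revoke the lease early so the postgres user is dropped once the app is done."""
    _request(addr, "PUT", "sys/leases/revoke", token=token, body={"lease_id": lease_id})
```

Revoking the lease on shutdown, rather than letting it expire, keeps the number of live postgres users equal to the number of running app instances.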