Show how dynamic secrets in Vault work.
This setup consists of:
- An instance running Vault.
- An instance running MySQL.
Prerequisites:
- A Digital Ocean API key saved in the environment variable TF_VAR_do_token.
- Terraform installed.
- Ansible installed.
Download the Ansible roles:
ansible-galaxy install -r roles/requirements.yml -f
Now you can start the machines and configure them:
./playbook.yml
The values for VAULT_IP and MYSQL_IP can be found using:
cd terraform
terraform output
Export them so that the following commands can reach the instances:
export VAULT_IP=w.x.y.z
export MYSQL_IP=v.w.x.y
export VAULT_ADDR=http://${VAULT_IP}:8200
vault login
The token is saved in group_vars/vault/vault-unseal.yml.
vault secrets enable database
vault write database/config/my-mysql-database \
plugin_name=mysql-database-plugin \
connection_url="{{username}}:{{password}}@tcp(${MYSQL_IP}:3306)/" \
allowed_roles="my-role" \
username="vault" \
password="VAULTvault"
vault write database/roles/my-role \
db_name=my-mysql-database \
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
default_ttl="1h" \
max_ttl="24h"
vault read database/creds/my-role
Here is an example of the output:
Key                Value
---                -----
lease_id           database/creds/my-role/9yVEkp4GoGBmNK09jciSh6C8
lease_duration     1h
lease_renewable    true
password           XBz-3mSrHF9Bdfysj9JV
username           v-root-my-role-4fFsckJnXCrpBxEBt
Use the reported credentials to connect to MySQL with a client (install one first, e.g.):
dnf install mysql
mysql -u {{ USERNAME_AS_VAULT_REPORTED }} -p{{ PASSWORD_AS_VAULT_REPORTED }} -h ${MYSQL_IP}
At the mysql prompt, check that the generated user has read access:
show databases;
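Added example (not from the original README): a small POSIX shell helper that parses the key/value table `vault read` prints, converts the TTL, and wraps a single query so the lease is revoked as soon as the client is done instead of being left to expire. It assumes `vault`, `mysql` and the MYSQL_IP variable from above are available; the sample output embedded in it is constructed from the one shown earlier.

```shell
#!/bin/sh
# Constructed sample of `vault read database/creds/my-role` output (same shape
# as the table shown above), used to exercise the parser offline.
SAMPLE_OUTPUT='Key                Value
---                -----
lease_id           database/creds/my-role/9yVEkp4GoGBmNK09jciSh6C8
lease_duration     1h
lease_renewable    true
password           XBz-3mSrHF9Bdfysj9JV
username           v-root-my-role-4fFsckJnXCrpBxEBt'

# vault_field OUTPUT KEY: print the Value column for an exact KEY match.
# Values are whitespace-free in this output, so the second field is enough.
vault_field() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# lease_seconds TTL: convert the h/m/s suffixed duration Vault prints to seconds.
lease_seconds() {
    case "$1" in
        *h) echo $(( ${1%h} * 3600 )) ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo "${1%s}" ;;
        *)  echo "$1" ;;
    esac
}

# with_dynamic_creds ROLE QUERY: request a fresh credential, run one query
# with it, then revoke the lease right away rather than waiting for the TTL.
with_dynamic_creds() {
    out=$(vault read "database/creds/$1") || return 1
    user=$(vault_field "$out" username)
    pass=$(vault_field "$out" password)
    lease=$(vault_field "$out" lease_id)
    echo "lease $lease valid for $(lease_seconds "$(vault_field "$out" lease_duration)")s"
    # MYSQL_PWD keeps the password out of the process list, unlike -p<pw>.
    MYSQL_PWD="$pass" mysql -u "$user" -h "$MYSQL_IP" -e "$2"
    rc=$?
    vault lease revoke "$lease"
    return $rc
}
```

Call it as `with_dynamic_creds my-role 'show databases;'` once VAULT_ADDR, the login token and MYSQL_IP are set; the revoked user disappears from MySQL immediately, which is the property that makes dynamic secrets useful.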
When you are done, tear the instances down:
cd terraform
terraform destroy