In this tutorial we will use the Vault API to create a user and allow that user to write/read key/value pairs from a given path.
Related Posts:
- Setup a Vault Server on Docker
- Getting Started with the Vault CLI
- Use the S3 Storage Backend to Persist Data
- Create Secrets with Vault's Transit Secret Engine
Credentials / Authentication
Export Vault Root Tokens:
Check the vault status:
Do a lookup for the root user:
Create the Roles
Create the AppRole:
Create the test policy:
Attach the policy to the AppRole:
Enable the kv store:
Create the User Credentials
Get the role_id:
Create the secret_id:
Create the token with the role_id and secret_id:
Create KV Pairs with New User
Export the user auth with the received token:
Verify that you can look up your own token info:
Create a KV pair:
Read the secret from the KV pair:
Try to write outside the allowed path:
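The user-side steps above (AppRole login, a KV write and read inside the allowed path, then a write outside it) as one added Python script against the Vault HTTP API; this is example code, not the tutorial's own commands. It assumes a KV v2 mount named `secret`, a policy scoped to `secret/data/myapp/*`, and takes the Vault address, role_id and secret_id as parameters; the `transport` argument is there so the flow can be exercised against a stub.

```python
import json
import os
import urllib.error
import urllib.request

# Assumed values (not from the tutorial): KV v2 mount "secret", policy scoped to prefix "myapp".
MOUNT, PREFIX = "secret", "myapp"
def kv_policy(mount=MOUNT, prefix=PREFIX):
    """HCL for the test policy: create/read/update under one KV v2 data path and nothing else."""
    return f'path "{mount}/data/{prefix}/*" {{\n  capabilities = ["create", "read", "update"]\n}}\n'
def http_transport(method, url, token, body=None):
    """One call to the Vault HTTP API; returns (status, decoded JSON body or {})."""
    req = urllib.request.Request(url, method=method,
                                 data=json.dumps(body).encode() if body is not None else None)
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, json.loads(raw) if raw else {}
    except urllib.error.HTTPError as err:  # policy denials come back as 403 + {"errors": [...]}
        raw = err.read()
        return err.code, json.loads(raw) if raw else {}
def approle_login(addr, role_id, secret_id, transport=http_transport):
    """Exchange role_id + secret_id for a client token that carries the role's policies."""
    status, body = transport("POST", f"{addr}/v1/auth/approle/login", None,
                             {"role_id": role_id, "secret_id": secret_id})
    if status != 200:
        raise RuntimeError(f"AppRole login failed: {status} {body.get('errors')}")
    return body["auth"]["client_token"]
def kv_write(addr, token, path, data, transport=http_transport):
    """KV v2 write; returns the HTTP status so a 403 outside the policy is visible, not fatal."""
    status, _ = transport("POST", f"{addr}/v1/{MOUNT}/data/{path}", token, {"data": data})
    return status
def kv_read(addr, token, path, transport=http_transport):
    """KV v2 read; the secret's key/value pairs sit under data.data in the response."""
    status, body = transport("GET", f"{addr}/v1/{MOUNT}/data/{path}", token)
    if status != 200:
        raise RuntimeError(f"read of {path} failed: {status} {body.get('errors')}")
    return body["data"]["data"]
def run_flow(addr, role_id, secret_id, transport=http_transport):
    """Tutorial steps as the new user: login, write inside the path, read it back, write outside."""
    token = approle_login(addr, role_id, secret_id, transport)
    inside = kv_write(addr, token, f"{PREFIX}/db", {"username": "app", "password": "s3cr3t"}, transport)
    read_back = kv_read(addr, token, f"{PREFIX}/db", transport)
    outside = kv_write(addr, token, "other/db", {"leak": "no"}, transport)  # expect 403
    return {"inside_status": inside, "read_back": read_back, "outside_status": outside}
if __name__ == "__main__":  # VAULT_ADDR, ROLE_ID and SECRET_ID come from the root-token steps above
    print(run_flow(os.environ["VAULT_ADDR"], os.environ["ROLE_ID"], os.environ["SECRET_ID"]))
```

The last write is the check that matters: a 403 with `permission denied` on `other/db` shows the token is confined to the policy's path rather than inheriting root access.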