Installing and Configuring VAULT – Secret & Credential Management Server

21 October 2015

VAULT INSTALLATION

Install the required packages (unzip is needed to extract the download)
# yum -y update && yum -y install wget nano mlocate unzip

find the download link at https://vaultproject.io/downloads.html
# wget https://dl.bintray.com/mitchellh/vault/vault_0.3.1_linux_amd64.zip

create the Vault folder
# mkdir vault

move the downloaded file into the Vault folder
# mv vault_0.3.1_linux_amd64.zip vault

enter the Vault folder
# cd vault

extract the Vault archive (it is a zip file, so use unzip rather than tar)
# unzip vault_0.3.1_linux_amd64.zip

copy the vault binary to /usr/local/bin
# cp vault /usr/local/bin

create the Vault configuration file
# nano kantor.conf

put the following in kantor.conf (tls_disable=1 makes the listener speak plain HTTP, so tokens and secrets cross the network unencrypted; keep that for testing or a trusted network only)
backend "file" {
  # relative to the directory the server is started from; use an absolute path when starting from rc.local
  path = "vault"
}
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

run the Vault server (tip: run it inside screen)
# vault server -config=/home/kantor/vault/kantor.conf

run this, or save the address in .bash_profile
# export VAULT_ADDR='http://0.0.0.0:8200'

or make it start automatically after a reboot by adding the following to /etc/rc.d/rc.local
export VAULT_ADDR='http://0.0.0.0:8200'
# run the server in the background so the lines after it are reached (the binary was copied to /usr/local/bin above)
/usr/local/bin/vault server -config=/home/kantor/vault/kantor.conf &
# after a restart Vault comes up sealed, so the two commands below only succeed once it has been unsealed;
# audit-enable is persistent and only needs to be run once
/usr/local/bin/vault auth 127c5bf8-ff00-31e9-970c-ff8fb4454xxx
/usr/local/bin/vault audit-enable file path=/var/log/vault.log

initialize Vault; this prints the unseal keys and the initial root token exactly once, so store them securely
# vault init

Key 1: 600975db5c7e38650062c2d93cc843367bbafc9746b1b371f94340fe1f9c0c2xxx
Key 2: 54a174cb6e79ada6d6da09890fc0a39222f4a59d7fea64fa82ac84e1b03594dxxx
Key 3: 8604a6438ce5b5cdd87e619f5356c455a519bdf32cc785014410823c4fab66dxxx
Key 4: 1addb1023919e3a698d920f0cfeb0ec25a99b9e7dcc0af28f699cc2ba22c484xxx
Key 5: c878638adb85fbcd967d48e6937d6905dd74a1898fed4ed33025caf65db2ba4xxx
Initial Root Token: 2a4130d6-964f-acfb-014f-3c91aa42dxxx

Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the Vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.

Vault does not store the master key. Without at least 3 keys,
your Vault will remain permanently sealed.

check Vault (right after init the status shows it as sealed; as the init output says, three of the keys above must be given to vault unseal before the server will serve requests)
# vault status; ps ax|grep vault
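The init output above leaves the server sealed, and the post goes straight on to `vault auth`, which only works on an unsealed Vault. As an added example (not part of the original post), this POSIX shell script parses that exact output format and feeds the first three keys to `vault unseal`; the sample output is constructed from the redacted values shown above, and `unseal_from_init` assumes VAULT_ADDR is exported and the vault binary is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: parse `vault init` output and
# unseal with the first <threshold> keys. The constructed sample below uses
# the redacted (xxx) values printed in the post, so they are not real keys.
INIT_OUTPUT='Key 1: 600975db5c7e38650062c2d93cc843367bbafc9746b1b371f94340fe1f9c0c2xxx
Key 2: 54a174cb6e79ada6d6da09890fc0a39222f4a59d7fea64fa82ac84e1b03594dxxx
Key 3: 8604a6438ce5b5cdd87e619f5356c455a519bdf32cc785014410823c4fab66dxxx
Key 4: 1addb1023919e3a698d920f0cfeb0ec25a99b9e7dcc0af28f699cc2ba22c484xxx
Key 5: c878638adb85fbcd967d48e6937d6905dd74a1898fed4ed33025caf65db2ba4xxx
Initial Root Token: 2a4130d6-964f-acfb-014f-3c91aa42dxxx

Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys.'

# Print unseal key number $1 (1-based) from init output read on stdin.
init_key() {
  awk -v n="$1" '$1 == "Key" && $2 == (n ":") { print $3 }'
}

# Print the initial root token from init output read on stdin.
init_root_token() {
  awk '$1 == "Initial" && $2 == "Root" { print $4 }'
}

# Print the key threshold (how many keys are needed to unseal).
init_threshold() {
  sed -n 's/.*key threshold of \([0-9]*\).*/\1/p'
}

# Feed the first <threshold> keys to `vault unseal`. Each call reports the
# unseal progress; after the last one `vault status` shows Sealed: false.
# Assumes VAULT_ADDR is exported and `vault` is on PATH.
unseal_from_init() {
  threshold=$(printf '%s\n' "$INIT_OUTPUT" | init_threshold)
  i=1
  while [ "$i" -le "$threshold" ]; do
    key=$(printf '%s\n' "$INIT_OUTPUT" | init_key "$i")
    vault unseal "$key" || return 1
    i=$((i + 1))
  done
  vault status
}

# Stand-alone demonstration of the parsing on the sample output.
printf 'root token: %s, threshold: %s\n' \
  "$(printf '%s\n' "$INIT_OUTPUT" | init_root_token)" \
  "$(printf '%s\n' "$INIT_OUTPUT" | init_threshold)"
```

In real use capture the output once, e.g. `INIT_OUTPUT=$(vault init)`, then call `unseal_from_init`; the root token printed by `init_root_token` is what the `vault auth` step below expects.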

USAGE
log in to Vault
# vault auth 2a4130d6-964f-acfb-014f-3c91aa42dxxx

store a secret
# vault write secret/kantor username=kantor password=apasaja domain=vault.kantor.co.id

Success! Data written to: secret/kantor

write the secret again with a different set of keys (a write replaces the data at that path rather than merging it; the read below shows only the keys from this last write)
# vault write secret/kantor password=apasaja keterangan="passwordnya kantor"

Success! Data written to: secret/kantor

read the secret
# vault read secret/kantor

Key             Value
lease_id        secret/kantor/8fe1128a-c25a-6a05-4409-ed12e4ac7xxx
lease_duration  2592000
password        apasaja
keterangan      passwordnya kantor

delete the secret
# vault delete secret/kantor

Success! Deleted 'secret/kantor'

A backend is like a folder, a medium or a mounted file system
create a generic backend
# vault mount generic

Successfully mounted 'generic' at 'generic'!

list the existing backends
# vault mounts

Path      Type     Description
generic/  generic
secret/   generic  generic secret storage
sys/      system   system endpoints used for control, policy and debugging

remove a backend (this also deletes the secrets, i.e. the data, stored in it)
# vault unmount generic

Successfully unmounted 'generic/'!

Authentication: a login is identified by a token
create a token
# vault token-create

e0760b10-9cdb-ec78-39e2-480b4b806xxx

revoke a token
# vault token-revoke e0760b10-9cdb-ec78-39e2-480b4b806xxx

log in using a token
# vault auth 8c40f7b4-1380-8a33-8d3b-5efd2dddfxxx

Successfully authenticated! The policies that are associated
with this token are listed below:

root

Access Control List (ACL): grants a user read, write or deny rights on a backend through a policy written in an .hcl file.
list policies
# vault policies

root

example ACL policy, saved as iqbal.hcl
path "secret/kantor/devops/iqbal" {policy="write"}
path "secret/kantor/devops/iqbal/*" {policy="write"}
path "auth/token/lookup-self" {policy="read"}

This policy has no rule for the sys/ backend, so access there is denied; it allows writing under its own path in the secret/ backend and only allows reading on auth/token/lookup-self.
Any path the policy does not mention is denied (default deny): Vault defaults to deny when nothing is specified.

register the write policy on the secret backend for user iqbal.
# vault policy-write iqbal iqbal.hcl

Policy 'iqbal' written.

add another policy for user andri
# vault policy-write andri andri.hcl

Policy 'andri' written.

list the policies
# vault policies

iqbal
andri
root

delete a policy
# vault policy-delete andri

Policy 'andri' deleted.

create a token bound to the policy for user iqbal
# vault token-create -policy="iqbal"

3c183cf2-822a-29de-ece2-393f9d964xxx

log in as user iqbal
# vault auth 3c183cf2-822a-29de-ece2-393f9d964xxx

Successfully authenticated! The policies that are associated
with this token are listed below:

iqbal

write a secret that only the user permitted by the ACL can read:
# vault write secret/kantor/devops/iqbal nama=iqbal team=devops [email protected]
Success! Data written to: secret/kantor/devops/iqbal

when the same token is used to write to another user's secret (the value contains a space, so it has to be quoted)
# vault write secret/kantor/devops/andri nanya="lagi ngapain?"
Error writing data to secret/kantor/devops/andri: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/secret/kantor/devops/andri
Code: 400. Errors:

* permission denied
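As an added illustration (not from the original post, and a simplified model rather than Vault's own code), this POSIX shell function evaluates the iqbal.hcl policy shown earlier the way Vault 0.3 did: a rule path ending in * matches as a prefix, the longest matching rule wins, write also grants read, and anything unmatched is denied, which is why the write to secret/kantor/devops/andri above fails with permission denied. The policy file is constructed inline from the three lines of iqbal.hcl.

```shell
#!/bin/sh
# Added example, not from the original post: a simplified model of how
# Vault 0.3 evaluated a policy file like iqbal.hcl (real Vault also knows
# "sudo", and newer versions use capability lists instead of policy levels).
POLICY=$(mktemp)
cat > "$POLICY" <<'EOF'
path "secret/kantor/devops/iqbal" {policy="write"}
path "secret/kantor/devops/iqbal/*" {policy="write"}
path "auth/token/lookup-self" {policy="read"}
EOF

# check_acl <policy-file> <request-path> <read|write>  -> prints allow|deny
check_acl() {
  policy_file=$1; req_path=$2; op=$3
  best_len=-1; best_policy=deny          # no matching rule: default deny
  while IFS= read -r line; do
    rule_path=$(printf '%s\n' "$line" | sed -n 's/^path "\([^"]*\)".*/\1/p')
    [ -n "$rule_path" ] || continue      # skip blank or non-rule lines
    rule_policy=$(printf '%s\n' "$line" | sed -n 's/.*policy *= *"\([^"]*\)".*/\1/p')
    case "$rule_path" in
      *\*)                               # trailing "*": prefix match
        prefix=${rule_path%\*}
        case "$req_path" in "$prefix"*) matched=1 ;; *) matched=0 ;; esac ;;
      *)                                 # otherwise the path must match exactly
        [ "$req_path" = "$rule_path" ] && matched=1 || matched=0 ;;
    esac
    [ "$matched" -eq 1 ] || continue
    if [ "${#rule_path}" -gt "$best_len" ]; then   # longest matching rule wins
      best_len=${#rule_path}; best_policy=$rule_policy
    fi
  done < "$policy_file"
  case "$op:$best_policy" in
    read:read|read:write|write:write) echo allow ;;   # write implies read
    *)                                echo deny ;;
  esac
}

# Walk the requests from the post: iqbal's own path is allowed, andri's is not.
for req in "secret/kantor/devops/iqbal write" "secret/kantor/devops/andri write" \
           "auth/token/lookup-self read" "auth/token/lookup-self write" "sys/mounts read"; do
  set -- $req
  printf '%-32s %-5s -> %s\n' "$1" "$2" "$(check_acl "$POLICY" "$1" "$2")"
done
```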

BACKEND = medium or folder > mount
AUTHENTICATION = user or login > token
ACL > policy


Category: CentOS, Work, Unix
