Installing and Configuring VAULT – Secret & Credential Management Server
INSTALLING VAULT
install the required packages (unzip is needed to extract the download)
# yum -y update && yum -y install wget nano mlocate unzip
find the current release at https://vaultproject.io/downloads.html
# wget https://dl.bintray.com/mitchellh/vault/vault_0.3.1_linux_amd64.zip
create the Vault folder
# mkdir vault
move the downloaded file into the Vault folder
# mv vault_0.3.1_linux_amd64.zip vault
enter the Vault folder
# cd vault
extract the Vault archive (it is a zip file, not a tarball)
# unzip vault_0.3.1_linux_amd64.zip
copy the vault binary to /usr/local/bin
# cp vault /usr/local/bin
create the Vault configuration file
# nano kantor.conf
put the following into kantor.conf (tls_disable=1 runs the listener without TLS and 0.0.0.0 binds every interface; acceptable only for a lab)
backend "file" {path="vault"}
listener "tcp" {address="0.0.0.0:8200" tls_disable=1}
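As an added example (not part of the original guide), the script below checks a Vault config for the two weak listener settings in kantor.conf above and shows a hardened variant beside it; the certificate paths are assumptions, while tls_cert_file and tls_key_file are the tcp listener's standard TLS parameters.

```shell
#!/bin/sh
# Added example, not from the original guide: a pre-start check for the two
# weak settings in the kantor.conf above (TLS disabled, listener on every
# interface), shown beside a hardened variant. The certificate paths in the
# hardened variant are assumptions; tls_cert_file/tls_key_file are the
# listener's standard TLS parameters.

# Constructed copies: the config from the guide, and a hardened version.
weak_conf() {
  cat <<'EOF'
backend "file" {path="vault"}
listener "tcp" {address="0.0.0.0:8200" tls_disable=1}
EOF
}
hardened_conf() {
  cat <<'EOF'
backend "file" {path="vault"}
listener "tcp" {address="127.0.0.1:8200" tls_cert_file="/etc/vault/server.crt" tls_key_file="/etc/vault/server.key"}
EOF
}

# check_vault_conf <file>: prints one FINDING line per weak listener setting
# and returns 1 if any were found, 0 if the listener looks sane.
check_vault_conf() {
  findings=0
  while IFS= read -r line; do
    case $line in
      listener*) ;;
      *) continue ;;   # only listener stanzas are inspected
    esac
    case $line in
      *tls_disable=1*|*tls_disable=true*|*"tls_disable = 1"*|*"tls_disable = true"*)
        echo "FINDING: TLS disabled; tokens and secrets cross the network in clear"
        findings=$((findings + 1)) ;;
    esac
    case $line in
      *'address="0.0.0.0:'*|*'address = "0.0.0.0:'*)
        echo "FINDING: listener bound to all interfaces; bind to a trusted address"
        findings=$((findings + 1)) ;;
    esac
  done < "$1"
  [ "$findings" -eq 0 ]
}

# Usage: check_vault_conf /home/kantor/vault/kantor.conf || echo "fix before starting"
```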
start the Vault server (tip: run it inside screen so it survives logout)
# vault server -config=/home/kantor/vault/kantor.conf
run this, or save the address in .bash_profile
# export VAULT_ADDR='http://0.0.0.0:8200'
or start the program automatically after a reboot by adding these lines to /etc/rc.d/rc.local
export VAULT_ADDR='http://0.0.0.0:8200'
/usr/local/bin/vault server -config=/home/vault/kantor.conf &
# after a reboot Vault comes up sealed: the two commands below only succeed once it has
# been unsealed with 3 of the 5 keys (vault unseal); keeping the root token in rc.local
# also exposes it to anyone who can read that file
/usr/local/bin/vault auth 127c5bf8-ff00-31e9-970c-ff8fb4454xxx
/usr/local/bin/vault audit-enable file path=/var/log/vault.log
initialise Vault (only once, the first time the server is started)
# vault init
Key 1: 600975db5c7e38650062c2d93cc843367bbafc9746b1b371f94340fe1f9c0c2xxx
Key 2: 54a174cb6e79ada6d6da09890fc0a39222f4a59d7fea64fa82ac84e1b03594dxxx
Key 3: 8604a6438ce5b5cdd87e619f5356c455a519bdf32cc785014410823c4fab66dxxx
Key 4: 1addb1023919e3a698d920f0cfeb0ec25a99b9e7dcc0af28f699cc2ba22c484xxx
Key 5: c878638adb85fbcd967d48e6937d6905dd74a1898fed4ed33025caf65db2ba4xxx
Initial Root Token: 2a4130d6-964f-acfb-014f-3c91aa42dxxx
Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the Vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.
Vault does not store the master key. Without at least 3 keys,
your Vault will remain permanently sealed.
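As an added example (not part of the original guide), the script below splits captured `vault init` output in the layout shown above into one file per unseal key plus a separate root-token file, so the keys can be handed to different custodians instead of staying together in one terminal log; the sample output is constructed from the masked values above, and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. Splits captured `vault init`
# output into one file per unseal key plus a separate root-token file, so the
# keys can go to different custodians. Assumes the 0.3-era output layout
# shown above ("Key N: <hex>" and "Initial Root Token: <uuid>").

# Constructed sample in the layout of the real output above (values masked).
sample_init_output() {
  cat <<'EOF'
Key 1: 600975db5c7e38650062c2d93cc843367bbafc9746b1b371f94340fe1f9c0c2xxx
Key 2: 54a174cb6e79ada6d6da09890fc0a39222f4a59d7fea64fa82ac84e1b03594dxxx
Key 3: 8604a6438ce5b5cdd87e619f5356c455a519bdf32cc785014410823c4fab66dxxx
Key 4: 1addb1023919e3a698d920f0cfeb0ec25a99b9e7dcc0af28f699cc2ba22c484xxx
Key 5: c878638adb85fbcd967d48e6937d6905dd74a1898fed4ed33025caf65db2ba4xxx
Initial Root Token: 2a4130d6-964f-acfb-014f-3c91aa42dxxx
Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys.
EOF
}

# split_init_output <init-output-file> <outdir>
# Writes unseal-key-N and root-token (mode 600) under <outdir> (mode 700),
# prints the number of keys found, and fails unless all 5 keys were present.
split_init_output() {
  infile=$1; outdir=$2
  mkdir -p "$outdir" && chmod 700 "$outdir"
  found=0
  while IFS= read -r line; do
    case $line in
      "Key "[0-9]*": "*)
        idx=${line#Key }; idx=${idx%%:*}
        printf '%s\n' "${line#*: }" > "$outdir/unseal-key-$idx"
        chmod 600 "$outdir/unseal-key-$idx"
        found=$((found + 1)) ;;
      "Initial Root Token: "*)
        printf '%s\n' "${line#*: }" > "$outdir/root-token"
        chmod 600 "$outdir/root-token" ;;
    esac
  done < "$infile"
  if [ "$found" -ne 5 ]; then
    echo "expected 5 unseal keys, found $found: do not distribute" >&2
    return 1
  fi
  echo "$found"
}

# Usage (real run): vault init > init.txt && split_init_output init.txt ./custodians
# then hand each unseal-key-N to a different person and delete init.txt.
```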
check Vault
# vault status; ps ax|grep vault
USAGE
log in to Vault
# vault auth 2a4130d6-964f-acfb-014f-3c91aa42dxxx
store a secret
# vault write secret/kantor username=kantor password=apasaja domain=vault.kantor.co.id
Success! Data written to: secret/kantor
store the secret with an additional key (note that a write replaces the whole secret: username and domain from the previous write are gone, as the read below shows)
# vault write secret/kantor password=apasaja keterangan="passwordnya kantor"
Success! Data written to: secret/kantor
read the secret
# vault read secret/kantor
Key             Value
lease_id        secret/kantor/8fe1128a-c25a-6a05-4409-ed12e4ac7xxx
lease_duration  2592000
password        apasaja
keterangan      passwordnya kantor
delete the secret
# vault delete secret/kantor
Success! Deleted 'secret/kantor'
A backend is like a folder, a medium, or a mounted file system
create a generic backend
# vault mount generic
Successfully mounted 'generic' at 'generic'!
list the existing backends
# vault mounts
Path      Type     Description
generic/  generic
secret/   generic  generic secret storage
sys/      system   system endpoints used for control, policy and debugging
removing a backend also removes the secrets (data) stored in it
# vault unmount generic
Successfully unmounted 'generic/'!
Authentication sets up login using a Token as the identity
create a Token
# vault token-create
e0760b10-9cdb-ec78-39e2-480b4b806xxx
revoke a Token
# vault token-revoke e0760b10-9cdb-ec78-39e2-480b4b806xxx
log in using a Token
# vault auth 8c40f7b4-1380-8a33-8d3b-5efd2dddfxxx
Successfully authenticated! The policies that are associated
with this token are listed below:
root
Access Control List (ACL): defines a user's rights to Read, Write, or Deny on a backend, using a Policy written in an .hcl file.
view the policies
# vault policies
root
example ACL Policy saved as iqbal.hcl
path "secret/kantor/devops/iqbal" { policy = "write" }
path "secret/kantor/devops/iqbal/*" { policy = "write" }
path "auth/token/lookup-self" { policy = "read" }
This policy denies the sys/ backend, allows writing only to the listed paths under secret/, and allows only reading on auth/token/lookup-self.
Any path the policy does not mention is denied: Vault defaults to deny when not specified.
assign the Write policy on the secret backend to user iqbal
# vault policy-write iqbal iqbal.hcl
Policy 'iqbal' written.
add another Policy for user andri
# vault policy-write andri andri.hcl
Policy 'andri' written.
list the policies
# vault policies
iqbal
andri
root
delete a Policy
# vault policy-delete andri
Policy 'andri' deleted.
create a Token carrying the Policy for user iqbal
# vault token-create -policy="iqbal"
3c183cf2-822a-29de-ece2-393f9d964xxx
log in as user iqbal
# vault auth 3c183cf2-822a-29de-ece2-393f9d964xxx
Successfully authenticated! The policies that are associated
with this token are listed below:
iqbal
write a secret; only the user allowed by the ACL can read it:
# vault write secret/kantor/devops/iqbal nama=iqbal team=devops [email protected]
Success! Data written to: secret/kantor/devops/iqbal
when the same token is used to write to another user's path
# vault write secret/kantor/devops/andri nanya="lagi ngapain?"
Error writing data to secret/kantor/devops/andri: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/secret/kantor/devops/andri
Code: 400. Errors:
* permission denied
BACKEND = medium or folder > Mount
AUTHENTICATION = user or login > Token
ACL > Policy