Dynamic secrets are generated on access, that is, a dynamic secret does not exist until it is read, so there is no risk of it being stolen beforehand or of another client using the same secret. Because Vault has a built-in revocation mechanism, a dynamic secret can be revoked as soon as it has been used, keeping the time the secret exists to a minimum.
The official getting-started guide walks through the AWS engine:
https://learn.hashicorp.com/tutorials/vault/getting-started-dynamic-secrets?in=vault/getting-started
Guides are also provided for
postgres https://learn.hashicorp.com/tutorials/vault/database-secrets?in=vault/secrets-management
mongodb https://learn.hashicorp.com/tutorials/vault/database-mongodb?in=vault/secrets-management
Below is a MongoDB example.
Start a database
docker run -d \
-p 0.0.0.0:27017:27017 -p 0.0.0.0:28017:28017 \
--name=mongodb \
-e MONGO_INITDB_ROOT_USERNAME="mdbadmin" \
-e MONGO_INITDB_ROOT_PASSWORD="hQ97T9JJKZoqnFn2NXE" \
mongo
Configure MongoDB secrets engine
vault write mongodb/config/mongo-test \
plugin_name=mongodb-database-plugin \
allowed_roles="tester" \
connection_url="mongodb://mdbadmin:hQ97T9JJKZoqnFn2NXE@192.168.194.193:27017/admin?tls=false" \
username="mdbadmin" \
password="hQ97T9JJKZoqnFn2NXE"
vault write mongodb/roles/tester \
db_name=mongo-test \
creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' \
default_ttl="1h" \
max_ttl="24h"
vault read mongodb/creds/tester
Key Value
--- -----
lease_id mongodb/creds/tester/7GPR6sRrPloRvAn5yGzoYPjI
lease_duration 1h
lease_renewable true
password rKzEPbGPw-6mG19-4hKL
username v-root-tester-BNUUEQrC8iyHGRDeK7Bu-1624377059
Log in to MongoDB to check the newly created user
docker exec -it mongodb mongo \
--username v-root-tester-BNUUEQrC8iyHGRDeK7Bu-1624377059 \
--password rKzEPbGPw-6mG19-4hKL
show dbs
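The same lifecycle driven from code, as an added example (not part of the original post): a client reads `mongodb/creds/tester` over Vault's HTTP API, uses the credentials, and revokes the lease the moment it is done, so the MongoDB user exists only for the duration of the work. The Vault address is an assumption; the transport is injectable so the lease handling can be exercised without a live Vault.

```python
"""Fetch a MongoDB dynamic secret from Vault, use it, then revoke it."""
import json
import urllib.request
from contextlib import contextmanager
from typing import Callable, Optional

# Assumed Vault address; mount path "mongodb" and role "tester" match the post above.
VAULT_ADDR = "http://127.0.0.1:8200"

# A transport is any callable (method, path, token, body) -> parsed JSON or None.
# Injecting it lets the lease logic run offline against a fake.
Transport = Callable[[str, str, str, Optional[dict]], Optional[dict]]


def http_transport(method: str, path: str, token: str, body: Optional[dict]) -> Optional[dict]:
    """Real transport against Vault's HTTP API using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(VAULT_ADDR + path, data=data, method=method)
    req.add_header("X-Vault-Token", token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def read_creds(transport: Transport, token: str, role: str = "tester") -> dict:
    """GET mongodb/creds/<role>: Vault creates the MongoDB user at this moment."""
    resp = transport("GET", f"/v1/mongodb/creds/{role}", token, None)
    return {
        "lease_id": resp["lease_id"],
        "ttl_seconds": resp["lease_duration"],
        "username": resp["data"]["username"],
        "password": resp["data"]["password"],
    }


def revoke_lease(transport: Transport, token: str, lease_id: str) -> None:
    """PUT sys/leases/revoke: Vault drops the MongoDB user immediately."""
    transport("PUT", "/v1/sys/leases/revoke", token, {"lease_id": lease_id})


@contextmanager
def dynamic_mongo_creds(transport: Transport, token: str, role: str = "tester"):
    """Yield short-lived credentials and revoke them when the block exits,
    even on error, so the secret lives no longer than the work that needs it."""
    creds = read_creds(transport, token, role)
    try:
        yield creds
    finally:
        revoke_lease(transport, token, creds["lease_id"])
```

Against a real Vault, pass `http_transport` and a token with read access to `mongodb/creds/tester` and update access to `sys/leases/revoke`.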
The same lease as shown in the UI