Vault KV Secrets Engine – Version 2
Either of the following two commands enables the kv engine:
vault secrets enable -version=2 kv
vault secrets enable kv-v2
A direct put fails with 403 (insufficient permissions):
/tmp $ vault kv put secret/hello foo=world
Error making API request.
URL: GET http://127.0.0.1:8200/v1/sys/internal/ui/mounts/secret/hello
Code: 403. Errors:
* preflight capability check returned 403, please ensure client's policies grant access to path "secret/hello/"
/tmp $
Enable AppRole authentication
vault auth enable approle
Create policy.hcl
/tmp $ cat policy.hcl
path "kv/helloworld/*" {
capabilities = [ "create", "read", "delete" ]
}
/tmp $
Create the policy from the HCL file
vault policy write helloworld-policy ./policy.hcl
/tmp $ export VAULT_TOKEN=s.YIhdm8s9jMRqCqgUP00YyJjI
/tmp $ cat policy.hcl
path "kv/helloworld/*" {
capabilities = [ "create", "read", "delete" ]
}
/tmp $ vault policy write helloworld-policy ./policy.hcl
Success! Uploaded policy: helloworld-policy
/tmp $
/tmp $ vault policy list
default
helloworld-policy
root
/tmp $
/tmp $ vault policy read helloworld-policy
path "kv/helloworld/*" {
capabilities = [ "create", "read", "delete" ]
}
/tmp $
Test writing
/tmp $ vault kv put kv/helloworld foo=world
Key Value
--- -----
created_time 2021-06-22T06:59:38.416440707Z
deletion_time n/a
destroyed false
version 1
/tmp $
/tmp $ vault kv put kv/helloworld/test test=testvalue
Key Value
--- -----
created_time 2021-06-22T07:00:04.372497077Z
deletion_time n/a
destroyed false
version 1
/tmp $
Test get
vault kv get kv/helloworld
Test delete
vault kv delete kv/helloworld/test
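The 403 at the top of these notes is a policy problem, and the policy written later does not actually fix it for a non-root token: a KV version 2 mount serves secrets from kv/data/<path> (with kv/delete/, kv/undelete/, kv/destroy/ and kv/metadata/ for the other operations), so a rule on "kv/helloworld/*" matches none of the paths the CLI requests. The notes never bind helloworld-policy to a token or AppRole role, so the puts above run with whatever capabilities VAULT_TOKEN already has. The following is an added example, not part of the original notes, that generates the KV v2 rules for the page's paths and shows why the original rule does not cover them; MOUNT and PATHS are assumed values taken from the notes.

```python
"""Generate a least-privilege Vault policy for a KV version 2 mount.

Added example, not from the original notes. KV v2 endpoints sit under
<mount>/data/, delete/, undelete/, destroy/ and metadata/, so policy
rules must name those prefixes, not the logical path shown by the CLI.
"""

# CLI operation -> (API prefix under the mount, capabilities that endpoint needs)
KV2_OPS = {
    "put": ("data", {"create", "update"}),   # update: new version of an existing key
    "get": ("data", {"read"}),
    "delete": ("data", {"delete"}),          # soft-deletes the latest version
    "undelete": ("undelete", {"update"}),
    "destroy": ("destroy", {"update"}),
    "list": ("metadata", {"list"}),
}

MOUNT = "kv"                            # assumed: the kv-v2 mount from the notes
PATHS = ["helloworld", "helloworld/*"]  # the exact key plus everything below it


def kv2_rules(mount, paths, ops):
    """Map logical KV paths and CLI operations to {api_path: capabilities}."""
    rules = {}
    for op in ops:
        prefix, caps = KV2_OPS[op]
        for p in paths:
            rules.setdefault(f"{mount}/{prefix}/{p}", set()).update(caps)
    return rules


def to_hcl(rules):
    """Render the rules as Vault policy HCL, one path block per API path."""
    blocks = []
    for api_path in sorted(rules):
        caps = ", ".join(f'"{c}"' for c in sorted(rules[api_path]))
        blocks.append(f'path "{api_path}" {{\n  capabilities = [{caps}]\n}}')
    return "\n\n".join(blocks) + "\n"


def rule_covers(rule_path, request_path):
    """Vault path matching: exact match, or a trailing '*' glob as prefix."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return rule_path == request_path


if __name__ == "__main__":
    print(to_hcl(kv2_rules(MOUNT, PATHS, ["put", "get", "delete"])))
    # The rule from the notes never matches the KV v2 data endpoint.
    print(rule_covers("kv/helloworld/*", "kv/data/helloworld/test"))  # False
```

Write the printed HCL to policy.hcl and load it with `vault policy write` as in the notes; "kv/data/helloworld/*" alone would still leave `vault kv put kv/helloworld` uncovered, which is why the exact path is listed too.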