Vault/Install: Difference between revisions
(→AWS) | (→AWS) |
Line 34: | Line 34: |
使用<code>SYMMETRIC_DEFAULT</code>即可。 | 使用<code>SYMMETRIC_DEFAULT</code>即可。 | ||
==== IAM ==== | |||
掛入對應的Inline Policy <code>Policy-Vault-DynamoDB</code>: | |||
<syntaxhighlight lang="json"> | |||
{ | |||
"Version": "2012-10-17", | |||
"Statement": [ | |||
{ | |||
"Sid": "VisualEditor0", | |||
"Effect": "Allow", | |||
"Action": [ | |||
"dynamodb:BatchGetItem", | |||
"dynamodb:BatchWriteItem", | |||
"dynamodb:PutItem", | |||
"dynamodb:DescribeTable", | |||
"dynamodb:DeleteItem", | |||
"dynamodb:GetItem", | |||
"dynamodb:Scan", | |||
"dynamodb:ListTagsOfResource", | |||
"dynamodb:Query", | |||
"dynamodb:UpdateItem", | |||
"dynamodb:DescribeTimeToLive", | |||
"dynamodb:GetRecords" | |||
], | |||
"Resource": [ | |||
"arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/stream/*", | |||
"arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/index/*", | |||
"arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault" | |||
] | |||
}, | |||
{ | |||
"Sid": "VisualEditor1", | |||
"Effect": "Allow", | |||
"Action": [ | |||
"dynamodb:DescribeReservedCapacityOfferings", | |||
"dynamodb:ListTables", | |||
"dynamodb:DescribeReservedCapacity", | |||
"dynamodb:DescribeLimits" | |||
], | |||
"Resource": "*" | |||
} | |||
] | |||
} | |||
</syntaxhighlight> | |||
以及<code>Policy-Vault-KMS</code>: | |||
<syntaxhighlight lang="json"> | |||
{ | |||
"Version": "2012-10-17", | |||
"Statement": [ | |||
{ | |||
"Sid": "VisualEditor0", | |||
"Effect": "Allow", | |||
"Action": [ | |||
"kms:Decrypt", | |||
"kms:Encrypt", | |||
"kms:DescribeKey" | |||
], | |||
"Resource": "arn:aws:kms:ap-southeast-1:123456789012:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" | |||
} | |||
] | |||
} | |||
</syntaxhighlight> | |||
=== /etc/vault.d/vault.hcl === | === /etc/vault.d/vault.hcl === |
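Review bot: In `Policy-Vault-DynamoDB` the first statement grants `dynamodb:GetRecords` together with the `table/vault/stream/*` resource, which are DynamoDB Streams permissions, and the second statement grants the reserved-capacity and limits Describe actions on `"Resource": "*"`; the `VisualEditor0`/`VisualEditor1` Sids suggest these came from the IAM console's suggested action set rather than from what Vault's dynamodb storage backend actually calls. Suggest confirming which actions Vault exercises against the table and its index, dropping the stream and reserved-capacity entries if they are unused, and renaming the Sids to something descriptive (for example `VaultTableAccess`, `VaultListTables`) so the intent of each statement is readable.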
Revision as of 08:26, 15 July 2020 (Wed)
Vault is credential-management software developed by HashiCorp.
Overview
Vault can be used to store credentials of all kinds, such as keys and passwords.
Installation
Vault ships as a single binary. The recommended installation path is /usr/local/bin/vault; the official documentation does not state this, but the official examples routinely use that path[1].
Taking the Linux build as an example:
cd /tmp; wget -c https://releases.hashicorp.com/vault/1.4.3/vault_1.4.3_linux_amd64.zip; unzip vault_1.4.3_linux_amd64.zip; sudo cp vault /usr/local/bin/vault; sudo chmod 755 /usr/local/bin/vault
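As an added example that is not part of the wiki page, the same download-and-copy sequence with a checksum gate in front of the copy step, so that a tampered or truncated zip never reaches /usr/local/bin. The zip URL is the one the page uses; the `vault_1.4.3_SHA256SUMS` filename follows the standard HashiCorp release layout and is an assumption here, as are the helper names `sha256_of`, `verify_sha256sums` and `install_vault`.

```shell
#!/bin/sh
# Added example (not from the wiki page). Download the Vault release zip
# named on the page, verify it against the SHA256SUMS file HashiCorp
# publishes beside it (standard release layout; assumed here), and only
# then copy the binary into /usr/local/bin.
set -u

VAULT_VERSION="1.4.3"
RELEASE_URL="https://releases.hashicorp.com/vault/${VAULT_VERSION}"
ZIP="vault_${VAULT_VERSION}_linux_amd64.zip"
SUMS="vault_${VAULT_VERSION}_SHA256SUMS"

# sha256_of FILE: print the hex digest using GNU sha256sum or BSD shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256sums SUMSFILE ARTIFACT
# SUMSFILE lines look like "<hex digest>  <filename>". Returns 0 when the
# entry for ARTIFACT's basename exists and matches, 1 on a digest mismatch,
# 2 when SUMSFILE carries no entry for it (a failure as well: an absent
# entry must never be treated as "verified").
verify_sha256sums() {
  sums="$1"
  artifact="$2"
  name=$(basename "$artifact")
  expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 2
  fi
  actual=$(sha256_of "$artifact")
  if [ "$expected" = "$actual" ]; then
    echo "OK: $name"
    return 0
  fi
  echo "MISMATCH: $name expected $expected got $actual" >&2
  return 1
}

# install_vault: the page's sequence with the verification gate added.
# Nothing is copied to /usr/local/bin unless the digest matches.
install_vault() {
  cd /tmp || return 1
  wget -c "${RELEASE_URL}/${ZIP}" "${RELEASE_URL}/${SUMS}" || return 1
  verify_sha256sums "$SUMS" "$ZIP" || return 1
  unzip -o "$ZIP" vault || return 1
  sudo install -m 0755 vault /usr/local/bin/vault
}
```

Source the file and call `install_vault` to run the whole sequence; `verify_sha256sums` can also be used on its own against any artifact/SHA256SUMS pair. The checksum file itself is fetched over HTTPS from the same host, so the next step up is checking the detached signature HashiCorp publishes beside it (conventionally `vault_1.4.3_SHA256SUMS.sig`, assumed here) with `gpg --verify` against HashiCorp's release key before trusting the digests.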
Configuration
The setup described here:
- Uses AWS KMS for encryption and decryption (the awskms seal).
- Uses Amazon DynamoDB as the storage backend.
AWS
DynamoDB
Following the official recommendation:
- Set the primary partition key to Path (string).
- Set the primary sort key to Key (string).
KMS
A SYMMETRIC_DEFAULT key is sufficient.
IAM
Attach the corresponding inline policy, Policy-Vault-DynamoDB:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:DescribeTable",
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ListTagsOfResource",
"dynamodb:Query",
"dynamodb:UpdateItem",
"dynamodb:DescribeTimeToLive",
"dynamodb:GetRecords"
],
"Resource": [
"arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/stream/*",
"arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault/index/*",
"arn:aws:dynamodb:ap-southeast-1:123456789012:table/vault"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"dynamodb:DescribeReservedCapacityOfferings",
"dynamodb:ListTables",
"dynamodb:DescribeReservedCapacity",
"dynamodb:DescribeLimits"
],
"Resource": "*"
}
]
}
and Policy-Vault-KMS:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:ap-southeast-1:123456789012:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
]
}
/etc/vault.d/vault.hcl
The recommended path for Vault's configuration file is /etc/vault.d/vault.hcl; the official documentation does not state this, but the official examples routinely use that path[1].
api_addr = "http://10.10.10.10:8200"
cluster_addr = "http://10.10.10.10:8201"
log_level = "Info"
listener "tcp" {
address = "0.0.0.0:8200"
cluster_address = "10.10.10.10:8201"
tls_disable = "true"
}
seal "awskms" {
region = "ap-southeast-1"
access_key = "x"
secret_key = "x"
kms_key_id = "x"
}
storage "dynamodb" {
ha_enabled = "true"
region = "ap-southeast-1"
table = "vault"
access_key = "x"
secret_key = "x"
}
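The configuration above listens without TLS (`tls_disable = "true"`, `api_addr` on `http://`) and carries static AWS access/secret keys in the file. As an added example that is not part of the wiki page, a small audit script that flags those settings, run against the page's config and against a hardened variant of the same layout that passes. The certificate paths, the KMS key id and the function names (`audit_vault_hcl`, `write_weak_config`, `write_hardened_config`) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit a vault.hcl for the weak
# settings visible in the page's config (tls_disable, static AWS keys in
# the file, plain-http api_addr) and show a hardened variant that passes.
# Certificate paths, KMS key id and addresses are placeholders.
set -u

# audit_vault_hcl FILE: print one FINDING line per weak setting.
# Returns 0 when nothing was found, 1 otherwise.
audit_vault_hcl() {
  f="$1"
  findings=0
  if grep -Eq '^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*"?true"?' "$f"; then
    echo "FINDING: tls_disable is true; tokens and secrets cross the network in cleartext"
    findings=$((findings + 1))
  fi
  for k in access_key secret_key; do
    if grep -Eq "^[[:space:]]*${k}[[:space:]]*=[[:space:]]*\"[^\"]+\"" "$f"; then
      echo "FINDING: static ${k} in the config file; use an instance profile or env credentials"
      findings=$((findings + 1))
    fi
  done
  if grep -Eq '^[[:space:]]*api_addr[[:space:]]*=[[:space:]]*"http://' "$f"; then
    echo "FINDING: api_addr advertises http://; clients and cluster peers will use plaintext"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# write_weak_config FILE: the page's vault.hcl, reproduced as constructed input.
write_weak_config() {
  cat > "$1" <<'EOF'
api_addr = "http://10.10.10.10:8200"
cluster_addr = "http://10.10.10.10:8201"
log_level = "Info"
listener "tcp" {
  address = "0.0.0.0:8200"
  cluster_address = "10.10.10.10:8201"
  tls_disable = "true"
}
seal "awskms" {
  region = "ap-southeast-1"
  access_key = "x"
  secret_key = "x"
  kms_key_id = "x"
}
storage "dynamodb" {
  ha_enabled = "true"
  region = "ap-southeast-1"
  table = "vault"
  access_key = "x"
  secret_key = "x"
}
EOF
}

# write_hardened_config FILE: same layout with TLS on and no static keys.
# With access_key/secret_key omitted, the awskms seal and dynamodb storage
# take credentials from the AWS SDK chain (instance profile or AWS_* env).
write_hardened_config() {
  cat > "$1" <<'EOF'
api_addr = "https://10.10.10.10:8200"
cluster_addr = "https://10.10.10.10:8201"
log_level = "Info"
listener "tcp" {
  address = "0.0.0.0:8200"
  cluster_address = "10.10.10.10:8201"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"
  tls_key_file = "/etc/vault.d/tls/vault.key"
}
seal "awskms" {
  region = "ap-southeast-1"
  kms_key_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
storage "dynamodb" {
  ha_enabled = "true"
  region = "ap-southeast-1"
  table = "vault"
}
EOF
}

# Demo on the two constructed configs.
demo_dir=$(mktemp -d)
write_weak_config "$demo_dir/weak.hcl"
write_hardened_config "$demo_dir/hardened.hcl"
audit_vault_hcl "$demo_dir/weak.hcl" || echo "weak.hcl: findings reported above"
audit_vault_hcl "$demo_dir/hardened.hcl" && echo "hardened.hcl: clean"
```

The page's config produces four findings (tls_disable, access_key, secret_key, api_addr) and the hardened one none. The audit is a line-pattern check, not an HCL parser, so it is meant as a pre-deploy gate in a config pipeline rather than a substitute for reading the file; the hardened variant keeps the IAM policies on this page relevant because the same permissions are now granted to the instance role instead of to a key pair written on disk.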
References
- ↑ 1.0 1.1 Vault Deployment Guide. [2020-07-15] (English).
External links
- Official website (English)