태그: kv

사용자별 UI 접근에 대한 설정을 Kv-v2를 예로 확인

Policy 구성

UI 접근을 위해서는 metadata에 대한 권한 추가가 필요함

$ vault policy write ui-kv-policy - << EOF

path "kv-v2/data/path/" {
  capabilities = ["create", "update", "read", "delete", "list"]
}
path "kv-v2/delete/path/" {
  capabilities = ["update"]
}
path "kv-v2/metadata/path/" {
  capabilities = ["list", "read", "delete"]
}
path "kv-v2/destroy/path/" {
  capabilities = ["update"]
}

path "kv-v2/data/path/userid/*" {
  capabilities = ["create", "update", "read", "delete", "list"]
}
path "kv-v2/delete/path/userid/*" {
  capabilities = ["update"]
}
path "kv-v2/metadata/path/userid/*" {
  capabilities = ["list", "read", "delete"]
}
path "kv-v2/destroy/path/userid/*" {
  capabilities = ["update"]
}

# Additional access for UI
path "kv-v2/metadata" {
  capabilities = ["list"]
}
EOF

##### or #####

vault policy write ui-kv-policy - << EOF

path "kv-v2/data/path/userid" {
  capabilities = ["create", "update", "read", "delete", "list"]
}
path "kv-v2/delete/path/userid" {
  capabilities = ["update"]
}
path "kv-v2/metadata/path/userid" {
  capabilities = ["list", "read", "delete"]
}
path "kv-v2/destroy/path/userid" {
  capabilities = ["update"]
}

# Additional access for UI
path "kv-v2/metadata/*" {
  capabilities = ["list"]
}
EOF

약 4 분

jenkins with vault

jenkins와 vault를 연동하여 pipe line에서 kv 사용하기
이 예제는 진짜 kv까지만 테스트함

# approle 엔진 생성
$ vault auth enable approle
# kv2 enable
$ vault secrets enable kv-v2
# kv enable
$ vault secrets enable -path=kv kv

# jenkins 정책으로 될 파일 생성 v1, v2
$ tee jenkins-policy.hcl <<EOF
path "kv/secret/data/jenkins/*" {
  capabilities = [ "read" ]
}
path "kv-v2/data/jenkins/*" {
  capabilities = [ "read" ]
}
EOF

#jenkins 정책 생성
vault policy write jenkins jenkins-policy.hcl

#approle 생성 및 정책 jenkins에 연결
vault write auth/approle/role/jenkins token_policies="jenkins" \
token_ttl=1h token_max_ttl=4h
 
#Role id, secret id 가져오기

vault read auth/approle/role/jenkins/role-id
vault write -f auth/approle/role/jenkins/secret-id


vault secrets enable -path=kv kv
$ tee gitlab.json <<EOF
{
  "gitlabIP": "172.21.2.52",
  "api-key": "RjLAbbWsSAzXoyBvo2qL"
}
EOF

tee gitlab-v2.json <<EOF
{
  "gitlabIP": "172.21.2.52",
  "api-key": "RjLAbbWsSAzXoyBvo2qL",
  "version": "v2"
}
EOF

vault kv put kv/secret/data/jenkins/gitlab @gitlab.json
vault kv put kv-v2/jenkins/gitlab @gitlab-v2.json

약 4 분