https://developer.hashicorp.com/vault/docs/auth/aws
HashiCorp Learn - Login MFA : https://learn.hashicorp.com/tutorials/vault/multi-factor-authentication
Configure TOTP MFA Method : https://www.vaultproject.io/api-docs/secret/identity/mfa/totp
Vault Login MFA Overview : https://www.vaultproject.io/docs/auth/login-mfa
1.10.3+ recommend : https://discuss.hashicorp.com/t/vault-1-10-3-released/39394
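Caution
This method creates a user with Admin privileges using username/password authentication,
but it is not recommended for production configurations for security reasons.
- Enable userpass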
vault auth enable userpass
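When tokens are used on their own, without a separate auth method, you can create a role for tokens and then issue tokens that are bound to the settings defined in that role.
- An entity is created, so the Vault client count can be kept down
- Tokens can be created consistently
- The tokens can be tuned separately (TTL adjustment, etc.)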
Procedure
- UI > Access > Entities > [create entity] : 100y-entity
- Create an alias on the entity : 100y-alias
- Create the role (payload.json)
{
  "allowed_policies": [ "my-policy" ],
  "name": "100y",
  "orphan": false,
  "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"],
  "renewable": true,
  "allowed_entity_aliases": ["100y-alias"]
}
- Apply the role
curl -H "X-Vault-Token: hvs.QKRiVmCedA06dCSc2TptmSk1" -X POST --data @payload.json http://127.0.0.1:8200/v1/auth/token/roles/100y
- Apply a custom tune to the role (optional)
vault auth tune -max-lease-ttl=876000h token/role/100y
vault auth tune -default-lease-ttl=876000h token/role/100y
- Check the role after tuning
$ vault read auth/token/roles/100y
Key                         Value
---                         -----
allowed_entity_aliases      [100y-alias]
allowed_policies            [default]
allowed_policies_glob       []
bound_cidrs                 [127.0.0.1 128.252.0.0/16]
disallowed_policies         []
disallowed_policies_glob    []
explicit_max_ttl            0s
name                        100y
orphan                      false
path_suffix                 n/a
period                      0s
renewable                   true
token_bound_cidrs           [127.0.0.1 128.252.0.0/16]
token_explicit_max_ttl      0s
token_no_default_policy     false
token_period                0s
token_type                  default-service
- Create a token
$ vault token create -entity-alias=100y-alias -role=100y
Key                  Value
---                  -----
token                hvs.CAESIIveQyE34VOowkCXj4InopxsQHWXu2iW00UQDDCTb-pIGh4KHGh2cy5UZGJ4MjJic1RjY1BlVGRWVHhzNFgwWW4
token_accessor       Cx6qjyUGwqPmqoPNe9tmkCiN
token_duration       876000h
token_renewable      true
token_policies       ["default"]
identity_policies    ["default"]
policies             ["default"]
- Confirm that the token reflects the role's configuration
$ vault token lookup hvs.CAESIIveQyE34VOowkCXj4InopxsQHWXu2iW00UQDDCTb-pIGh4KHGh2cy5UZGJ4MjJic1RjY1BlVGRWVHhzNFgwWW4
Key                            Value
---                            -----
accessor                       Cx6qjyUGwqPmqoPNe9tmkCiN
bound_cidrs                    [127.0.0.1 128.252.0.0/16]
creation_time                  1651059486
creation_ttl                   876000h
display_name                   token
entity_id                      53fc4716-fc0d-db34-14b8-ab4258f89fb1
expire_time                    2122-04-03T20:38:06.73198+09:00
explicit_max_ttl               0s
external_namespace_policies    map[]
id                             hvs.CAESIIveQyE34VOowkCXj4InopxsQHWXu2iW00UQDDCTb-pIGh4KHGh2cy5UZGJ4MjJic1RjY1BlVGRWVHhzNFgwWW4
identity_policies              [default]
issue_time                     2022-04-27T20:38:06.731984+09:00
meta                           <nil>
num_uses                       0
orphan                         false
path                           auth/token/create/100y
policies                       [default]
renewable                      true
role                           100y
ttl                            875999h59m3s
type                           service
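The final check, that the token reflects the role, can be scripted. The following is an added example, not part of the original page or of Vault's own tooling: it compares the role with the token lookup and reports every attribute that disagrees. The JSON samples are constructed from the output shown above; the {"data": ...} shape with integer TTLs (as assumed for -format=json output) and the function name check_token_against_role are assumptions.

```python
import ipaddress
import json

# Constructed samples modelled on the page's output; the {"data": {...}} shape is the
# assumed form of `vault read -format=json` and `vault token lookup -format=json`.
ROLE_JSON = """{"data": {"name": "100y", "allowed_policies": ["default"],
  "allowed_entity_aliases": ["100y-alias"], "orphan": false, "renewable": true,
  "token_bound_cidrs": ["127.0.0.1", "128.252.0.0/16"], "token_explicit_max_ttl": 0}}"""
TOKEN_JSON = """{"data": {"role": "100y", "path": "auth/token/create/100y",
  "policies": ["default"], "entity_id": "53fc4716-fc0d-db34-14b8-ab4258f89fb1",
  "bound_cidrs": ["127.0.0.1", "128.252.0.0/16"], "orphan": false,
  "renewable": true, "explicit_max_ttl": 0}}"""


def _networks(cidrs):
    # Normalise so that "127.0.0.1" and "127.0.0.1/32" compare equal.
    return {ipaddress.ip_network(c, strict=False) for c in cidrs or []}


def check_token_against_role(role_doc, token_doc):
    """Return {field: problem} for each token attribute that disagrees with the role."""
    role, tok = role_doc["data"], token_doc["data"]
    problems = {}
    if tok.get("role") != role["name"]:
        problems["role"] = f"token role is {tok.get('role')!r}, expected {role['name']!r}"
    if tok.get("path") != f"auth/token/create/{role['name']}":
        problems["path"] = f"token was not created through the role: {tok.get('path')!r}"
    if _networks(tok.get("bound_cidrs")) != _networks(role.get("token_bound_cidrs")):
        problems["bound_cidrs"] = f"CIDR binding differs: {tok.get('bound_cidrs')}"
    allowed = set(role.get("allowed_policies") or [])
    extra = set(tok.get("policies") or []) - allowed - {"default"}
    if allowed and extra:  # an empty allowed_policies list does not restrict policies
        problems["policies"] = f"policies outside the role: {sorted(extra)}"
    if role.get("allowed_entity_aliases") and not tok.get("entity_id"):
        problems["entity_id"] = "token is not attached to an entity"
    for role_key, tok_key in (("orphan", "orphan"), ("renewable", "renewable"),
                              ("token_explicit_max_ttl", "explicit_max_ttl")):
        if tok.get(tok_key) != role.get(role_key):
            problems[tok_key] = f"{tok_key}={tok.get(tok_key)!r}, role has {role.get(role_key)!r}"
    return problems


if __name__ == "__main__":
    result = check_token_against_role(json.loads(ROLE_JSON), json.loads(TOKEN_JSON))
    print(result or "token matches role 100y")
```

An empty result means the token carries the role's CIDR binding, policies, entity and flags; any key in the result names the attribute to investigate.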