I'm using docker-compose to run two services, vault-agent and a vault server, both built from the hashicorp/vault:latest Docker image, for development on my local machine. I run the vault server in dev mode: vault server -dev. I run vault-agent as vault agent -log-level debug -config=/helpers/vault-agent.hcl, where vault-agent.hcl is:
pid_file = "./pidfile"
vault {
address = "https://vault_dev:8200"
retry {
num_retries = 5
}
}
auto_auth {
method {
type = "approle"
config = {
role_id_file_path = "/helpers/role_id"
secret_id_file_path = "/helpers/secret_id"
remove_secret_id_file_after_reading = false
}
}
sink "file" {
config = {
path = "/helpers/sink_file"
}
}
}
cache {
use_auto_auth_token = true
}
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = true
}
I'm using AppRole authentication between vault-agent and the vault server, so I ran the following commands:
vault secrets enable -version=2 kv
vault auth enable approle
vault policy write admin-policy /helpers/admin-policy.hcl
vault write auth/approle/role/dev-role token_policies="admin-policy"
and admin-policy.hcl is:
# Read system health check
path "sys/health"
{
capabilities = ["read", "sudo"]
}
# Create and manage ACL policies broadly across Vault
# List existing policies
path "sys/policies/acl"
{
capabilities = ["list"]
}
# Create and manage ACL policies
path "sys/policies/acl/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Enable and manage authentication methods broadly across Vault
# Manage auth methods broadly across Vault
path "auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Create, update, and delete auth methods
path "sys/auth/*"
{
capabilities = ["create", "update", "delete", "sudo"]
}
# List auth methods
path "sys/auth"
{
capabilities = ["read"]
}
# Enable and manage the key/value secrets engine at `kv/` path
# List, create, update, and delete key/value secrets
path "kv/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List, create, update, and delete key/value secrets
path "secret/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage Entities and Entity alias
path "identity/entity-alias"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity-alias/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage secrets engines
path "sys/mounts/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List existing secrets engines.
path "sys/mounts"
{
capabilities = ["read"]
}
However, when I run vault kv put secret/hello foo=bar from inside the vault-agent container, I get the following error:
Error making API request.
URL: GET http://vault_dev:8200/v1/sys/internal/ui/mounts/secret/hello
Code: 403. Errors:
* permission denied
If I run export VAULT_TOKEN=root and then vault kv put secret/hello foo=bar, it works. So I assume the communication between vault-agent and the vault server is working, and I don't see any errors logged in the vault-agent container (only INFO messages), but I still need a token to perform operations against vault-agent, even though the whole point of vault-agent is to delegate authentication to the agent. What am I missing?
2 answers

jhdbpxl91:
At this point you have enabled AppRole authentication and created an AppRole path for authentication, with a role bound to the policy. Now you need to retrieve the role_id, retrieve the secret_id (in push mode), and then retrieve a token to authenticate with. You can then use that token with vault login, or set it as the VAULT_TOKEN environment variable.

xbp102n02:
When I try to run a command like vault secrets enable -version=2 kv in the Web UI, it tells me the only valid commands are read, write, delete and list.
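The AppRole exchange jhdbpxl91's answer describes (fetch role_id and secret_id, log in, use the returned token), as an added example that is not part of the original thread: it calls Vault's HTTP API with the standard library only. The server address and the /helpers/role_id and /helpers/secret_id file paths are taken from the question's agent config; the dev-role name is the one created in the question; everything else is assumed.

```python
import json
import os
import urllib.request

# Assumed: the dev server address from the question; override via VAULT_ADDR.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://vault_dev:8200")

def clean_cred(text, name):
    """Strip whitespace so a trailing newline is not sent as part of the credential."""
    value = text.strip()
    if not value:
        raise ValueError(f"{name} is empty")
    return value

def read_cred_file(path):
    with open(path) as fh:
        return clean_cred(fh.read(), path)

def parse_login_response(body):
    """Return (client_token, policies) from an auth/approle/login reply."""
    doc = json.loads(body)
    auth = doc.get("auth") or {}
    if not auth.get("client_token"):
        raise ValueError(f"no client_token in reply: {doc.get('errors')}")
    return auth["client_token"], auth.get("policies", [])

def vault_request(method, path, token=None, payload=None):
    """Minimal Vault HTTP API call; an existing token goes in X-Vault-Token."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        return resp.read()

def approle_login(role_id, secret_id):
    body = vault_request("POST", "auth/approle/login",
                         payload={"role_id": role_id, "secret_id": secret_id})
    return parse_login_response(body)

if __name__ == "__main__":
    # role_id/secret_id files as fetched for the agent in the question, e.g.:
    #   vault read -field=role_id auth/approle/role/dev-role/role-id
    #   vault write -f -field=secret_id auth/approle/role/dev-role/secret-id
    token, policies = approle_login(read_cred_file("/helpers/role_id"),
                                    read_cred_file("/helpers/secret_id"))
    # The question's `vault kv put secret/hello foo=bar`, done with this token (kv v2 API).
    vault_request("POST", "secret/data/hello", token, {"data": {"foo": "bar"}})
```

The token returned by approle_login is what the answer suggests exporting as VAULT_TOKEN or passing to vault login; it carries only the policies of dev-role, not the root token's.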