Complete HashiCorp Vault commands and workflows for secrets management, encryption and secure access to sensitive data.
Installation and configuration

| Command | Description |
|---|---|
| `vault version` | Show Vault version |
| `vault server -dev` | Start a development server (in-memory storage, already unsealed, root token printed to the console; never for production) |
| `vault server -config=config.hcl` | Start with a configuration file |
| `vault status` | Check server status (seal state, HA mode, storage type, version) |
Authentication & login
Basic authentication

The old `vault auth -method=...` login syntax is deprecated; `vault auth` now only manages auth methods (see "Authentication methods" below) and logging in is done with `vault login`.

| Command | Description |
|---|---|
| `vault login -method=userpass username=myuser` | Log in with username/password (prompts for the password) |
| `vault login -method=ldap username=myuser` | Log in with LDAP |
| `vault login -method=github token=mytoken` | Log in with a GitHub personal access token |
| `vault login -method=aws role=my-role` | Log in with AWS IAM credentials from the environment or instance profile |
| `vault write auth/kubernetes/login role=my-role jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token` | Log in with a Kubernetes service account token (the CLI has no built-in Kubernetes login helper, so the login endpoint is called directly) |
Token management

| Command | Description |
|---|---|
| `vault token create` | Create a new token (inherits the current token's policies) |
| `vault token create -ttl=1h` | Create a token with a TTL |
| `vault token lookup` | Look up the current token (policies, TTL, accessor) |
| `vault token renew` | Renew the current token |
| `vault token revoke TOKEN` | Revoke a specific token (and its child tokens) |
Secrets management
Key/Value secrets (v2)

| Command | Description |
|---|---|
| `vault kv put secret/myapp username=admin password=secret` | Store a secret (values typed on the command line end up in shell history; prefer `@file` or `-` for stdin) |
| `vault kv get secret/myapp` | Retrieve a secret |
| `vault kv get -field=password secret/myapp` | Get a specific field |
| `vault kv delete secret/myapp` | Soft-delete the latest version (recoverable with `undelete`) |
| `vault kv list secret/` | List secrets |
| `vault kv metadata get secret/myapp` | Get metadata (versions, timestamps, custom metadata) |
Secret versions

| Command | Description |
|---|---|
| `vault kv put secret/myapp @data.json` | Store from a JSON file |
| `vault kv get -version=2 secret/myapp` | Get a specific version |
| `vault kv rollback -version=1 secret/myapp` | Roll back to a version (creates a new version with that content) |
| `vault kv destroy -versions=2,3 secret/myapp` | Permanently destroy versions |
| `vault kv undelete -versions=2 secret/myapp` | Undelete soft-deleted versions |
Database secrets engine
Database configuration

| Command | Description |
|---|---|
| `vault secrets enable database` | Enable the database engine |
| `vault write database/config/my-mysql-database plugin_name=mysql-database-plugin connection_url="{{username}}:{{password}}@tcp(localhost:3306)/" allowed_roles="my-role" username="vaultuser" password="vaultpass"` | Configure MySQL (`{{username}}`/`{{password}}` are templated from the `username`/`password` fields so the credentials do not appear in the connection string) |
| `vault write database/roles/my-role db_name=my-mysql-database creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" default_ttl="1h" max_ttl="24h"` | Create a role (Vault fills in `{{name}}` and `{{password}}` for each generated user) |
Dynamic credentials

| Command | Description |
|---|---|
| `vault read database/creds/my-role` | Generate database credentials (returns a `lease_id`; manage it with `vault lease renew` / `vault lease revoke`) |
| `vault write -f database/rotate-root/my-mysql-database` | Rotate the root credentials (after this, only Vault knows the password) |
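The table above stops at generating credentials; in practice the lease that comes back with them is what a job has to manage. The following script is an added example, not part of the original cheat sheet. It assumes the mounts and the role named on this page (`database/`, `my-role`), a running Vault reachable through `VAULT_ADDR`/`VAULT_TOKEN`, and a role `max_ttl` of 24h. The JSON sample is constructed for the example, and the `sed`-based field extraction is used only to keep the script dependency-free; `jq` would be the usual choice.

```shell
#!/bin/sh
# Added example: lifecycle of a dynamic database credential (issue, decide
# whether to renew or re-issue, revoke when done). Not from the original page.
set -eu

# Constructed sample of what `vault read -format=json database/creds/my-role`
# returns; the values are made up for this example.
SAMPLE_CREDS='{
  "request_id": "5c3a7e0e-0000-0000-0000-000000000000",
  "lease_id": "database/creds/my-role/abc123",
  "lease_duration": 3600,
  "renewable": true,
  "data": {
    "password": "A1a-example-only",
    "username": "v-token-my-role-abc"
  }
}'

# Minimal extractors for one string / number field of a flat, pretty-printed
# JSON response (one key per line, as the vault CLI prints it).
json_str_field() {  # usage: json_str_field KEY JSON
  printf '%s\n' "$2" | sed -n "s/^ *\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}
json_num_field() {  # usage: json_num_field KEY JSON
  printf '%s\n' "$2" | sed -n "s/^ *\"$1\": *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Decide what to do with a lease. All values in seconds:
#   REMAINING  lease_duration still left
#   NEEDED     how long the job still needs the credential
#   MAX_TTL    the role's max_ttl (hard cap measured from issue time)
#   AGE        how long ago the lease was issued
# A renewal can never push the lease past MAX_TTL, so if the job needs more
# than MAX_TTL - AGE, renewing is pointless and fresh credentials are required.
plan_lease_action() {  # usage: plan_lease_action REMAINING NEEDED MAX_TTL AGE
  if [ "$1" -ge "$2" ]; then echo keep
  elif [ $(( $3 - $4 )) -ge "$2" ]; then echo renew
  else echo reissue
  fi
}

# Live part: only runs when RUN_LIVE=1 and a Vault server is configured.
demo_live() {
  creds=$(vault read -format=json database/creds/my-role)
  lease_id=$(json_str_field lease_id "$creds")
  ttl=$(json_num_field lease_duration "$creds")
  user=$(json_str_field username "$creds")
  pass=$(json_str_field password "$creds")
  echo "issued $user for ${ttl}s under lease $lease_id"   # never echo $pass
  # ... connect to the database with $user / $pass here ...

  case "$(plan_lease_action "$ttl" 7200 86400 0)" in
    renew)   vault lease renew -increment=7200 "$lease_id" ;;   # ask for 2h more
    reissue) echo "max_ttl too short for this job; request new credentials"
             vault lease revoke "$lease_id"; return ;;
  esac

  # Revoke as soon as the work is done: Vault drops the DB user immediately
  # instead of leaving a live account around until the TTL expires.
  vault lease revoke "$lease_id"
}

if [ "${RUN_LIVE:-0}" = 1 ]; then demo_live; fi
```

Run it with `RUN_LIVE=1 sh lease-demo.sh` against a real server; without that variable it only defines the helpers, which is what the offline checks below exercise.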
PKI (Public Key Infrastructure)
PKI configuration

| Command | Description |
|---|---|
| `vault secrets enable pki` | Enable the PKI engine |
| `vault secrets tune -max-lease-ttl=87600h pki` | Set the mount's max TTL (10 years, for the root CA) |
| `vault write pki/root/generate/internal common_name=example.com ttl=87600h` | Generate a root CA (`internal` keeps the private key inside Vault) |
| `vault write pki/config/urls issuing_certificates="http://vault.example.com:8200/v1/pki/ca" crl_distribution_points="http://vault.example.com:8200/v1/pki/crl"` | Configure the AIA and CRL URLs embedded in issued certificates |
Certificate management

| Command | Description |
|---|---|
| `vault write pki/roles/example-dot-com allowed_domains=example.com allow_subdomains=true max_ttl=72h` | Create a role |
| `vault write pki/issue/example-dot-com common_name=test.example.com` | Issue a certificate (returns certificate, private key, issuing CA and serial number) |
| `vault write pki/revoke serial_number=39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58` | Revoke a certificate by serial number |
AWS secrets engine
AWS configuration

| Command | Description |
|---|---|
| `vault secrets enable aws` | Enable the AWS engine |
| `vault write aws/config/root access_key=AKIAI... secret_key=R4nm...` | Configure the root credentials Vault uses to create IAM users/roles |
| `vault write aws/roles/my-role credential_type=iam_user policy_document=-<<EOF {...} EOF` | Create a role whose generated IAM users get the given inline policy |
Credentials

| Command | Description |
|---|---|
| `vault read aws/creds/my-role` | Generate AWS credentials (an IAM user for `credential_type=iam_user`) |
| `vault write aws/sts/my-role ttl=15m` | Generate short-lived STS credentials (for `assumed_role` / `federation_token` roles) |
Transit secrets engine
Encryption configuration

Transit is encryption as a service: the key never leaves Vault, clients send base64-encoded plaintext and get back a ciphertext prefixed with the key version (`vault:v1:...`).

| Command | Description |
|---|---|
| `vault secrets enable transit` | Enable the transit engine |
| `vault write transit/keys/my-key type=aes256-gcm96` | Create an encryption key |
| `vault write transit/encrypt/my-key plaintext=$(base64 <<< "my secret data")` | Encrypt data (plaintext must be base64-encoded) |
| `vault write transit/decrypt/my-key ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==` | Decrypt data (the result is base64-encoded) |
Key management

| Command | Description |
|---|---|
| `vault write -f transit/keys/my-key/rotate` | Rotate the encryption key (new data is encrypted with the new version; old ciphertexts still decrypt) |
| `vault read transit/keys/my-key` | Read key information (`latest_version`, `min_decryption_version`, type) |
| `vault write transit/rewrap/my-key ciphertext=vault:v1:...` | Rewrap a ciphertext with the latest key version without exposing the plaintext |
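The encrypt/decrypt/rotate/rewrap commands above are the pieces of one workflow: after a rotation, find ciphertexts still under an old key version, rewrap them, then raise `min_decryption_version` so the old versions can no longer be used. The script below is an added example and not part of the original page; it assumes the `transit/` mount and `my-key` from the tables, a reachable Vault through `VAULT_ADDR`/`VAULT_TOKEN`, and a `base64` that accepts `--decode` (GNU and BSD both do).

```shell
#!/bin/sh
# Added example: client-side Transit helpers plus a rewrap-after-rotation
# routine. Not from the original cheat sheet.
set -eu

# Transit wants base64 plaintext in and gives base64 plaintext out.
transit_encrypt() {  # usage: transit_encrypt "plaintext"  -> vault:vN:...
  vault write -field=ciphertext transit/encrypt/my-key \
    plaintext="$(printf '%s' "$1" | base64 | tr -d '\n')"
}
transit_decrypt() {  # usage: transit_decrypt "vault:vN:..."  -> plaintext
  vault write -field=plaintext transit/decrypt/my-key ciphertext="$1" | base64 --decode
}

# Key version embedded in a Transit ciphertext ("vault:v3:..." -> 3).
# Returns 0 for anything that is not a well-formed Transit ciphertext.
ciphertext_version() {
  case "$1" in
    vault:v*:*) v=${1#vault:v}; v=${v%%:*} ;;
    *) v= ;;
  esac
  case "$v" in
    ''|*[!0-9]*) echo 0 ;;
    *) echo "$v" ;;
  esac
}

# True when the ciphertext was produced by a key version older than LATEST.
needs_rewrap() {  # usage: needs_rewrap CIPHERTEXT LATEST_VERSION
  [ "$(ciphertext_version "$1")" -lt "$2" ]
}

# Rewrap only what is stale; prints the ciphertext to store going forward.
rewrap_if_stale() {  # usage: rewrap_if_stale CIPHERTEXT
  latest=$(vault read -field=latest_version transit/keys/my-key)
  if needs_rewrap "$1" "$latest"; then
    vault write -field=ciphertext transit/rewrap/my-key ciphertext="$1"
  else
    printf '%s\n' "$1"
  fi
}

demo_live() {
  ct=$(transit_encrypt "my secret data")          # vault:v1:... on a fresh key
  vault write -f transit/keys/my-key/rotate        # now latest_version is 2
  ct2=$(rewrap_if_stale "$ct")                     # vault:v2:..., same plaintext
  transit_decrypt "$ct2"                           # prints: my secret data
  # Once every stored ciphertext has been rewrapped, forbid the old version:
  # decrypting a leftover vault:v1:... now fails instead of silently working.
  vault write transit/keys/my-key/config \
    min_decryption_version="$(vault read -field=latest_version transit/keys/my-key)"
}

if [ "${RUN_LIVE:-0}" = 1 ]; then demo_live; fi
```

`rewrap` is the operation to prefer over decrypt-then-encrypt: the plaintext never reaches the client, and the caller only needs `update` on `transit/rewrap/my-key`, not on the decrypt path.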
Policies
Policy management

| Command | Description |
|---|---|
| `vault policy write my-policy policy.hcl` | Create/update a policy from a file (use `-` to read from stdin) |
| `vault policy read my-policy` | Read a policy |
| `vault policy list` | List all policies |
| `vault policy delete my-policy` | Delete a policy |
Policy example

Vault applies the single most specific matching path, not the union of all matches, so a stanza for `secret/data/myapp/*` must list every capability it needs even if a broader `secret/data/*` stanza already grants `read`. `deny` always wins over any other match.

```hcl
# Read operation on the k/v secrets
path "secret/data/*" {
  capabilities = ["read"]
}

# Write operation on the k/v secrets. "read" is repeated here: this stanza
# is more specific than secret/data/*, so it replaces it rather than adding to it.
path "secret/data/myapp/*" {
  capabilities = ["create", "update", "read"]
}

# Deny all access to secret/admin (deny takes precedence over everything else)
path "secret/data/admin" {
  capabilities = ["deny"]
}
```
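Policies for KV v2 have a second pitfall the example above does not cover: `vault kv list` and `vault kv metadata get` hit `secret/metadata/...`, not `secret/data/...`, so a policy that only mentions `data/` makes listing fail with a 403. The script below is an added example, not from the original page; it renders a per-application policy with both paths and then checks what a token holding only that policy can do, using the KV v2 mount at `secret/` from this page. The application name `payments` and the `-policy` suffix are illustrative.

```shell
#!/bin/sh
# Added example: render a least-privilege KV v2 policy for one application
# and verify it with `vault token capabilities`. Not from the original page.
set -eu

# KV v2 exposes one logical secret through two API paths:
#   secret/data/<path>      read the current version / write a new one
#   secret/metadata/<path>  list keys, read version history, delete/destroy versions
render_app_policy() {  # usage: render_app_policy APP  -> policy HCL on stdout
  app=$1
  cat <<EOF
# Secrets for $app: read the current version, write new versions
path "secret/data/$app/*" {
  capabilities = ["create", "update", "read"]
}

# Listing and version history live under metadata/
path "secret/metadata/$app/*" {
  capabilities = ["list", "read"]
}

# Explicit deny wins over every other matching stanza
path "secret/data/$app/admin" {
  capabilities = ["deny"]
}
EOF
}

# Live part: install the policy, mint a token that holds ONLY that policy,
# and ask Vault what it may do on concrete paths. Reading the policy back is
# not a test; `token capabilities` evaluates it the way a request would.
install_and_check() {  # usage: install_and_check APP
  app=$1
  render_app_policy "$app" | vault policy write "$app-policy" -
  tok=$(vault token create -policy="$app-policy" -ttl=10m -field=token)
  echo "secret/data/$app/db:       $(VAULT_TOKEN=$tok vault token capabilities "secret/data/$app/db")"
  echo "secret/metadata/$app/:     $(VAULT_TOKEN=$tok vault token capabilities "secret/metadata/$app/")"
  echo "secret/data/$app/admin:    $(VAULT_TOKEN=$tok vault token capabilities "secret/data/$app/admin")"
  echo "secret/data/other/x:       $(VAULT_TOKEN=$tok vault token capabilities "secret/data/other/x")"
  vault token revoke "$tok" >/dev/null
}

if [ "${RUN_LIVE:-0}" = 1 ]; then install_and_check payments; fi
```

Expected when run live: `create, read, update` on `secret/data/payments/db`, `list, read` on `secret/metadata/payments/`, and `deny` for both the admin path and anything outside the application's prefix.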
Authentication methods
Enable auth methods

| Command | Description |
|---|---|
| `vault auth enable userpass` | Enable username/password |
| `vault auth enable ldap` | Enable LDAP |
| `vault auth enable github` | Enable GitHub |
| `vault auth enable aws` | Enable AWS IAM |
| `vault auth enable kubernetes` | Enable Kubernetes |

Configure auth methods

| Command | Description |
|---|---|
| `vault write auth/userpass/users/myuser password=mypass policies=my-policy` | Create a user and attach a policy |
| `vault write auth/ldap/config url="ldap://ldap.example.com" userdn="ou=Users,dc=example,dc=com"` | Configure LDAP (use `ldaps://` or `starttls=true` in production so credentials are not sent in cleartext) |
| `vault write auth/github/config organization=myorg` | Configure GitHub (only members of this organization can log in) |
Audit logging
Enable audit devices

| Command | Description |
|---|---|
| `vault audit enable file file_path=/vault/logs/audit.log` | Enable file audit |
| `vault audit enable syslog` | Enable syslog audit |
| `vault audit list` | List audit devices |
| `vault audit disable file/` | Disable an audit device |

Vault refuses to serve requests if it cannot write to at least one enabled audit device, so enable two devices (e.g. file and syslog) and monitor disk space on the file target.
High availability and clustering
Cluster operations

| Command | Description |
|---|---|
| `vault operator init` | Initialize the Vault cluster (prints the unseal key shares and the initial root token, once) |
| `vault operator unseal` | Unseal Vault (run once per key share until the threshold is reached) |
| `vault operator seal` | Seal Vault |
| `vault operator step-down` | Step down as the active node |
| `vault operator raft list-peers` | List Raft peers (Integrated Storage) |
Backup and recovery

| Command | Description |
|---|---|
| `vault operator raft snapshot save backup.snap` | Create a snapshot (encrypted with the cluster's keys; still treat it as sensitive) |
| `vault operator raft snapshot restore backup.snap` | Restore a snapshot |
Configuration examples
Server configuration

```hcl
# Development-style configuration: tls_disable = 1 means tokens and secrets
# travel in cleartext. Do not use outside a lab.
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

api_addr     = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
ui           = true
```
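The configuration above contradicts the "Enable TLS" best practice further down. As an added example (not from the original page), here is the same server written the way it would be deployed: TLS on the listener, Integrated Storage instead of Consul, and addresses that clients and cluster peers can actually reach. The hostnames, file paths and node ID are placeholders.

```hcl
# Added example: production-style counterpart of the dev configuration above.
# Integrated Storage (Raft): no external Consul cluster to secure and back up.
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"
}

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  # TLS is mandatory: the listener terminates it with a server certificate
  # issued for the name clients use in VAULT_ADDR.
  tls_cert_file   = "/etc/vault/tls/vault.crt"
  tls_key_file    = "/etc/vault/tls/vault.key"
  tls_min_version = "tls12"
}

# Advertised to clients and peers; must be HTTPS and resolvable from outside.
api_addr     = "https://vault-1.example.com:8200"
cluster_addr = "https://vault-1.example.com:8201"

# Recommended by HashiCorp with Integrated Storage (Raft already fsyncs its
# data files; mlock would interfere with its memory usage).
disable_mlock = true

ui = true
```

Pair this with the `seal "awskms"` stanza shown next so that restarts do not require a manual unseal, and point `VAULT_CACERT` at the CA that issued `vault.crt` on every client.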
Auto-unseal with AWS KMS

```hcl
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "12345678-1234-1234-1234-123456789012"
}
```
Environment variables

| Variable | Description |
|---|---|
| `VAULT_ADDR` | Vault server address |
| `VAULT_TOKEN` | Authentication token (takes precedence over `~/.vault-token`) |
| `VAULT_NAMESPACE` | Vault namespace (Enterprise) |
| `VAULT_CACERT` | CA certificate file used to verify the server |
| `VAULT_CLIENT_CERT` | Client certificate file (TLS client auth) |
| `VAULT_CLIENT_KEY` | Client private key file |
Best practices
Security
- **Enable TLS**: always use TLS in production
- **Least privilege**: grant only the permissions that are required
- **Token TTL**: use short-lived tokens
- **Audit logging**: enable full audit logging
- **Seal/Unseal**: implement proper seal/unseal procedures (auto-unseal with a KMS, or Shamir key shares held by different people)
Operations
- **High availability**: deploy in HA mode for production
- **Backup strategy**: take regular snapshots and backups
- **Monitoring**: monitor Vault health and performance
- **Rotation**: rotate keys and credentials regularly
- **Access patterns**: monitor and analyse access patterns
Development
- **Dev mode**: use dev mode only for development
- **Policy testing**: test policies before rolling them out
- **Secret versioning**: use KV v2 versioning for rollbacks
- **Integration**: integrate with CI/CD pipelines
- **Documentation**: document secret paths and policies