cli-tool
intermediate
utility
Défaut
Copier toutes les commandes
Générer PDF
HashiCorp complet Commandes et workflows Vault pour la gestion des secrets, le chiffrement et l'accès sécurisé aux données sensibles.
Installation et configuration
Command
Description
vault versionShow Vault version
vault server -devStart development server
vault server -config=config.hclStart with configuration file
vault statusCheck server status
Authentification & Connexion
Authentification de base
Command
Description
vault auth -method=userpass username=myuserLogin with username/password
vault auth -method=ldap username=myuserLogin with LDAP
vault auth -method=github token=mytokenLogin with GitHub
vault auth -method=awsLogin with AWS IAM
vault auth -method=kubernetesLogin with Kubernetes
Gestion des jetons
Command
Description
vault token createCreate new token
vault token create -ttl=1hCreate token with TTL
vault token lookupLook up current token
vault token renewRenew current token
vault token revoke TOKENRevoke specific token
Gestion des secrets
Secrets de valeur clé (v2)
Command
Description
vault kv put secret/myapp username=admin password=secretStore secret
vault kv get secret/myappRetrieve secret
vault kv get -field=password secret/myappGet specific field
vault kv delete secret/myappDelete secret
vault kv list secret/List secrets
vault kv metadata get secret/myappGet metadata
Versions secrètes
Command
Description
vault kv put secret/myapp @data.jsonStore from JSON file
vault kv get -version=2 secret/myappGet specific version
vault kv rollback -version=1 secret/myappRollback to version
vault kv destroy -versions=2,3 secret/myappDestroy versions
vault kv undelete -versions=2 secret/myappUndelete versions
Moteur des secrets de base de données
Configuration de la base de données
Command
Description
vault secrets enable databaseEnable database engine
vault write database/config/my-mysql-database plugin_name=mysql-database-plugin connection_url="\\{\\{username\\}\\}:\\{\\{password\\}\\}@tcp(localhost:3306)/" allowed_roles="my-role" username="vaultuser" password="vaultpass"Configure MySQL
vault write database/roles/my-role db_name=my-mysql-database creation_statements="CREATE USER '\\{\\{name\\}\\}'@'%' IDENTIFIED BY '\\{\\{password\\}\\}';GRANT SELECT ON *.* TO '\\{\\{name\\}\\}'@'%';" default_ttl="1h" max_ttl="24h"Create role
Pouvoirs dynamiques
Command
Description
vault read database/creds/my-roleGenerate database credentials
vault write database/rotate-root/my-mysql-databaseRotate root credentials
ICP (Infrastructure à clé publique)
Configuration de l'ICP
Command
Description
vault secrets enable pkiEnable PKI engine
vault secrets tune -max-lease-ttl=87600h pkiSet max TTL
vault write pki/root/generate/internal common_name=example.com ttl=87600hGenerate root CA
vault write pki/config/urls issuing_certificates="http://vault.example.com:8200/v1/pki/ca" crl_distribution_points="http://vault.example.com:8200/v1/pki/crl"Configure URLs
Gestion des certificats
Command
Description
vault write pki/roles/example-dot-com allowed_domains=example.com allow_subdomains=true max_ttl=72hCreate role
vault write pki/issue/example-dot-com common_name=test.example.comIssue certificate
vault write pki/revoke serial_number=39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58Revoke certificate
Moteur AWS Secrets
Configuration AWS
Command
Description
vault secrets enable awsEnable AWS engine
vault write aws/config/root access_key=AKIAI... secret_key=R4nm...Configure root credentials
vault write aws/roles/my-role credential_type=iam_user policy_document=-<<EOF \\{...\\} EOFCreate IAM role
Pouvoirs
Command
Description
vault read aws/creds/my-roleGenerate AWS credentials
vault write aws/sts/my-role ttl=15mGenerate STS credentials
Moteur des secrets de transit
Configuration du chiffrement
Command
Description
vault secrets enable transitEnable transit engine
vault write transit/keys/my-key type=aes256-gcm96Create encryption key
vault write transit/encrypt/my-key plaintext=$(base64 <<< "my secret data")Encrypt data
vault write transit/decrypt/my-key ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==Decrypt data
Gestion des clés
Command
Description
vault write transit/keys/my-key/rotateRotate encryption key
vault read transit/keys/my-keyRead key information
vault write transit/rewrap/my-key ciphertext=vault:v1:...Rewrap with latest key
Politiques
Gestion des politiques
Command
Description
vault policy write my-policy policy.hclCreate/update policy
vault policy read my-policyRead policy
vault policy listList all policies
vault policy delete my-policyDelete policy
Exemple de politique
# Read operation on the k/v secrets
path "secret/data/*" \\\\{
capabilities = ["read"]
\\\\}
# Write operation on the k/v secrets
path "secret/data/myapp/*" \\\\{
capabilities = ["create", "update"]
\\\\}
# Deny all access to secret/admin
path "secret/data/admin" \\\\{
capabilities = ["deny"]
\\\\}
Méthodes
Activer les méthodes d'auth
Command
Description
vault auth enable userpassEnable username/password
vault auth enable ldapEnable LDAP
vault auth enable githubEnable GitHub
vault auth enable awsEnable AWS IAM
vault auth enable kubernetesEnable Kubernetes
Command
Description
vault write auth/userpass/users/myuser password=mypass policies=my-policyCreate user
vault write auth/ldap/config url="ldap://ldap.example.com" userdn="ou=Users,dc=example,dc=com"Configure LDAP
vault write auth/github/config organization=myorgConfigure GitHub
Comptabilisation des audits
Activer les appareils de vérification
Command
Description
vault audit enable file file_path=/vault/logs/audit.logEnable file audit
vault audit enable syslogEnable syslog audit
vault audit listList audit devices
vault audit disable file/Disable audit device
Haute disponibilité et regroupement
Opérations des groupes thématiques
Command
Description
vault operator initInitialize Vault cluster
vault operator unsealUnseal Vault
vault operator sealSeal Vault
vault operator step-downStep down as leader
vault operator raft list-peersList Raft peers
Sauvegarde et récupération
Command
Description
vault operator raft snapshot save backup.snapCreate snapshot
vault operator raft snapshot restore backup.snapRestore snapshot
Exemples de configuration
Configuration du serveur
```hcl
storage "consul" \\{
address = "127.0.0.1:8500"
path = "vault/"
\\}
listener "tcp" \\{
address = "0.0.0.0:8200"
tls_disable = 1
\\}
api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
ui = true
```_
Auto-unseal avec AWS KMS
hcl
seal "awskms" \\\\{
region = "us-east-1"
kms_key_id = "12345678-1234-1234-1234-123456789012"
\\\\}_
Variables d'environnement
Variable
Description
VAULT_ADDRVault server address
VAULT_TOKENAuthentication token
VAULT_NAMESPACEVault namespace (Enterprise)
VAULT_CACERTCA certificate file
VAULT_CLIENT_CERTClient certificate file
VAULT_CLIENT_KEYClient private key file
Meilleures pratiques
Sécurité
Enable TLS : toujours utiliser TLS en productionLeast Privilege : accorder des autorisations minimales requisesToken TTL : Utiliser des jetons à courte durée de vieAudit Logging : Activer l'enregistrement d'audit complet** Seal/Unseal**: Mettre en œuvre les procédures appropriées de scellement/unseal
Opérations
Haute disponibilité : Déployer en mode HA pour la productionStratégie de sauvegarde : Photographies et sauvegardes régulièresSurveillance : Surveiller la santé et la performance des faillesRotation : rotation régulière des clés et des titresModèles d'accès : Surveiller et analyser les modèles d'accès
Développement
** Mode Dev**: Utilisez le mode dev uniquement pour le développement
Essais de politique : Les politiques d'essaiVersion du SECRET : Utiliser la version secrète pour les rollbacksIntégration : Intégration avec les pipelines CI/CDDocumentation : Documenter les voies et les politiques secrètes