볼트
All 모든 명령 복사
< PDF 생성
종합 HashiCorp 비밀 관리, 암호화 및 민감한 데이터에 대한 보안 액세스를위한 Vault 명령 및 워크플로우.
설치 및 설치
Command
Description
vault versionShow Vault version
vault server -devStart development server
vault server -config=config.hclStart with configuration file
vault statusCheck server status
인증 및 로그인
기본 인증
Command
Description
vault auth -method=userpass username=myuserLogin with username/password
vault auth -method=ldap username=myuserLogin with LDAP
vault auth -method=github token=mytokenLogin with GitHub
vault auth -method=awsLogin with AWS IAM
vault auth -method=kubernetesLogin with Kubernetes
토큰 관리
Command
Description
vault token createCreate new token
vault token create -ttl=1hCreate token with TTL
vault token lookupLook up current token
vault token renewRenew current token
vault token revoke TOKENRevoke specific token
비밀 관리
열쇠 고리 비밀 (v2)
Command
Description
vault kv put secret/myapp username=admin password=secretStore secret
vault kv get secret/myappRetrieve secret
vault kv get -field=password secret/myappGet specific field
vault kv delete secret/myappDelete secret
vault kv list secret/List secrets
vault kv metadata get secret/myappGet metadata
비밀 버전
Command
Description
vault kv put secret/myapp @data.jsonStore from JSON file
vault kv get -version=2 secret/myappGet specific version
vault kv rollback -version=1 secret/myappRollback to version
vault kv destroy -versions=2,3 secret/myappDestroy versions
vault kv undelete -versions=2 secret/myappUndelete versions
데이터베이스 비밀 엔진
Database 구성
Command
Description
vault secrets enable databaseEnable database engine
vault write database/config/my-mysql-database plugin_name=mysql-database-plugin connection_url="\\{\\{username\\}\\}:\\{\\{password\\}\\}@tcp(localhost:3306)/" allowed_roles="my-role" username="vaultuser" password="vaultpass"Configure MySQL
vault write database/roles/my-role db_name=my-mysql-database creation_statements="CREATE USER '\\{\\{name\\}\\}'@'%' IDENTIFIED BY '\\{\\{password\\}\\}';GRANT SELECT ON *.* TO '\\{\\{name\\}\\}'@'%';" default_ttl="1h" max_ttl="24h"Create role
동적인 Credentials
Command
Description
vault read database/creds/my-roleGenerate database credentials
vault write database/rotate-root/my-mysql-databaseRotate root credentials
PKI (Public Key 인프라)
PKI 설정
Command
Description
vault secrets enable pkiEnable PKI engine
vault secrets tune -max-lease-ttl=87600h pkiSet max TTL
vault write pki/root/generate/internal common_name=example.com ttl=87600hGenerate root CA
vault write pki/config/urls issuing_certificates="http://vault.example.com:8200/v1/pki/ca" crl_distribution_points="http://vault.example.com:8200/v1/pki/crl"Configure URLs
인증서 관리
Command
Description
vault write pki/roles/example-dot-com allowed_domains=example.com allow_subdomains=true max_ttl=72hCreate role
vault write pki/issue/example-dot-com common_name=test.example.comIssue certificate
vault write pki/revoke serial_number=39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58Revoke certificate
AWS 비밀 엔진
AWS 구성
Command
Description
vault secrets enable awsEnable AWS engine
vault write aws/config/root access_key=AKIAI... secret_key=R4nm...Configure root credentials
vault write aws/roles/my-role credential_type=iam_user policy_document=-<<EOF \\{...\\} EOFCreate IAM role
AWS 자격
Command
Description
vault read aws/creds/my-roleGenerate AWS credentials
vault write aws/sts/my-role ttl=15mGenerate STS credentials
교통 비밀 엔진
암호화 설정
Command
Description
vault secrets enable transitEnable transit engine
vault write transit/keys/my-key type=aes256-gcm96Create encryption key
vault write transit/encrypt/my-key plaintext=$(base64 <<< "my secret data")Encrypt data
vault write transit/decrypt/my-key ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==Decrypt data
핵심 관리
Command
Description
vault write transit/keys/my-key/rotateRotate encryption key
vault read transit/keys/my-keyRead key information
vault write transit/rewrap/my-key ciphertext=vault:v1:...Rewrap with latest key
회사연혁
정책 관리
Command
Description
vault policy write my-policy policy.hclCreate/update policy
vault policy read my-policyRead policy
vault policy listList all policies
vault policy delete my-policyDelete policy
예제 정책
카지노사이트
Auth 방법
Auth 방법 활성화
Command
Description
vault auth enable userpassEnable username/password
vault auth enable ldapEnable LDAP
vault auth enable githubEnable GitHub
vault auth enable awsEnable AWS IAM
vault auth enable kubernetesEnable Kubernetes
Auth 방법 구성
Command
Description
vault write auth/userpass/users/myuser password=mypass policies=my-policyCreate user
vault write auth/ldap/config url="ldap://ldap.example.com" userdn="ou=Users,dc=example,dc=com"Configure LDAP
vault write auth/github/config organization=myorgConfigure GitHub
감사 Logging
Enable 감사 장치
Command
Description
vault audit enable file file_path=/vault/logs/audit.logEnable file audit
vault audit enable syslogEnable syslog audit
vault audit listList audit devices
vault audit disable file/Disable audit device
높은 가용성 및 클러스터링
클러스터 작업
Command
Description
vault operator initInitialize Vault cluster
vault operator unsealUnseal Vault
vault operator sealSeal Vault
vault operator step-downStep down as leader
vault operator raft list-peersList Raft peers
백업 및 복구
Command
Description
vault operator raft snapshot save backup.snapCreate snapshot
vault operator raft snapshot restore backup.snapRestore snapshot
구성 예제
Server 구성
카지노사이트
AWS KMS로 자동 유출
카지노사이트
환경 변수
Variable
Description
VAULT_ADDRVault server address
VAULT_TOKENAuthentication token
VAULT_NAMESPACEVault namespace (Enterprise)
VAULT_CACERTCA certificate file
VAULT_CLIENT_CERTClient certificate file
VAULT_CLIENT_KEYClient private key file
최고의 연습
계정 관리
Enable TLS : 항상 생산에 TLS 사용Least Privilege : 최소 권한 부여토큰 TTL : 단기 토큰 사용명세 Audit Logging : 포괄적인 감사 로깅
명세 Seal/Unseal : 적절한 seal/unseal 절차 구현
영업 시간
**높은 가용성 **: HA 모드에 배포
** 백업 전략 **: 일반 스냅 샷 및 백업
Monitoring : Vault 건강 및 성능 모니터링명세 Rotation : 일정한 열쇠 및 credential 교체
명세 Access Patterns : 모니터 및 액세스 패턴 분석
회사연혁
Dev Mode : 개발만 사용** 정책 테스트**: 시험 정책 철저히
** 서버 버전**: rollbacks에 대한 비밀 버전 사용
명세 ** 통합 **: CI/CD 파이프라인과 통합
명세 Documentation : 문서 비밀 경로 및 정책