我正在使用 docker-compose 來擁有 2 個服務:vault-agent 和 vault server 都使用hashicorp/vault:latestdocker 鏡像在本地機器上進行開發。我在開發模式下運行 Vault 服務器:vault server -dev. 我這樣運行 vaul-agent ,vault agent -log-level debug -config=/helpers/vault-agent.hcl而vault-agent.hcl它是:
pid_file = "./pidfile"
vault {
address = "https://vault_dev:8200"
retry {
num_retries = 5
}
}
auto_auth {
method {
type = "approle"
config = {
role_id_file_path = "/helpers/role_id"
secret_id_file_path = "/helpers/secret_id"
remove_secret_id_file_after_reading = false
}
}
sink "file" {
config = {
path = "/helpers/sink_file"
}
}
}
cache {
use_auto_auth_token = true
}
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = true
}
我在 vault-agent 和 vaul 服務器之間使用 approle 身份驗證,所以我運行了這些命令:
vault secrets enable -version=2 kv
vault auth enable approle
vault policy write admin-policy /helpers/admin-policy.hcl
vault write auth/approle/role/dev-role token_policies="admin-policy"
而是admin-policy.hcl:
# Read system health check
path "sys/health"
{
capabilities = ["read", "sudo"]
}
# Create and manage ACL policies broadly across Vault
# List existing policies
path "sys/policies/acl"
{
capabilities = ["list"]
}
# Create and manage ACL policies
path "sys/policies/acl/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Enable and manage authentication methods broadly across Vault
# Manage auth methods broadly across Vault
path "auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Create, update, and delete auth methods
path "sys/auth/*"
{
capabilities = ["create", "update", "delete", "sudo"]
}
# List auth methods
path "sys/auth"
{
capabilities = ["read"]
}
# Enable and manage the key/value secrets engine at `kv/` path
# List, create, update, and delete key/value secrets
path "kv/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List, create, update, and delete key/value secrets
path "secret/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage Entities and Entity alias
path "identity/entity-alias"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity-alias/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "identity/entity/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage secrets engines
path "sys/mounts/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List existing secrets engines.
path "sys/mounts"
{
capabilities = ["read"]
}
但是,當我vault kv put secret/hello foo=bar從 Vault-agent 容器內部運行時,我收到此錯誤:
Error making API request.
URL: GET http://vault_dev:8200/v1/sys/internal/ui/mounts/secret/hello
Code: 403. Errors:
* permission denied
如果我運行export VAULT_TOKEN=root然后vault kv put secret/hello foo=bar它作業。所以我猜 vault-agent 和 vault 服務器之間的通信是有效的,我也沒有看到 vault-agent 容器中記錄了任何錯誤(只有 INFO 訊息),但我仍然需要一個令牌來對 vault-agent 執行操作,即使整個Vault-agent 的要點是將身份驗證委托給代理。我錯過了什么?
uj5u.com熱心網友回復:
此時您已啟用 AppRole 身份驗證,并為身份驗證創建了 AppRole 路徑,其中角色系結到策略。您現在需要:
vault read auth/approle/role/dev-role/role-id
檢索role_id
vault write -f auth/approle/role/dev-role/secret-id
檢索secret_id推入模式,然后
vault write auth/approle/login role_id=<role id> secret_id=<secret id>
檢索令牌以進行身份??驗證。然后,您可以將該標記用于vault login,或將其設定VAULT_TOKEN為環境變數。
轉載請註明出處,本文鏈接:https://www.uj5u.com/gongcheng/460632.html
上一篇:使用格式寫入陣列
