├── README.md ├── m4 ├── ford.json ├── webpol.hcl ├── azure-role.json ├── auth_data.json ├── ldap-config.json ├── devpol.hcl ├── devpol.json ├── m4-tokenwrapping.sh ├── m4-azuresecrets.sh ├── m4-basicauth.sh └── m4-activedirectory.sh ├── m5 ├── consul │ ├── server.hcl │ ├── consul.hcl │ ├── consul-agent.hcl │ ├── consul.service │ ├── consul-deploy-agent.sh │ └── consul-deploy.sh ├── vault │ ├── vault.hcl │ ├── vault.service │ └── vault-deploy.sh └── m5-serveroperations.sh ├── m3 ├── dev-b-moved.json ├── dev-b-moved-v2.json ├── dev-b.json ├── m3-mysqlengine.sh ├── m3-secretengine.sh └── m3-secretslifecycle.sh ├── m2 ├── marvin.json └── m2-secrets.sh ├── m0 ├── ha-deployment │ └── consul │ │ ├── consul.tfplan │ │ ├── consul.tpl │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── main.tf ├── consul │ ├── config │ │ └── consul-config.json │ └── Dockerfile ├── vault │ ├── config │ │ └── vault-config.json │ └── Dockerfile ├── setup.ps1 └── docker-compose.yml ├── m6 ├── auditconfig.json └── m6-auditconfig.sh ├── .gitignore └── LICENSE /README.md: -------------------------------------------------------------------------------- 1 | # Getting-Started-Vault 2 | -------------------------------------------------------------------------------- /m4/ford.json: -------------------------------------------------------------------------------- 1 | { 2 | "password": "prefect" 3 | } -------------------------------------------------------------------------------- /m5/consul/server.hcl: -------------------------------------------------------------------------------- 1 | server = true 2 | bootstrap_expect = 1 3 | ui = true -------------------------------------------------------------------------------- /m4/webpol.hcl: -------------------------------------------------------------------------------- 1 | path "webkv/*" { 2 | capabilities = ["read", "list"] 3 | } 4 | -------------------------------------------------------------------------------- /m3/dev-b-moved.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "from": "dev-b", 3 | "to": "dev-b-moved" 4 | } -------------------------------------------------------------------------------- /m3/dev-b-moved-v2.json: -------------------------------------------------------------------------------- 1 | { 2 | "options":{ 3 | "version": "2" 4 | } 5 | } -------------------------------------------------------------------------------- /m3/dev-b.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "kv", 3 | "options": { 4 | "version": "1" 5 | } 6 | } -------------------------------------------------------------------------------- /m2/marvin.json: -------------------------------------------------------------------------------- 1 | { 2 | "data": { 3 | "paranoid": true, 4 | "status": "bored" 5 | } 6 | } -------------------------------------------------------------------------------- /m0/ha-deployment/consul/consul.tfplan: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ned1313/Getting-Started-Vault/HEAD/m0/ha-deployment/consul/consul.tfplan -------------------------------------------------------------------------------- /m6/auditconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "file", 3 | "options": { 4 | "file_path": "var/log/vault/vault_audit1.log", 5 | "log_raw": true 6 | } 7 | } -------------------------------------------------------------------------------- /m5/consul/consul.hcl: -------------------------------------------------------------------------------- 1 | datacenter = "dc0" 2 | data_dir = "/opt/consul" 3 | encrypt = "sJ4givaF082CMF4rjWKdVQ==" 4 | advertise_addr = "10.0.0.9" 5 | retry_join = ["10.0.0.9"] -------------------------------------------------------------------------------- /m4/azure-role.json: 
-------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "role_name": "Contributor", 4 | "scope": "/subscriptions/4d8e572a-3214-40e9-a26f-8f71ecd24e0d/resourceGroups/vault_test_group" 5 | } 6 | ] 7 | -------------------------------------------------------------------------------- /m5/consul/consul-agent.hcl: -------------------------------------------------------------------------------- 1 | datacenter = "dc0" 2 | data_dir = "/opt/consul" 3 | encrypt = "sJ4givaF082CMF4rjWKdVQ==" 4 | bind_addr = "10.0.1.6" 5 | client_addr = "127.0.0.1" 6 | retry_join = ["10.0.0.9"] -------------------------------------------------------------------------------- /m4/auth_data.json: -------------------------------------------------------------------------------- 1 | { 2 | "role": "ROLE_NAME_STRING", 3 | "jwt": "JWT_STRING", 4 | "subscription_id": "SUBSCRIPTION_ID_STRING", 5 | "resource_group_name": "RESOURCE_GROUP_NAME_STRING", 6 | "vm_name": "VM_NAME_STRING" 7 | } -------------------------------------------------------------------------------- /m0/consul/config/consul-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "datacenter": "localhost", 3 | "data_dir": "/consul/data", 4 | "log_level": "DEBUG", 5 | "server": true, 6 | "ui": true, 7 | "ports": { 8 | "dns": 53 9 | } 10 | } -------------------------------------------------------------------------------- /m0/ha-deployment/consul/consul.tpl: -------------------------------------------------------------------------------- 1 | datacenter = "dc1" 2 | data_dir = "/opt/consul" 3 | encrypt = "${encrypt_key}" 4 | advertise_addr = "${node_ip_address}" 5 | retry_join = ["${node_1_ip_address}", "${node_2_ip_address}", "${node_3_ip_address}"] -------------------------------------------------------------------------------- /m0/vault/config/vault-config.json: -------------------------------------------------------------------------------- 1 | { 2 | 
"backend": { 3 | "file": { 4 | "path": "vault/data" 5 | } 6 | }, 7 | "listener": { 8 | "tcp":{ 9 | "address": "0.0.0.0:8200", 10 | "tls_disable": 1 11 | } 12 | }, 13 | "ui": true 14 | } -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Local .terraform directories 2 | **/.terraform/* 3 | 4 | # .tfstate files 5 | *.tfstate 6 | *.tfstate.* 7 | 8 | # .tfvars files 9 | *.tfvars 10 | 11 | # vault files 12 | **/vault/data/* 13 | **/vault/logs/* 14 | **/vault/policies/* 15 | *.seal 16 | 17 | # cert files 18 | *.pem 19 | -------------------------------------------------------------------------------- /m0/ha-deployment/consul/outputs.tf: -------------------------------------------------------------------------------- 1 | ################################################################################### 2 | # OUTPUTS 3 | ################################################################################### 4 | 5 | output "consul_template" { 6 | value = "${data.template_file.consul_config.*.rendered}" 7 | } 8 | -------------------------------------------------------------------------------- /m0/setup.ps1: -------------------------------------------------------------------------------- 1 | #For Windows, install Chocolately for package management 2 | #This has to be run from an admin console 3 | Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')) 4 | 5 | #Now install vault and jq using Chocolatey 6 | choco install vault jq -y -------------------------------------------------------------------------------- /m5/vault/vault.hcl: -------------------------------------------------------------------------------- 1 | listener "tcp" { 2 | address = "0.0.0.0:8200" 3 | cluster_address = "0.0.0.0:8201" 4 | tls_cert_file = "/etc/vault/certs/vault_cert.crt" 5 | tls_key_file = 
"/etc/vault/certs/vault_cert.key" 6 | } 7 | 8 | storage "consul" { 9 | address = "127.0.0.1:8500" 10 | path = "vault/" 11 | } 12 | 13 | api_addr = "https://10.0.1.6:8200" 14 | cluster_addr = "https://10.0.1.6:8201" 15 | disable_mlock = true 16 | -------------------------------------------------------------------------------- /m0/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.6' 2 | 3 | services: 4 | 5 | vault: 6 | build: 7 | context: ./vault 8 | dockerfile: Dockerfile 9 | ports: 10 | - 8200:8200 11 | volumes: 12 | - ./vault/config:/vault/config 13 | - ./vault/policies:/vault/policies 14 | - ./vault/data:/vault/data 15 | - ./vault/logs:/vault/logs 16 | environment: 17 | - VAULT_ADDR=http://127.0.0.1:8200 18 | command: server -config=/vault/config/vault-config.json 19 | cap_add: 20 | - IPC_LOCK -------------------------------------------------------------------------------- /m5/consul/consul.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description="HashiCorp Consul - A service mesh solution" 3 | Documentation=https://www.consul.io/ 4 | Requires=network-online.target 5 | After=network-online.target 6 | ConditionFileNotEmpty=/etc/consul.d/consul.hcl 7 | 8 | [Service] 9 | User=consul 10 | Group=consul 11 | ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul.d/ 12 | ExecReload=/usr/local/bin/consul reload 13 | KillMode=process 14 | Restart=on-failure 15 | LimitNOFILE=65536 16 | 17 | [Install] 18 | WantedBy=multi-user.target -------------------------------------------------------------------------------- /m4/ldap-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "url": "ldaps://adDC-0.globomantics.xyz:636", 3 | "userattr":"sAMAccountName", 4 | "userdn":"ou=Globo Users,dc=globomantics,dc=xyz", 5 | "groupdn":"ou=Globo Groups,dc=globomantics,dc=xyz", 6 | 
"groupfilter":"(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))", 7 | "binddn":"cn=vault-ldap,cn=Users,dc=globomantics,dc=xyz", 8 | "bindpass":"VerySecurePassword@123", 9 | "groupattr":"memberOf", 10 | "certificate":"PASTE_PEM_VALUE_HERE", 11 | "insecure_tls":false, 12 | "starttls":true 13 | } -------------------------------------------------------------------------------- /m4/devpol.hcl: -------------------------------------------------------------------------------- 1 | path "devkv/*" { 2 | capabilities = ["create", "read", "update", "delete", "list"] 3 | } 4 | 5 | path "devkv/appId*" { 6 | capabilities = ["create", "read", "update", "delete", "list"] 7 | 8 | allowed_parameters = { 9 | "api-key" = [] 10 | "environment" = ["dev", "qa","staging","production"] 11 | "description" = [] 12 | } 13 | } 14 | 15 | path "secret/data/{{identity.entity.id}}/*" { 16 | capabilities = ["create", "update", "read", "delete"] 17 | } 18 | 19 | path "secret/metadata/{{identity.entity.id}}/*" { 20 | capabilities = ["list"] 21 | } -------------------------------------------------------------------------------- /m4/devpol.json: -------------------------------------------------------------------------------- 1 | { 2 | "policy": "path \"devkv/*\" {\r\n capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\r\n}\r\n\r\npath \"devkv/appId*\" {\r\n capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\r\n\r\n allowed_parameters = {\r\n \"api-key\" = []\r\n \"environment\" = [\"dev\", \"qa\",\"staging\",\"production\"]\r\n \"description\" = []\r\n }\r\n}\r\n\r\npath \"secret/data/{{identity.entity.id}}/*\" {\r\n capabilities = [\"create\", \"update\", \"read\", \"delete\"]\r\n}\r\n\r\npath \"secret/metadata/{{identity.entity.id}}/*\" {\r\n capabilities = [\"list\"]\r\n}" 3 | } -------------------------------------------------------------------------------- /m0/ha-deployment/consul/variables.tf: 
-------------------------------------------------------------------------------- 1 | ################# VARIABLES ########################## 2 | 3 | #Azure info 4 | variable "az_location" { 5 | default = "eastus" 6 | } 7 | variable "az_resource_group_name" { 8 | default = "vault-demo" 9 | } 10 | 11 | #Azure Credentials 12 | variable "az_subscription" {} 13 | variable "az_client_id" {} 14 | variable "az_tenant_id" {} 15 | variable "az_client_secret" {} 16 | 17 | #VNet settings 18 | variable "vnet_cidr" { 19 | default = "10.0.1.0/22" 20 | } 21 | 22 | #Consul info 23 | variable "consul_version" { 24 | default = "1.4.0" 25 | } 26 | 27 | variable "consul_key" { 28 | default = "BgVgz1dyqCP1d9fyDGwnPw==" 29 | } 30 | 31 | -------------------------------------------------------------------------------- /m0/vault/Dockerfile: -------------------------------------------------------------------------------- 1 | # base image 2 | FROM alpine:3.7 3 | 4 | # set vault version 5 | ENV VAULT_VERSION 1.0.0 6 | 7 | # create a new directory 8 | RUN mkdir /vault 9 | 10 | # download dependencies 11 | RUN apk --no-cache add \ 12 | bash \ 13 | ca-certificates \ 14 | wget 15 | 16 | # download and set up vault 17 | RUN wget --quiet --output-document=/tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \ 18 | unzip /tmp/vault.zip -d /vault && \ 19 | rm -f /tmp/vault.zip && \ 20 | chmod +x /vault 21 | 22 | # update PATH 23 | ENV PATH="PATH=$PATH:$PWD/vault" 24 | 25 | # add the config file 26 | COPY ./config/vault-config.json /vault/config/vault-config.json 27 | 28 | # expose port 8200 29 | EXPOSE 8200 30 | 31 | # run vault 32 | ENTRYPOINT ["vault"] -------------------------------------------------------------------------------- /m5/vault/vault.service: -------------------------------------------------------------------------------- 1 | ### BEGIN INIT INFO 2 | # Provides: vault 3 | # Required-Start: $local_fs $remote_fs 4 | # Required-Stop: 
$local_fs $remote_fs 5 | # Default-Start: 2 3 4 5 6 | # Default-Stop: 0 1 6 7 | # Short-Description: Vault server 8 | # Description: Vault secret management tool 9 | ### END INIT INFO 10 | 11 | [Unit] 12 | Description=Vault secret management tool 13 | Requires=network-online.target 14 | After=network-online.target 15 | 16 | [Service] 17 | User=vault 18 | Group=vault 19 | PIDFile=/var/run/vault/vault.pid 20 | ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault_server.hcl -log-level=debug 21 | ExecReload=/bin/kill -HUP $MAINPID 22 | KillMode=process 23 | KillSignal=SIGTERM 24 | Restart=on-failure 25 | RestartSec=42s 26 | LimitMEMLOCK=infinity 27 | 28 | [Install] 29 | WantedBy=multi-user.target -------------------------------------------------------------------------------- /m0/consul/Dockerfile: -------------------------------------------------------------------------------- 1 | # base image 2 | FROM alpine:3.7 3 | 4 | # set consul version 5 | ENV CONSUL_VERSION 1.4.0 6 | 7 | # create a new directory 8 | RUN mkdir /consul 9 | 10 | # download dependencies 11 | RUN apk --no-cache add \ 12 | bash \ 13 | ca-certificates \ 14 | wget 15 | 16 | # download and set up consul 17 | RUN wget --quiet --output-document=/tmp/consul.zip https://releases.hashicorp.com/consul/${CONSUL_VERSION}/consul_${CONSUL_VERSION}_linux_amd64.zip && \ 18 | unzip /tmp/consul.zip -d /consul && \ 19 | rm -f /tmp/consul.zip && \ 20 | chmod +x /consul/consul 21 | 22 | # update PATH 23 | ENV PATH="PATH=$PATH:$PWD/consul" 24 | 25 | # add the config file 26 | COPY ./config/consul-config.json /consul/config/config.json 27 | 28 | # expose ports 29 | EXPOSE 8300 8400 8500 8600 30 | 31 | # run consul 32 | ENTRYPOINT ["consul"] -------------------------------------------------------------------------------- /m5/consul/consul-deploy-agent.sh: -------------------------------------------------------------------------------- 1 | #Consul Build commands 2 | 3 | #Install Consul 4 | sudo apt update -y 5 | 
sudo apt install unzip -y 6 | CONSUL_VERSION="1.4.1" 7 | wget https://releases.hashicorp.com/consul/${CONSUL_VERSION}/consul_${CONSUL_VERSION}_linux_amd64.zip 8 | unzip consul_${CONSUL_VERSION}_linux_amd64.zip 9 | sudo chown root:root consul 10 | sudo mv consul /usr/local/bin/ 11 | 12 | #Prepare for systemd 13 | sudo useradd --system --home /etc/consul.d --shell /bin/false consul 14 | sudo mkdir --parents /opt/consul 15 | sudo chown --recursive consul:consul /opt/consul 16 | 17 | sudo touch /etc/systemd/system/consul.service 18 | 19 | #Create general config 20 | ip addr 21 | sudo mkdir --parents /etc/consul.d 22 | sudo touch /etc/consul.d/consul.hcl 23 | sudo chown --recursive consul:consul /etc/consul.d 24 | sudo chmod 640 /etc/consul.d/consul.hcl 25 | 26 | #Start service 27 | sudo systemctl enable consul 28 | sudo systemctl start consul 29 | 30 | #Check consul status 31 | consul members 32 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Ned Bellavance 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /m5/consul/consul-deploy.sh: -------------------------------------------------------------------------------- 1 | #Consul Build commands 2 | 3 | #Install Consul 4 | sudo apt update -y 5 | sudo apt install unzip -y 6 | CONSUL_VERSION="1.4.1" 7 | wget https://releases.hashicorp.com/consul/${CONSUL_VERSION}/consul_${CONSUL_VERSION}_linux_amd64.zip 8 | unzip consul_${CONSUL_VERSION}_linux_amd64.zip 9 | sudo chown root:root consul 10 | sudo mv consul /usr/local/bin/ 11 | 12 | #Prepare for systemd 13 | sudo useradd --system --home /etc/consul.d --shell /bin/false consul 14 | sudo mkdir --parents /opt/consul 15 | sudo chown --recursive consul:consul /opt/consul 16 | 17 | sudo touch /etc/systemd/system/consul.service 18 | 19 | #Create general config 20 | consul keygen 21 | ip addr 22 | sudo mkdir --parents /etc/consul.d 23 | sudo touch /etc/consul.d/consul.hcl 24 | sudo chown --recursive consul:consul /etc/consul.d 25 | sudo chmod 640 /etc/consul.d/consul.hcl 26 | 27 | #Create server config 28 | sudo touch /etc/consul.d/server.hcl 29 | sudo chown --recursive consul:consul /etc/consul.d 30 | sudo chmod 640 /etc/consul.d/server.hcl 31 | 32 | #Start service 33 | sudo systemctl enable consul 34 | sudo systemctl start consul 35 | 36 | #Check status 37 | consul members 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /m0/ha-deployment/consul/main.tf: -------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # PROVIDERS 3 | 
################################################################################## 4 | 5 | provider "azurerm" { 6 | subscription_id = "${var.az_subscription}" 7 | client_id = "${var.az_client_id}" 8 | client_secret = "${var.az_client_secret}" 9 | tenant_id = "${var.az_tenant_id}" 10 | } 11 | 12 | ################################################################################### 13 | # DATA 14 | ################################################################################### 15 | 16 | locals { 17 | node_ip_addresses = { 18 | node_1 = "${cidrhost(cidrsubnet(var.vnet_cidr, 2, 1), 11)}" 19 | node_2 = "${cidrhost(cidrsubnet(var.vnet_cidr, 2, 1), 12)}" 20 | node_3 = "${cidrhost(cidrsubnet(var.vnet_cidr, 2, 1), 13)}" 21 | } 22 | } 23 | 24 | 25 | #Use template file for consul server config 26 | data "template_file" "consul_config" { 27 | 28 | count = 3 29 | 30 | template = "${file("./consul.tpl")}" 31 | 32 | vars { 33 | node_ip_address = "${cidrhost(cidrsubnet(var.vnet_cidr, 2, 1), (10 + count.index))}" 34 | node_1_ip_address = "${lookup(local.node_ip_addresses,"node_1")}" 35 | node_2_ip_address = "${lookup(local.node_ip_addresses,"node_2")}" 36 | node_3_ip_address = "${lookup(local.node_ip_addresses,"node_3")}" 37 | encrypt_key = "${var.consul_key}" 38 | } 39 | } 40 | 41 | 42 | ################################################################################### 43 | # RESOURCES 44 | ################################################################################### 45 | 46 | #Create VNet 47 | module "vnet" { 48 | source = "source" 49 | 50 | } 51 | 52 | #Create VM Instances 53 | -------------------------------------------------------------------------------- /m4/m4-tokenwrapping.sh: -------------------------------------------------------------------------------- 1 | #Export the Vault server running in AD environment 2 | export VAULT_ADDR=http://127.0.0.1:8200 3 | export VAULT_TOKEN=AddYourVaultTokenHere 4 | 5 | #For Windows 6 | $env:VAULT_ADDR = "http://127.0.0.1:8200" 
7 | $env:VAULT_TOKEN = "AddYourVaultTokenHere" 8 | $headers = @{ 9 | "X-Vault-Token" = $env:VAULT_TOKEN 10 | } 11 | 12 | #Log into Vault server as root 13 | vault login 14 | 15 | #Store a new application secret 16 | vault kv put secret/app-server api-key=123456 17 | 18 | #Create a wrapping token for 5 minutes 19 | vault kv get -wrap-ttl=300 secret/app-server 20 | 21 | #Retrieve the secret 22 | curl --header "X-Vault-Token: WRAPPING_TOKEN" --request POST \ 23 | $VAULT_ADDR/v1/sys/wrapping/unwrap | jq 24 | 25 | $wrapper_header = @{ 26 | "X-Vault-Token" = "WRAPPING_TOKEN" 27 | } 28 | 29 | Invoke-WebRequest -Method Post -Uri $env:VAULT_ADDR/v1/sys/wrapping/unwrap ` 30 | -UseBasicParsing -Headers $wrapper_header 31 | 32 | #Add the webkv store if you haven't already 33 | vault secrets enable -path=webkv kv 34 | 35 | #Add a secret to webkv 36 | vault kv put webkv/app-server api-key=123456 37 | 38 | #Add a web policy if you haven't already 39 | vault policy write web webpol.hcl 40 | 41 | #Create a token for an account using the web policy and wrap it 42 | vault token create -policy=web -wrap-ttl=300 43 | 44 | #Retrieve the app token 45 | curl --header "X-Vault-Token: WRAPPING_TOKEN" --request POST \ 46 | $VAULT_ADDR/v1/sys/wrapping/unwrap | jq 47 | 48 | $wrapper_header = @{ 49 | "X-Vault-Token" = "WRAPPING_TOKEN" 50 | } 51 | 52 | Invoke-WebRequest -Method Post -Uri $env:VAULT_ADDR/v1/sys/wrapping/unwrap ` 53 | -UseBasicParsing -Headers $wrapper_header 54 | 55 | #Retrieve a secret from webkv using new token 56 | #For Linux 57 | curl --header "X-Vault-Token: APP_TOKEN" $VAULT_ADDR/v1/webkv/app-server | jq 58 | 59 | #For Windows 60 | $app_header = @{ 61 | "X-Vault-Token" = "APP_TOKEN" 62 | } 63 | 64 | Invoke-WebRequest -Method Get -Uri $env:VAULT_ADDR/v1/webkv/app-server ` 65 | -UseBasicParsing -Headers $app_header 66 | -------------------------------------------------------------------------------- /m5/vault/vault-deploy.sh: 
-------------------------------------------------------------------------------- 1 | #Install Vault 2 | VAULT_VERSION="1.0.1" 3 | wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip 4 | unzip vault_${VAULT_VERSION}_linux_amd64.zip 5 | sudo chown root:root vault 6 | sudo mv vault /usr/local/bin/ 7 | 8 | #Prepare for systemd 9 | sudo useradd --system --home /etc/vault.d --shell /bin/false vault 10 | sudo mkdir --parents /opt/vault 11 | sudo chown --recursive vault:vault /opt/vault 12 | 13 | sudo touch /etc/systemd/system/vault.service 14 | 15 | #Create general config 16 | sudo mkdir --parents /etc/vault 17 | sudo touch /etc/vault/vault_server.hcl 18 | sudo chown --recursive vault:vault /etc/vault 19 | sudo chmod 640 /etc/vault/vault_server.hcl 20 | 21 | #Create certs (main server only - self-signed only) 22 | sudo mkdir /etc/vault/certs 23 | sudo openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out /etc/vault/certs/vault_cert.crt -keyout /etc/vault/certs/vault_cert.key 24 | sudo chown --recursive vault:vault /etc/vault/certs 25 | sudo chmod 750 --recursive /etc/vault/certs/ 26 | 27 | #Start service 28 | sudo systemctl enable vault 29 | sudo systemctl start vault 30 | 31 | #Adding certificates 32 | sudo mkdir /etc/vault/certs 33 | sudo add-apt-repository ppa:certbot/certbot -y 34 | sudo apt-get update 35 | sudo apt-get install certbot -y 36 | sudo certbot certonly --standalone --email ned@nedinthecloud.com -d vault-1.globomantics.xyz --agree-tos 37 | sudo cp /etc/letsencrypt/live/vault-1.globomantics.xyz/fullchain.pem /etc/vault/certs/vault_cert.crt 38 | sudo cp /etc/letsencrypt/live/vault-1.globomantics.xyz/privkey.pem /etc/vault/certs/vault_cert.key 39 | sudo chown --recursive vault:vault /etc/vault/certs 40 | sudo chmod 750 --recursive /etc/vault/certs/ 41 | 42 | #Add entry to hosts 43 | sudo vi /etc/hosts 44 | 45 | #Set environment variable for vault server 46 | export 
VAULT_ADDR=https://vault-1.globomantics.xyz:8200 47 | 48 | #Install auditd and the Log Analytics agent 49 | sudo mkdir /var/log/vault 50 | sudo chown vault:vault /var/log/vault 51 | vault audit enable file file_path=/var/log/vault/vault_audit.log 52 | -------------------------------------------------------------------------------- /m6/m6-auditconfig.sh: -------------------------------------------------------------------------------- 1 | #Set env variable 2 | #For Linux/MacOS 3 | export VAULT_ADDR=https://vault-1.globomantics.xyz:8200 4 | export VAULT_TOKEN=AddYourVaultTokenHere 5 | 6 | #For Windows 7 | $env:VAULT_ADDR = "https://vault-1.globomantics.xyz:8200" 8 | $env:VAULT_TOKEN = "AddYourVaultTokenHere" 9 | $headers = @{ 10 | "X-Vault-Token" = $env:VAULT_TOKEN 11 | } 12 | 13 | #Configuring local file auditing 14 | 15 | #Create the directory that vault will write to 16 | sudo mkdir /var/log/vault 17 | sudo chown vault:vault /var/log/vault 18 | 19 | vault audit enable file file_path=/var/log/vault/vault_audit.log log_raw=true 20 | 21 | #Linux 22 | curl --header "X-Vault-Token: $VAULT_TOKEN" --request PUT \ 23 | --data @auditconfig.json $VAULT_ADDR/v1/sys/audit/file1 24 | 25 | #For Windows 26 | Invoke-WebRequest -Method Put -Uri $env:VAULT_ADDR/v1/sys/audit/file1 ` 27 | -UseBasicParsing -Headers $headers -Body (get-content auditconfig.json) 28 | 29 | #Add another path 30 | vault audit enable -path=file2 file file_path=/var/log/vault/vault_audit2.log 31 | 32 | #In Azure, install the OMS Agent from the portal 33 | #Go to the Advanced settings for the Log Analytics portal 34 | #Go to Data\Syslog settings 35 | 36 | #On vault server enable the syslog audit device to a facility 37 | vault audit enable syslog tag="vault" facility="LOCAL7" 38 | 39 | #Run the following query on Logs 40 | Syslog 41 | | where Facility == "local7" 42 | 43 | #Add some entries to the audit log 44 | vault secrets list 45 | vault kv put secret/audittest secret=mysecret 46 | vault kv get 
secret/audittest 47 | 48 | #View file contents 49 | sudo cat /var/log/vault/vault_audit.log | jq 50 | 51 | sudo tail -1 /var/log/vault/vault_audit2.log | jq 52 | 53 | sudo tail -1 /var/log/vault/vault_audit2.log | jq -r .response.data.secret 54 | 55 | curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \ 56 | --data '{"input": "mysecret"}' $VAULT_ADDR/v1/sys/audit-hash/file2 | jq -r .data.hash 57 | 58 | #Disable original path 59 | vault audit disable file 60 | 61 | #Linux 62 | curl --header "X-Vault-Token: $VAULT_TOKEN" --request DELETE \ 63 | $VAULT_ADDR/v1/sys/audit/file1 64 | 65 | #For Windows 66 | Invoke-WebRequest -Method Delete -Uri $env:VAULT_ADDR/v1/sys/audit/file1 ` 67 | -UseBasicParsing -Headers $headers 68 | 69 | 70 | 71 | -------------------------------------------------------------------------------- /m3/m3-mysqlengine.sh: -------------------------------------------------------------------------------- 1 | ################# Setting environment variables ###################### 2 | #Skip if you've already done this in the current session 3 | #Set env variable 4 | #For Linux/MacOS 5 | export VAULT_ADDR=http://127.0.0.1:8200 6 | #For Windows 7 | $env:VAULT_ADDR = "http://127.0.0.1:8200" 8 | 9 | ################# Enable database secrets engine ###################### 10 | #You are going to need an instance of MySQL running somewhere. I use 11 | #the Bitnami image on Azure, but you could do it locally instead. You 12 | #will need to open port 3306 on the remote instance to let Vault talk 13 | #to it properly 14 | 15 | #Enable the database secrets engine 16 | vault secrets enable database 17 | 18 | #Change to your public IP address if you're using a remote 19 | #MySQL instance 20 | 21 | #SSH into the MySQL instance and run the follow commands. 
22 | 23 | #Configure MySQL roles and permissions 24 | mysql -u root -p 25 | CREATE ROLE 'dev-role'; 26 | CREATE USER 'vault'@'' IDENTIFIED BY 'AsYcUdOP426i'; 27 | CREATE DATABASE devdb; 28 | GRANT ALL ON *.* TO 'vault'@''; 29 | GRANT GRANT OPTION ON devdb.* TO 'vault'@''; 30 | 31 | #Change to the IP address of the MySQL server 32 | #Configure the MySQL plugin 33 | vault write database/config/dev-mysql-database \ 34 | plugin_name=mysql-database-plugin \ 35 | connection_url="{{username}}:{{password}}@tcp(MY_SQL_IP:3306)/" \ 36 | allowed_roles="dev-role" \ 37 | username="vault" \ 38 | password="AsYcUdOP426i" 39 | 40 | #Configure a role to be used 41 | vault write database/roles/dev-role \ 42 | db_name=dev-mysql-database \ 43 | creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT ALL ON devdb.* TO '{{name}}'@'%';" \ 44 | default_ttl="1h" \ 45 | max_ttl="24h" 46 | 47 | #Generate credentials on the DB from the role 48 | vault read database/creds/dev-role 49 | 50 | #Validate that the user has been created on MySQL and that the proper 51 | #permissions have been applied 52 | SELECT User FROM mysql.user; 53 | SHOW GRANTS FOR 'username'; 54 | 55 | #Renew the lease 56 | vault lease renew -increment=3600 database/creds/dev-role/LEASE_ID 57 | 58 | vault lease renew -increment=96400 database/creds/dev-role/LEASE_ID 59 | 60 | #Revoke the lease 61 | vault lease revoke database/creds/dev-role/LEASE_ID 62 | 63 | -------------------------------------------------------------------------------- /m3/m3-secretengine.sh: -------------------------------------------------------------------------------- 1 | ####################### Adding a Secrets Engine ########################### 2 | #Enable a new secrets engine path 3 | vault secrets enable -path=dev-a kv 4 | 5 | #Linux 6 | curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \ 7 | --data @dev-b.json $VAULT_ADDR/v1/sys/mounts/dev-b 8 | #For Windows 9 | Invoke-WebRequest -Method Post -Uri 
$env:VAULT_ADDR/v1/sys/mounts/dev-b ` 10 | -UseBasicParsing -Headers $headers -Body (get-content dev-b.json) 11 | 12 | #View the secrets engine paths 13 | vault secrets list 14 | vault secrets list -format=json 15 | 16 | #Linux 17 | curl --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/sys/mounts 18 | 19 | #For Windows 20 | Invoke-WebRequest -Method Get -Uri $env:VAULT_ADDR/v1/sys/mounts ` 21 | -UseBasicParsing -Headers $headers 22 | 23 | #Add secrets to the new secrets engine path 24 | vault kv put dev-a/arthur love=trillian friend=ford 25 | vault kv get dev-a/arthur 26 | 27 | #Alternate command 28 | vault write dev-a/arthur enemy=zaphod 29 | vault read dev-a/arthur 30 | 31 | #Move the secrets engine path 32 | vault secrets move dev-a dev-a-moved 33 | 34 | #Linux 35 | curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \ 36 | --data @dev-b-moved.json $VAULT_ADDR/v1/sys/remount 37 | 38 | #For Windows 39 | Invoke-WebRequest -Method Post -Uri $env:VAULT_ADDR/v1/sys/remount ` 40 | -UseBasicParsing -Headers $headers -Body (get-content dev-b-moved.json) 41 | 42 | vault secrets list 43 | vault read dev-a-moved/arthur 44 | 45 | #Upgrade the secrets engine to v2 46 | vault kv enable-versioning dev-a-moved 47 | 48 | #Linux 49 | curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \ 50 | --data @dev-b-moved-v2.json $VAULT_ADDR/v1/sys/mounts/dev-b-moved/tune 51 | 52 | curl --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/sys/mounts/dev-b-moved/tune 53 | 54 | #For Windows 55 | Invoke-WebRequest -Method Post -Uri $env:VAULT_ADDR/v1/sys/mounts/dev-b-moved/tune ` 56 | -UseBasicParsing -Headers $headers -Body (get-content dev-b-moved-v2.json) 57 | 58 | Invoke-WebRequest -Method Get -Uri $env:VAULT_ADDR/v1/sys/mounts/dev-b-moved/tune ` 59 | -UseBasicParsing -Headers $headers 60 | 61 | #Create a new secrets engine on v2 62 | vault secrets enable -path=dev-c -version=2 kv 63 | 64 | #Disable the secrets engine 65 | vault secrets disable dev-a 66 | 67 | #Linux 68 
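#Tail of m3-secretengine.sh: remove the moved mount, then list what is left
curl --header "X-Vault-Token: $VAULT_TOKEN" --request DELETE \
    $VAULT_ADDR/v1/sys/mounts/dev-b-moved

#For Windows
Invoke-WebRequest -Method Delete -Uri $env:VAULT_ADDR/v1/sys/mounts/dev-b-moved `
    -UseBasicParsing -Headers $headers

vault secrets list -format=json



-------------------------------------------------------------------------------- /m2/m2-secrets.sh: --------------------------------------------------------------------------------
################# Installing Vault ##########################
#Demo script: each section has a CLI form plus the raw API form for Linux (curl) and Windows (Invoke-WebRequest).
#The Windows lines are PowerShell and assume $headers (defined below) carries the X-Vault-Token header.

#For Windows
$vaultVersion = "1.0.1"
Invoke-WebRequest -Uri https://releases.hashicorp.com/vault/$vaultVersion/vault_$($vaultVersion)_windows_amd64.zip -OutFile .\vault_$($vaultVersion)_windows_amd64.zip
Expand-Archive .\vault_$($vaultVersion)_windows_amd64.zip
cd .\vault_$($vaultVersion)_windows_amd64
#Copy vault executable to a location included in your path variable

#For Linux
VAULT_VERSION="1.0.1"
wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip

#Verify the archive against the checksum list published alongside the release before installing it
#(the binary is installed as root below, so a tampered download would run with full privileges)
wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS
sha256sum --check --ignore-missing vault_${VAULT_VERSION}_SHA256SUMS

#Install unzip if necessary
sudo apt install unzip -y
unzip vault_${VAULT_VERSION}_linux_amd64.zip
sudo chown root:root vault
sudo mv vault /usr/local/bin/

################# Starting the Dev server ######################

#Start the Dev server for vault
#Dev mode keeps storage in memory, starts unsealed and prints the root token; it is for local practice only
vault server -dev

#Set env variable
#The token lands in your environment and shell history here; `vault login` below stores it in the
#token helper (~/.vault-token by default) instead, which is the less leaky option outside a demo
#For Linux/MacOS
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=AddYourVaultTokenHere

#For Windows
$env:VAULT_ADDR = "http://127.0.0.1:8200"
$env:VAULT_TOKEN = "AddYourVaultTokenHere"
$headers = @{
    "X-Vault-Token" = $env:VAULT_TOKEN
}

#Log into the vault server
#Use the root token from the output
vault login

############## Basic Secret Commands for KV ######################

#Write a secret
vault kv put secret/hg2g answer=42
#For Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
    --data @marvin.json $VAULT_ADDR/v1/secret/data/marvin
#For Windows
Invoke-WebRequest -Method Post -Uri $env:VAULT_ADDR/v1/secret/data/marvin `
    -UseBasicParsing -Headers $headers -Body (get-content marvin.json)

#Get a secret
vault kv get secret/hg2g

#For Linux
#Install jq if necessary
sudo apt install jq -y
curl --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/secret/data/marvin | jq

#For Windows
Invoke-WebRequest -Method Get -Uri $env:VAULT_ADDR/v1/secret/data/marvin `
    -UseBasicParsing -Headers $headers

#Put a new secret in and a new value for an existing secret
vault kv put secret/hg2g answer=54 ford=prefect
vault kv get secret/hg2g

#Delete the secrets
vault kv delete secret/hg2g
vault kv get secret/hg2g

#For Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request DELETE $VAULT_ADDR/v1/secret/data/marvin

#For Windows
Invoke-WebRequest -Method Delete -Uri $env:VAULT_ADDR/v1/secret/data/marvin `
    -UseBasicParsing -Headers $headers



-------------------------------------------------------------------------------- /m4/m4-azuresecrets.sh: --------------------------------------------------------------------------------
# LINUX
az account show --subscription MAS

export AZURE_SUBSCRIPTION_ID=""
export AZURE_TENANT_ID=""

#Create a Service Principal and grant it the contributor role on the subscription
#(the command below assigns contributor, not owner; for login verification a narrower
#read-only role scoped to the bound resource group is normally enough)
az ad sp create-for-rbac --name http://vault-hugs --role contributor --scopes /subscriptions/SUB_ID

#Set the variables
export AZURE_CLIENT_ID=""
export AZURE_CLIENT_SECRET=""

#Now enable the Azure auth method
vault auth enable azure

#Configure the Azure auth method
#client_secret is passed on the command line here and will be visible in shell history
vault write auth/azure/config \
    tenant_id=$AZURE_TENANT_ID \
    resource=https://management.azure.com/ \
    client_id=$AZURE_CLIENT_ID \
    client_secret=$AZURE_CLIENT_SECRET

#Create a web kv store
vault secrets enable -path=webkv kv
vault kv put webkv/webpass password=hugs-for-all

#Create a web policy
vault policy write web webpol.hcl

#Create role
#Logins are only accepted from VMs in the bound subscription and resource group
vault write auth/azure/role/web-role \
    policies="web" \
    bound_subscription_ids=$AZURE_SUBSCRIPTION_ID \
    bound_resource_groups=HashiTalks

#On web server
sudo apt update
sudo apt install nginx jq -y
sudo ufw allow 'Nginx HTTP'
export VAULT_ADDR=https://vault.azslab.us:8200

#Read the VM's identity details from the Azure instance metadata service (link-local, no credentials)
metadata=$(curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01")

subscription_id=$(echo $metadata | jq -r .compute.subscriptionId)
vm_name=$(echo $metadata | jq -r .compute.name)
resource_group_name=$(echo $metadata | jq -r .compute.resourceGroupName)

#Obtain the managed identity access token that Vault will verify
response=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s)

jwt=$(echo $response | jq -r .access_token)

#NOTE(review): the repo tree lists m4/auth_data.json, not auth_payload.json; confirm which file holds the placeholders
cp auth_payload.json auth_payload_complete.json

#The completed payload contains a live bearer token; remove it once the login below has succeeded
sed -i "s/ROLE_NAME_STRING/web-role/g" auth_payload_complete.json
sed -i "s/JWT_STRING/$jwt/g" auth_payload_complete.json
sed -i "s/SUBSCRIPTION_ID_STRING/$subscription_id/g" auth_payload_complete.json
sed -i "s/RESOURCE_GROUP_NAME_STRING/$resource_group_name/g" auth_payload_complete.json
sed -i "s/VM_NAME_STRING/$vm_name/g" auth_payload_complete.json

login=$(curl --request POST --data @auth_payload_complete.json $VAULT_ADDR/v1/auth/azure/login)

export VAULT_TOKEN=$(echo $login | jq -r .auth.client_token)

webpass=$(curl --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/webkv/webpass | jq -r .data.password)

#Publish the fetched secret on the (unauthenticated) default page purely as proof that the login worked
#NOTE(review): the heredoc operator was reconstructed from the EOM terminator; the HTML markup that
#originally wrapped this text was lost in extraction and only the visible text survives
cat <<EOM > ~/index.html
Welcome to HashiTalks!
The secret passphrase is: $webpass
EOM

sudo cp ~/index.html /var/www/html/index.html
sudo systemctl restart nginx
-------------------------------------------------------------------------------- /m4/m4-basicauth.sh: --------------------------------------------------------------------------------
################# Starting the Dev server ######################
## Skip this part if you've already done module 3 and left the
## Dev server running

#Start the Dev server for vault
vault server -dev

#Set env variable
#For Linux/MacOS
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=AddYourVaultTokenHere

#For Windows
$env:VAULT_ADDR = "http://127.0.0.1:8200"
$env:VAULT_TOKEN = "AddYourVaultTokenHere"
$headers = @{
    "X-Vault-Token" = $env:VAULT_TOKEN
}

#Log into the vault server
#Use the root token from the output
vault login

#List the current auth methods
vault auth list

#Enable userpass auth method
vault auth enable userpass

#Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
    --data '{"type": "userpass"}' $VAULT_ADDR/v1/sys/auth/userpass

#For Windows
Invoke-WebRequest -Method Post -Uri $env:VAULT_ADDR/v1/sys/auth/userpass `
    -UseBasicParsing -Headers $headers -Body '{"type": "userpass"}'

#Explore the userpass auth method
vault path-help auth/userpass

#Add a user to the userpass auth method
#Passwords given as CLI arguments or inline JSON end up in shell history; ford.json shows the file-based alternative
vault write auth/userpass/users/arthur password=dent

#Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
    --data @ford.json $VAULT_ADDR/v1/auth/userpass/users/ford

#For Windows
Invoke-WebRequest -Method Post -Uri $env:VAULT_ADDR/v1/auth/userpass/users/ford `
    -UseBasicParsing -Headers $headers -Body (get-content ford.json)

vault list auth/userpass/users

#Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request LIST \
    $VAULT_ADDR/v1/auth/userpass/users

#For Windows
#Invoke-WebRequest -Method only accepts the standard HTTP verbs, so LIST is expressed as GET with ?list=true
Invoke-WebRequest -Method Get -Uri "$env:VAULT_ADDR/v1/auth/userpass/users?list=true" `
    -UseBasicParsing -Headers $headers

#Start a second session
vault login -method=userpass username=arthur

vault token lookup

#Linux
#The login endpoint itself is unauthenticated; the token header is not needed for this call
curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
    --data '{"username": "ford", "password": "prefect"}' $VAULT_ADDR/v1/auth/userpass/login/ford

#For Windows
Invoke-WebRequest -Method Post -Uri $env:VAULT_ADDR/v1/auth/userpass/login/ford `
    -UseBasicParsing -Headers $headers -Body '{"username": "ford", "password": "prefect"}'

#Reset password
vault write auth/userpass/users/arthur/password password=tricia

#Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
    --data '{"password": "zaphod"}' $VAULT_ADDR/v1/auth/userpass/users/ford/password

#For Windows
#Target the .../password sub-path, matching the CLI and curl forms above (previously posted to users/ford)
Invoke-WebRequest -Method Post -Uri $env:VAULT_ADDR/v1/auth/userpass/users/ford/password `
    -UseBasicParsing -Headers $headers -Body '{"password": "zaphod"}'

#Remove account
vault delete auth/userpass/users/arthur

#Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request DELETE \
    $VAULT_ADDR/v1/auth/userpass/users/ford

#For Windows
Invoke-WebRequest -Method Delete -Uri $env:VAULT_ADDR/v1/auth/userpass/users/ford `
    -UseBasicParsing -Headers $headers

-------------------------------------------------------------------------------- /m3/m3-secretslifecycle.sh: --------------------------------------------------------------------------------
################# Starting the Dev server ######################
## Skip this part if you've already done module 2 and left the
## Dev server running

#Start the Dev server for vault
vault server -dev

#Set env variable
#For Linux/MacOS
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=AddYourVaultTokenHere

#For Windows
$env:VAULT_ADDR = "http://127.0.0.1:8200"
$env:VAULT_TOKEN = "AddYourVaultTokenHere"
$headers = @{
    "X-Vault-Token" = $env:VAULT_TOKEN
}

#Log into the vault server
#Use the root token from the output
vault login

############## Advanced Secret Commands for KV ####################
#The secret/ mount used here is KV version 2 (versioned), which is what the
#data/, undelete/, destroy/ and metadata/ API prefixes below refer to

#Write a secret
vault kv put secret/hg2g answer=42
#Put a new secret in and a new value for an existing secret
vault kv put secret/hg2g answer=54 ford=prefect

#Get it in JSON
vault kv get -format=json secret/hg2g

#Parse the output using jq
vault kv get -format=json secret/hg2g | jq -r .data.data.answer

#Get all the secrets in the path
vault kv get secret/hg2g

#Get all the version 1 secrets and version 2
vault kv get -version=1 secret/hg2g
vault kv get -version=2 secret/hg2g

#For Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/secret/data/hg2g?version=1 | jq .data.data

#For Windows
Invoke-WebRequest -Method Get -Uri $env:VAULT_ADDR/v1/secret/data/hg2g?version=1 `
    -UseBasicParsing -Headers $headers

#Delete a secret (soft delete: the version is hidden but recoverable with undelete)
vault kv delete secret/hg2g
vault kv get secret/hg2g

#For Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request DELETE \
    $VAULT_ADDR/v1/secret/data/hg2g

#For Windows
Invoke-WebRequest -Method Delete -Uri $env:VAULT_ADDR/v1/secret/data/hg2g `
    -UseBasicParsing -Headers $headers

vault kv get -version=1 secret/hg2g

#Undelete a secret
vault kv undelete -versions=2 secret/hg2g

#For Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
    $VAULT_ADDR/v1/secret/undelete/hg2g --data '{"versions": [2]}'

#For Windows
Invoke-WebRequest -Method Post -Uri $env:VAULT_ADDR/v1/secret/undelete/hg2g `
    -UseBasicParsing -Headers $headers -Body '{"versions": [2]}'

vault kv get secret/hg2g

#Destroy the secrets (irreversible: the version data is gone, only metadata remains)
vault kv destroy -versions=1,2 secret/hg2g
vault kv get secret/hg2g

#For Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
    $VAULT_ADDR/v1/secret/destroy/hg2g --data '{"versions": [1,2]}'

#For Windows
Invoke-WebRequest -Method Post -Uri $env:VAULT_ADDR/v1/secret/destroy/hg2g `
    -UseBasicParsing -Headers $headers -Body '{"versions": [1,2]}'

#Remove all data about secrets (metadata and every version)
vault kv metadata delete secret/hg2g
vault kv get secret/hg2g

#For Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request DELETE \
    $VAULT_ADDR/v1/secret/metadata/hg2g

#For Windows
Invoke-WebRequest -Method Delete -Uri $env:VAULT_ADDR/v1/secret/metadata/hg2g `
    -UseBasicParsing -Headers $headers
-------------------------------------------------------------------------------- /m4/m4-activedirectory.sh: --------------------------------------------------------------------------------
#Export the Vault server running in AD environment
export VAULT_ADDR=https://vault.globomantics.xyz:8200
export VAULT_TOKEN=AddYourVaultTokenHere

#For Windows
$env:VAULT_ADDR = "https://vault.globomantics.xyz:8200"
$env:VAULT_TOKEN = "AddYourVaultTokenHere"
$headers = @{
    "X-Vault-Token" = $env:VAULT_TOKEN
}

#Log into Vault server
vault login

#Create a new secrets engine kv path for devs
vault secrets enable -path=devkv kv
vault kv put devkv/alldevs answer=42

#Create a new policy for devs
vault policy write dev devpol.hcl

#Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request PUT \
    --data @devpol.json $VAULT_ADDR/v1/sys/policies/acl/dev-clone

#For Windows
Invoke-WebRequest -Method Put -Uri $env:VAULT_ADDR/v1/sys/policies/acl/dev-clone `
    -UseBasicParsing -Headers $headers -Body (get-content devpol.json)

#List vault policies
vault policy list

#Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" \
    $VAULT_ADDR/v1/sys/policy

#For Windows
Invoke-WebRequest -Method Get -Uri $env:VAULT_ADDR/v1/sys/policy `
    -UseBasicParsing -Headers $headers

#Put a secret that devs can't get
vault kv put secret/nodevs mchammer=canttouchthis

#Enable the LDAP auth method
vault auth enable ldap

#Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
    --data '{"type": "ldap"}' $VAULT_ADDR/v1/sys/auth/ldap

#For Windows
Invoke-WebRequest -Method Post -Uri $env:VAULT_ADDR/v1/sys/auth/ldap `
    -UseBasicParsing -Headers $headers -Body '{"type": "ldap"}'

#Configure LDAP against the domain controller
#bindpass is a real credential on the command line; the ldap-config.json form below keeps it out of
#shell history, but that file then needs the same protection as the password itself
#The groupfilter uses the AD matching-rule-in-chain OID so nested group membership is resolved
#certificate=@... pins the DC's CA and insecure_tls=false keeps certificate verification on
#NOTE(review): starttls applies to a plain ldap:// connection; with an ldaps:// URL on 636 it is likely redundant - confirm
vault write auth/ldap/config \
    url="ldaps://adDC-0.globomantics.xyz:636" \
    userattr="sAMAccountName" \
    userdn="ou=Globo Users,dc=globomantics,dc=xyz" \
    groupdn="ou=Globo Groups,dc=globomantics,dc=xyz" \
    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
    binddn="cn=vault-ldap,cn=Users,dc=globomantics,dc=xyz" \
    bindpass='VerySecurePassword@123' \
    groupattr="memberOf" \
    certificate=@globomantics-adDC-0.pem \
    insecure_tls=false \
    starttls=true

#Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
    --data @ldap-config.json $VAULT_ADDR/v1/auth/ldap/config

#For Windows
Invoke-WebRequest -Method Post -Uri $env:VAULT_ADDR/v1/auth/ldap/config `
    -UseBasicParsing -Headers $headers -Body (Get-Content ldap-config.json)

#Map the AD "developers" group to the dev policy
vault write auth/ldap/groups/developers policies=dev

#Start a second session
vault login -method=ldap username=adent

#Put a new secret in devkv and read the existing one
vault kv put devkv/arthur ford=friend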
#Tail of m4-activedirectory.sh: exercise the dev policy as the LDAP user
vault kv get devkv/arthur
vault kv get devkv/alldevs

#Put a new secret in the devkv appId path
vault kv put devkv/appId-123 api-key=123 toast=good
vault kv put devkv/appId-123 api-key=123 environment=toast
vault kv put devkv/appId-123 api-key=123 environment=qa description="secret for appId 123"

#Can't write to secret kv in general (expected to be denied by the dev policy)
vault kv put secret/arthur dolphins=solong
#Try to read a secret outside the devkv path (expected to be denied)
vault kv get secret/nodevs

#Get Arthur's entity ID
#The path below embeds a sample entity ID from the demo environment; substitute the one from token lookup
vault token lookup
vault kv put secret/b91442f7-ccaa-da11-52d7-b646a2e268fc/friends best=ford

#Try to enumerate the secrets engines (a good check that the dev policy does not grant sys/mounts)
vault secrets list

-------------------------------------------------------------------------------- /m5/m5-serveroperations.sh: --------------------------------------------------------------------------------
#Server operations for a non-dev Vault: init, unseal, key rotation, rekey, root token regeneration, seal
#The placeholders SHARE_KEY, NONCE, OTP_TOKEN, DECODE_TOKEN, ROOT_TOKEN and OLD_TOKEN are filled from command output
#Set env variable
#For Linux/MacOS
export VAULT_ADDR=https://vault-1.globomantics.xyz:8200
export VAULT_TOKEN=AddYourVaultTokenHere

#For Windows
$env:VAULT_ADDR = "https://vault-1.globomantics.xyz:8200"
$env:VAULT_TOKEN = "AddYourVaultTokenHere"
$headers = @{
    "X-Vault-Token" = $env:VAULT_TOKEN
}

#Initialize the new vault server
#init prints the unseal shares and the initial root token exactly once; distribute the shares to separate holders
vault operator init -status
vault operator init

#Check status
vault status

#Unseal vault server
#The CLI prompts for the share so it stays out of shell history; the API forms below put it on the command line
vault operator unseal

#Linux
#Unseal needs no token, which is why these two calls carry no X-Vault-Token header
curl --request PUT \
    --data '{"key": "SHARE_KEY"}' $VAULT_ADDR/v1/sys/unseal | jq

#For Windows
Invoke-WebRequest -Method Put -Uri $env:VAULT_ADDR/v1/sys/unseal `
    -UseBasicParsing -Body '{"key": "SHARE_KEY"}'

#login into vault server
vault login

#Rotate the encryption key (the data key used on the storage backend; unseal shares are unaffected)
vault operator key-status
vault operator rotate

#Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request PUT \
    $VAULT_ADDR/v1/sys/rotate

#For Windows
Invoke-WebRequest -Method Put -Uri $env:VAULT_ADDR/v1/sys/rotate `
    -UseBasicParsing -Headers $headers

#Rekey the vault seal (generates a new set of unseal shares; needs a threshold of current shares)
#NOTE(review): the CLI form asks for 3 shares / threshold 2 while the API forms ask for 5 / 2 - the two are not equivalent
vault operator rekey -init -key-shares=3 -key-threshold=2

#Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request PUT \
    --data '{"secret_shares": 5, "secret_threshold": 2}' $VAULT_ADDR/v1/sys/rekey/init | jq

#For Windows
Invoke-WebRequest -Method Put -Uri $env:VAULT_ADDR/v1/sys/rekey/init `
    -UseBasicParsing -Headers $headers -Body '{"secret_shares": 5, "secret_threshold": 2}'

vault operator rekey -status
vault operator rekey

#Linux
#The nonce returned by rekey/init ties each submitted share to this rekey attempt
curl --header "X-Vault-Token: $VAULT_TOKEN" --request PUT \
    --data '{"key": "SHARE_KEY", "nonce": "NONCE"}' $VAULT_ADDR/v1/sys/rekey/update | jq

#For Windows
Invoke-WebRequest -Method Put -Uri $env:VAULT_ADDR/v1/sys/rekey/update `
    -UseBasicParsing -Headers $headers -Body '{"key": "SHARE_KEY", "nonce": "NONCE"}'

#Generate a new root token (requires a threshold of unseal shares plus a one-time password)
vault operator generate-root -generate-otp

#Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request PUT \
    $VAULT_ADDR/v1/sys/generate-root/attempt | jq

#For Windows
Invoke-WebRequest -Method Put -Uri $env:VAULT_ADDR/v1/sys/generate-root/attempt `
    -UseBasicParsing -Headers $headers

vault operator generate-root -init -otp="OTP_TOKEN"
vault operator generate-root

#Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request PUT \
    --data '{"key": "SHARE_KEY", "nonce": "NONCE"}' $VAULT_ADDR/v1/sys/generate-root/update | jq

#For Windows
Invoke-WebRequest -Method Put -Uri $env:VAULT_ADDR/v1/sys/generate-root/update `
    -UseBasicParsing -Headers $headers -Body '{"key": "SHARE_KEY", "nonce": "NONCE"}'

#The encoded token is only usable by whoever holds the OTP, so the two halves can travel separately
vault operator generate-root -decode="DECODE_TOKEN" -otp="OTP_TOKEN"

#No equivalent operation in API, need to decode base64 string and XOR with OTP

#Login with new root token
vault login

#Revoke the old root token (root tokens should not be left lying around after the operation that needed them)
vault token revoke ROOT_TOKEN

#Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
    --data '{"token": "OLD_TOKEN"}' $VAULT_ADDR/v1/auth/token/revoke

#For Windows
Invoke-WebRequest -Method Post -Uri $env:VAULT_ADDR/v1/auth/token/revoke `
    -UseBasicParsing -Headers $headers -Body '{"token": "OLD_TOKEN"}'

#Seal the vault for maintenance (all secrets become unavailable until enough shares are presented again)
vault operator seal

#Linux
curl --header "X-Vault-Token: $VAULT_TOKEN" --request PUT \
    $VAULT_ADDR/v1/sys/seal

#For Windows
Invoke-WebRequest -Method Put -Uri $env:VAULT_ADDR/v1/sys/seal `
    -UseBasicParsing -Headers $headers

vault status

--------------------------------------------------------------------------------