Vault — Commands & Recipes
Setup & Init
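# Dev mode (testing only!): in-memory storage, starts unsealed, root token printed to stdout
vault server -dev
# Production init: 5 unseal key shares, any 3 of which reconstruct the unseal key
vault operator init -key-shares=5 -key-threshold=3
# Unseal (3 of 5 keys). Run WITHOUT an argument: the CLI prompts for the share, so it
# is not written to shell history or visible in `ps` (each share holder enters their own).
vault operator unseal
vault operator unseal
vault operator unseal
# Login
export VAULT_ADDR="https://vault.example.com:8200"
# Omit the token so it is prompted for with hidden input instead of being passed on argv.
# The initial root token is for bootstrapping only — revoke it once real auth methods exist.
vault login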
KV Secrets
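# Enable KV v2 (versioned key/value store) mounted at "secret/"
vault secrets enable -path=secret kv-v2
# Write secret. A value of "-" is read from stdin (type it, then Ctrl-D, or pipe it in from
# a secret store; "@file" reads a file) so the password never appears on the command line,
# in shell history or in `ps`. Note that a trailing newline becomes part of the value.
vault kv put secret/myapp/db username="admin" password=-
# Read secret (whole version, with metadata)
vault kv get secret/myapp/db
# Read one field only — prints the raw value to stdout, so be careful where it goes
vault kv get -field=password secret/myapp/db
# List secrets (keys under the prefix, not their values)
vault kv list secret/myapp/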
Dynamic Database Secrets
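# Enable database engine
vault secrets enable database
# Configure PostgreSQL. Vault substitutes {{username}}/{{password}} from the fields below.
# sslmode=require keeps the Vault->DB connection (and every generated credential sent over
# it) off the wire in cleartext; prefer verify-full where Vault can validate the server cert.
vault write database/config/mydb \
  plugin_name=postgresql-database-plugin \
  allowed_roles="readonly" \
  connection_url="postgresql://{{username}}:{{password}}@db:5432/mydb?sslmode=require" \
  username="vault_admin" \
  password="vault_pass"
# Hand the admin password over to Vault: it generates a new one, so the value typed above
# (now in shell history) stops working and only Vault knows the live credential.
vault write -f database/rotate-root/mydb
# Create role (dynamic creds with 1h TTL; leases can be renewed up to max_ttl)
vault write database/roles/readonly \
  db_name=mydb \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"
# Get dynamic credentials (a new user every time!) — each read is a separate lease that
# Vault revokes when it expires
vault read database/creds/readonly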
Kubernetes Auth
# Enable K8s auth: pods log in with their service-account token
vault auth enable kubernetes
# Configure: the API server the auth method calls to validate presented tokens
vault write auth/kubernetes/config \
  kubernetes_host="https://kubernetes.default.svc"
# Create role for app: only this service account, in this namespace, may log in,
# and the token it receives carries myapp-policy and lasts 1h (avoid "*" bindings)
vault write auth/kubernetes/role/myapp \
  bound_service_account_names="myapp" \
  bound_service_account_namespaces="default" \
  policies="myapp-policy" \
  ttl="1h"
Transit (Encryption-as-a-Service)
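# Enable Transit
vault secrets enable transit
# Create encryption key (-f: write with no payload; key material stays inside Vault and is
# not exportable unless created with exportable=true)
vault write -f transit/keys/mykey
# Encrypt data. Transit expects base64 plaintext: printf replaces the non-portable `echo -n`,
# and quoting the substitution stops a wrapped base64 line from being word-split into
# extra arguments (GNU base64 wraps at 76 chars; add -w0 for longer inputs).
vault write transit/encrypt/mykey plaintext="$(printf '%s' 'secret data' | base64)"
# Decrypt data: the returned plaintext is base64 as well, so select the field and decode it
vault write -field=plaintext transit/decrypt/mykey ciphertext="vault:v1:..." | base64 -d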
Sources