I have set up a Hashicorp Vault docker container, but I can't seem to retrieve database credentials when using a generated token instead of the root token.
error occurred: permission denied
Steps to reproduce:
I created the latest container, obtained the root token and authenticated with it.
Ran the following commands:
export VAULT_ADDR='http://127.0.0.1:8200'
vault secrets enable database
vault auth enable approle
vault write sys/policy/test policy='
path "database/roles/" { capabilities = ["create", "read", "update", "delete", "list"] }
path "auth/approle/login" { capabilities = ["create", "read"] }
path "database/creds/" { capabilities = ["create", "read", "update", "delete", "list"] }
path "secret/dbcreds" { capabilities = ["create", "update", "read"] }
path "sys/mounts/" { capabilities = ["create", "read", "update", "delete", "list"] }
path "database/" { capabilities = ["create", "read", "update", "delete", "list"] }'
vault write database/config/mssql plugin_name="mssql-database-plugin" root_rotation_statements="ALTER LOGIN [{{username}}] WITH PASSWORD = '{{password}}'" connection_url="sqlserver://{{username}}:{{password}}@sql:1433" allowed_roles="*,test" username="***MY_USER***" password="***MY_PASS***"
vault write database/roles/Tenant_1 db_name=mssql creation_statements="CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';USE [Tenant_1];CREATE USER [{{name}}] FOR LOGIN [{{name}}];ALTER ROLE [db_owner] ADD MEMBER [{{name}}];" default_ttl="1h" max_ttl="24h"
vault write auth/approle/role/test secret_id_ttl=0 token_num_uses=0 token_ttl=20m token_max_ttl=30m secret_id_num_uses=0 policies="default, test"
vault read auth/approle/role/test/role-id
vault write -f auth/approle/role/test/secret-id
vault write auth/approle/login role_id=***role_id*** secret_id=***secret_id***
vault secrets enable -version=2 kv
I also tried replacing 'vault write' with 'vault kv put', and all commands succeeded.
So I call GET http://127.0.0.1:8200/v1/database/creds/Tenant_1 with the header:
X-Vault-Token
**Root-Token**
It works.
If I call POST http://127.0.0.1:8200/v1/auth/approle/login with a valid role/secret id, I successfully get a token. But if I try to use this token in the GET call instead of the root one, I get permission denied.
In the policy configuration, I feel that /database/creds is part of the policy.
If I do a token lookup on the generated token:
Key Value
--- -----
accessor PNe8WQiXnZvlFNEJekXO2es4
creation_time 1555517775
creation_ttl 20m
display_name approle
entity_id acc7558b-02b1-328d-4705-74f00ab9524b
expire_time 2019-04-17T16:36:15.6815637Z
explicit_max_ttl 0s
id s.iGkfsCUS6JX58SiDl8pfFN2K
issue_time 2019-04-17T16:16:15.6815627Z
meta map[role_name:test]
num_uses 0
orphan true
path auth/approle/login
policies [default test]
renewable true
ttl 16m35s
type service
Looks good to me!!
Any ideas?
Answer 0: (score: 1)
Well, this wasted several hours, but here is the solution for anyone else having a similar problem.
My policy was missing /* all along, so even though the token was valid, it had no permission to access those credentials.
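To show why the answer's missing `/*` matters, here is a small Python model of Vault's policy path matching (an added example, not code from the question, the answer or Vault itself). The two policy dictionaries are constructed from the question's policy before and after the fix; the matching rules follow Vault's documented behaviour in outline (exact match by default, trailing `*` as a prefix glob, `+` as a single-segment wildcard, most specific rule wins, no rule means deny) and the names `BROKEN_POLICY`, `FIXED_POLICY`, `path_matches` and `allowed` are assumptions of this example.

```python
import re

# Constructed from the policy in the question: no trailing "*", so each
# entry is an exact-match rule for the literal path "database/creds/" etc.
BROKEN_POLICY = {
    "database/roles/": ["create", "read", "update", "delete", "list"],
    "auth/approle/login": ["create", "read"],
    "database/creds/": ["create", "read", "update", "delete", "list"],
}

# The fix from the answer: "/*" turns each prefix into a glob rule.
FIXED_POLICY = {
    "database/roles/*": ["create", "read", "update", "delete", "list"],
    "auth/approle/login": ["create", "read"],
    "database/creds/*": ["create", "read", "update", "delete", "list"],
}


def path_matches(pattern: str, path: str) -> bool:
    """Vault-style path matching: a trailing '*' is a prefix glob, '+' matches
    exactly one path segment, anything else must equal the request path."""
    regex = re.escape(pattern)
    if regex.endswith(r"\*"):
        regex = regex[:-2] + ".*"
    regex = regex.replace(r"\+", "[^/]+")
    return re.fullmatch(regex, path) is not None


def allowed(policy: dict, path: str, capability: str) -> bool:
    """Simplified Vault ACL decision: no matching rule is an implicit deny;
    among matching rules the most specific wins (an exact rule beats a glob,
    a longer glob beats a shorter one); an explicit 'deny' overrides the rest."""
    matches = [p for p in policy if path_matches(p, path)]
    if not matches:
        return False
    best = max(matches, key=lambda p: (not p.endswith("*"), len(p)))
    caps = policy[best]
    return "deny" not in caps and capability in caps


if __name__ == "__main__":
    req = "database/creds/Tenant_1"
    print("broken policy:", allowed(BROKEN_POLICY, req, "read"))  # False: permission denied
    print("fixed policy: ", allowed(FIXED_POLICY, req, "read"))   # True
```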