I am running a HashiCorp Vault server, which is very useful for providing secrets and other sensitive information to application servers.
Secrets are stored as JSON objects in the secret, and the application retrieves them and parses them as JSON objects.
The problem I am facing is that I cannot update a single value in the secrets file. Can anyone tell me how to update a single value in a secrets file in JSON format?
Below is a sample secrets file that we have:
```json
{
  "data": {
    "cloud.aws.credentials.accessKey": "AWS_KEY",
    "cloud.aws.credentials.secretKey": "akjdfhadsFADSFadsfadksbfadsfADSF123123",
    "cloud.aws.region.static": "AWS_REGION",
    "app.base.url": "http://app.env.abc:8080",
    "app.password": "ThisIsASamplePassword",
    "app.base.url": "http://localhost:7070/applicationname",
    "app.user.name": "this.is.a.sample"
  }
}
```
We are using many AWS access keys, and our security policy is to rotate the keys every 60 days.
Before Vault, we used bash scripts and AWS CLI commands for the rotation, but I cannot find a way to do this in Vault.
Retrieving the values with the `vault kv get` command, I get:
```
====== Metadata ======
Key              Value
---              -----
created_time     2019-05-08T08:29:59.3579731Z
deletion_time    n/a
destroyed        false
version          2

==== Data ====
Key     Value
---     -----
data    map[cloud.aws.credentials.accessKey:AWS_KEY cloud.aws.credentials.secretKey:akjdfhadsFADSFadsfadksbfadsfADSF123123 cloud.aws.region.static:AWS_REGION app.base.url:http://localhost:7070/applicationname app.password:ThisIsASamplePassword app.user.name:this.is.a.sample]
```
I have tried the `patch` command, but it only overwrites the whole value or creates a new key/value:
```
Key              Value
---              -----
created_time     2019-05-08T08:33:57.5164447Z
deletion_time    n/a
destroyed        false
version          3

[ansible@ntt00app32 tmp]$ vault kv get secret/cms-service,devint
====== Metadata ======
Key              Value
---              -----
created_time     2019-05-08T08:33:57.5164447Z
deletion_time    n/a
destroyed        false
version          3

================= Data =================
Key                                Value
---                                -----
cloud.aws.credentials.accessKey    TEST_KEY
data                               map[cloud.aws.region.static:AWS_REGION app.base.url:http://localhost:7070/applicationname app.password:ThisIsASamplePassword app.user.name:this.is.a.sample cloud.aws.credentials.accessKey:AWS_KEY cloud.aws.credentials.secretKey:akjdfhadsFADSFadsfadksbfadsfADSF123123]
```
any help in doing this will be much appreciated.
Answer 0 (score: 0)
Answering my own question. Using cURL, jq and a bit of bash scripting, it is easy to update a single value in HashiCorp Vault where secrets are stored as JSON objects.
The raw script is pasted below; it can be modified to your requirements:
```bash
#!/bin/bash
set -euo pipefail

TOKEN="<TOKEN>"
VAULT_ADDR="http://127.0.0.1:8200"
VALUE_ONE="This"
VALUE_TWO="That"

# Retrieving the secret (KV v2 read: GET /v1/<mount>/data/<path>)
object=$(curl -sf --header "X-Vault-Token: $TOKEN" "$VAULT_ADDR/v1/secret/data/appname")

# Retrieving the block that we are interested in: the key/value pairs plus the version metadata
new_object=$(echo "$object" | jq '.data')

# Replacing the first value (--arg passes the value as a proper JSON string, no shell quoting tricks)
replace_VALUE_ONE=$(echo "$new_object" | jq --arg v "$VALUE_ONE" '.data."value.one" = $v')

# Replacing the second value
final=$(echo "$replace_VALUE_ONE" | jq --arg v "$VALUE_TWO" '.data."value.two" = $v')

# Updating the Vault: write back only the key/value pairs, pinned with check-and-set
# to the version we read, so a concurrent write to the same secret is not silently overwritten
payload=$(echo "$final" | jq '{data: .data, options: {cas: .metadata.version}}')
curl -sf --header "X-Vault-Token: $TOKEN" --request POST --data "$payload" "$VAULT_ADDR/v1/secret/data/appname"

# Retrieving the secret again
curl -sf --header "X-Vault-Token: $TOKEN" "$VAULT_ADDR/v1/secret/data/appname"
```
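As an added example (not part of the question or the answer above), here is the same read-modify-write in Python using only the standard library, written for the layout shown in the question, where the key/value pairs sit under a `data` key inside the KV v2 data block. It pins the write to the version it read with check-and-set (`cas`) so a concurrent rotation is not silently overwritten, and it refuses to create keys that do not already exist. The Vault address, token, and `SAMPLE_READ_RESPONSE` are constructed assumptions.

```python
import json
import urllib.request

# Constructed sample of what GET /v1/secret/data/<path> returns for the question's
# secret: the pairs sit one level deeper, under a "data" key inside the KV v2 "data"
# block, because the secret was written as {"data": {...}}.
SAMPLE_READ_RESPONSE = {
    "data": {
        "data": {
            "data": {
                "cloud.aws.credentials.accessKey": "AWS_KEY",
                "cloud.aws.credentials.secretKey": "akjdfhadsFADSFadsfadksbfadsfADSF123123",
                "cloud.aws.region.static": "AWS_REGION",
            }
        },
        "metadata": {"version": 2},
    }
}


def build_write_body(read_response, key_path, new_value):
    """Build the KV v2 write payload: copy the current pairs, set exactly one key and
    pin the write to the version that was read. key_path is a list of keys (not a
    dotted string) because the question's keys themselves contain dots."""
    secret = json.loads(json.dumps(read_response["data"]["data"]))  # deep copy
    node = secret
    for key in key_path[:-1]:
        node = node[key]  # KeyError if an intermediate object is missing
    if key_path[-1] not in node:
        raise KeyError(key_path[-1])  # never create a new key by accident
    node[key_path[-1]] = new_value
    version = read_response["data"]["metadata"]["version"]
    return {"data": secret, "options": {"cas": version}}


def update_single_value(addr, token, mount, secret_path, key_path, new_value):
    """GET the secret, patch one key, POST it back as a new version; returns that version."""
    url = f"{addr}/v1/{mount}/data/{secret_path}"
    headers = {"X-Vault-Token": token}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        current = json.load(resp)
    body = json.dumps(build_write_body(current, key_path, new_value)).encode()
    headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:  # Vault rejects the write if cas is stale
        return json.load(resp)["data"]["version"]
```

Rotating the access key in the question's secret would be `update_single_value("http://127.0.0.1:8200", "<TOKEN>", "secret", "cms-service,devint", ["data", "cloud.aws.credentials.accessKey"], "NEW_KEY")`.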