Updating a single value in HashiCorp Vault

Time: 2019-05-07 14:51:33

Tags: json curl hashicorp-vault

I am running a HashiCorp Vault server, which is very useful for providing secrets and other sensitive information to application servers.

Secrets are stored as JSON objects in the secrets engine; the application retrieves them and parses them as JSON objects.

The problem I am facing is that I cannot update a single value in the secrets file. Can anyone tell me how to update a single value in a JSON-formatted secrets file?

Below is a sample secrets file that we have:

```json
{
  "data": {
    "cloud.aws.credentials.accessKey": "AWS_KEY",
    "cloud.aws.credentials.secretKey": "akjdfhadsFADSFadsfadksbfadsfADSF123123",
    "cloud.aws.region.static": "AWS_REGION",
    "app.base.url": "http://app.env.abc:8080",
    "app.password": "ThisIsASamplePassword",
    "app.base.url": "http://localhost:7070/applicationname",
    "app.user.name": "this.is.a.sample"
  }
}
```

We are using many AWS access keys, and our security policy is to rotate the keys every 60 days.

Before Vault, we used a bash script and AWS CLI commands for the rotation, but I cannot find a way to do this in Vault.

Retrieving the value with the vault kv get command, I get:

```text
====== Metadata ======
Key              Value
---              -----
created_time     2019-05-08T08:29:59.3579731Z
deletion_time    n/a
destroyed        false
version          2

==== Data ====
Key     Value
---     -----
data    map[cloud.aws.credentials.accessKey:AWS_KEY cloud.aws.credentials.secretKey:akjdfhadsFADSFadsfadksbfadsfADSF123123 cloud.aws.region.static:AWS_REGION app.base.url:http://localhost:7070/applicationname app.password:ThisIsASamplePassword app.user.name:this.is.a.sample]
```

I have already tried the patch command, but it only overwrites the whole value or creates a new key/value pair:

```text
Key              Value
---              -----
created_time     2019-05-08T08:33:57.5164447Z
deletion_time    n/a
destroyed        false
version          3
[ansible@ntt00app32 tmp]$ vault kv get secret/cms-service,devint
====== Metadata ======
Key              Value
---              -----
created_time     2019-05-08T08:33:57.5164447Z
deletion_time    n/a
destroyed        false
version          3

================= Data =================
Key                                Value
---                                -----
cloud.aws.credentials.accessKey    TEST_KEY
data                               map[cloud.aws.region.static:AWS_REGION app.base.url:http://localhost:7070/applicationname app.password:ThisIsASamplePassword app.user.name:this.is.a.sample cloud.aws.credentials.accessKey:AWS_KEY cloud.aws.credentials.secretKey:akjdfhadsFADSFadsfadksbfadsfADSF123123]
```

Any help in doing this will be much appreciated.

1 answer:

Answer 0 (score: 0)

Answering my own question. Using cURL, jq and a bit of bash scripting, it is easy to update a single value in a HashiCorp Vault secret that is stored as a JSON object.

The raw script is pasted below; it can be modified to your requirements.

```bash
#!/bin/bash
set -euo pipefail

TOKEN="<TOKEN>"
VALUE_ONE="This"
VALUE_TWO="That"

# Retrieving the secret (KV v2 read: the stored object is under .data.data, its metadata under .data.metadata)
object=$(curl -s --header "X-Vault-Token: $TOKEN" http://127.0.0.1:8200/v1/secret/data/appname)

# Keeping only the stored object, wrapped in the {"data": ...} shape a KV v2 write expects
new_object=$(echo "$object" | jq '{data: .data.data}')

# Replacing the first value (--arg passes the value as a jq variable instead of splicing it into the filter)
replace_VALUE_ONE=$(echo "$new_object" | jq --arg v "$VALUE_ONE" '.data."value.one" = $v')

# Replacing the second value
final=$(echo "$replace_VALUE_ONE" | jq --arg v "$VALUE_TWO" '.data."value.two" = $v')

# Updating the Vault (writes a new version of the whole object with the two values changed)
curl -s --header "X-Vault-Token: $TOKEN" --request POST --data "$final" http://127.0.0.1:8200/v1/secret/data/appname

# Retrieving the secret again
curl -s --header "X-Vault-Token: $TOKEN" http://127.0.0.1:8200/v1/secret/data/appname
```
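The same read-modify-write flow, written here as an added example in Python (standard library only, not the answer's script or a Vault project sample) so that the body-building step can be checked offline. It adds two things a rotation job needs: it descends into the nested `data` map that the question's secret carries (which is why `vault kv patch` added a sibling key at the top level), and it pins the write with KV v2 check-and-set (`options.cas`) so a concurrent rotation is rejected instead of silently overwritten. The address, token and the sample read response are constructed placeholders.

```python
import copy
import json
import urllib.request

# Constructed sample of what GET /v1/secret/data/appname returns for the secret in
# the question: KV v2 puts the stored object under data.data and the version under
# data.metadata; the stored object itself has a nested "data" map.
SAMPLE_READ = {
    "data": {
        "data": {"data": {
            "cloud.aws.credentials.accessKey": "AWS_KEY",
            "cloud.aws.credentials.secretKey": "akjdfhadsFADSFadsfadksbfadsfADSF123123",
            "app.password": "ThisIsASamplePassword",
        }},
        "metadata": {"version": 2, "created_time": "2019-05-08T08:29:59.3579731Z"},
    }
}

def build_update(read_response, updates, nested_key="data"):
    """Return the KV v2 write body that changes only `updates` inside the stored object.
    nested_key="data" descends into the inner map from the question; pass None for a
    flat secret. options.cas pins the write to the version just read, so Vault answers
    HTTP 400 if someone else wrote a newer version in between (re-read and retry)."""
    stored = copy.deepcopy(read_response["data"]["data"])
    version = read_response["data"]["metadata"]["version"]
    target = stored[nested_key] if nested_key else stored
    for key, value in updates.items():
        if key not in target:
            raise KeyError(f"refusing to create unknown key {key!r}")
        target[key] = value
    return {"options": {"cas": version}, "data": stored}

def vault_request(addr, token, path, body=None):
    """Single KV v2 call: GET when body is None, POST (writes a new version) otherwise."""
    req = urllib.request.Request(
        f"{addr}/v1/secret/data/{path}",
        data=None if body is None else json.dumps(body).encode(),
        method="GET" if body is None else "POST",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Hypothetical address and token; only the access key changes, every other value is kept.
    current = vault_request("http://127.0.0.1:8200", "<TOKEN>", "appname")
    body = build_update(current, {"cloud.aws.credentials.accessKey": "NEW_KEY"})
    print(vault_request("http://127.0.0.1:8200", "<TOKEN>", "appname", body))
```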