
Vault


$ vault read mysql/creds/readonly
Key            	Value
lease_id       	mysql/creds/readonly/5b31f548-f196-ee63-cea7-64f0a1c56e6b
lease_duration 	600
lease_renewable	true
password       	88eea4fd-b844-e4ae-5dbb-373bf4760475
username       	root-7d061d03-42

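# Connect to MySQL with the username returned by `vault read mysql/creds/readonly`.
# Only the username goes on the command line; a bare `-p` makes the mysql client
# prompt for the password, so the generated password is not exposed in `ps`
# output or shell history the way an inline -p<password> is.
# Requires: generated_user — the `username` value from the vault read output.
docker exec -it mysql mysql -u"${generated_user:?set generated_user from the vault read output}" -p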

mysql> SELECT User();
+----------------------------+
| User()                     |
+----------------------------+
| root-7d061d03-42@localhost |
+----------------------------+
1 row in set (0.00 sec)

mysql> SHOW GRANTS;
+-----------------------------------------------+
| Grants for root-7d061d03-42@%                 |
+-----------------------------------------------+
| GRANT SELECT ON *.* TO 'root-7d061d03-42'@'%' |
+-----------------------------------------------+
1 row in set (0.00 sec)

mysql> SELECT User, Host FROM mysql.user;
+------------------+------+
| User             | Host |
+------------------+------+
| root             | %    |
| root-7d061d03-42 | %    |
+------------------+------+
2 rows in set (0.01 sec)
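#!/usr/bin/env bash
# Configure Vault's MySQL secret backend: authenticate, mount the backend, give it
# the MySQL connection string, bound the leases, and define a read-only role.
# Uses the Vault 0.5/0.6-era CLI seen in the transcript (`vault auth`, `vault mount`).
#
# Environment: VAULT_TOKEN        — root token exported by the init script (optional;
#                                   if unset the CLI asks for the token itself).
#              MYSQL_ROOT_PASSWORD — defaults to "secret" to match docker-compose;
#                                   set it explicitly anywhere outside this demo.
set -euo pipefail

# Authenticate using root token. Quoted so an empty/odd value is not word-split.
# A token on the command line is visible in shell history and `ps` while the
# command runs; leaving VAULT_TOKEN unset lets the CLI read it interactively.
if [[ -n "${VAULT_TOKEN:-}" ]]; then
  vault auth "$VAULT_TOKEN"
else
  vault auth
fi

# Mount the MySQL secret backend at the default path "mysql/".
vault mount mysql

# Create the mysql connection string Vault uses to create and drop users.
# This is MySQL's root account (it needs CREATE USER / GRANT rights); a dedicated
# account limited to those privileges would be the least-privilege choice.
mysql_root_password=${MYSQL_ROOT_PASSWORD:-secret}
vault write mysql/config/connection \
  value="root:${mysql_root_password}@tcp(mysql:3306)/"

# Set the lease properties: issued credentials live 10 minutes per lease and
# cannot be extended past 1 hour in total.
vault write mysql/config/lease \
  lease=10m \
  lease_max=1h

# Create a readonly role. Every `vault read mysql/creds/readonly` runs this SQL
# with a fresh {{name}}/{{password}}; SELECT ON *.* is read-only but spans every
# database on the server.
vault write mysql/roles/readonly \
  sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';"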
$ vault auth $VAULT_TOKEN
Successfully authenticated!
token: 8f357777-0b58-87ed-d54f-a56bb2d6f6ba
token_duration: 0
token_policies: [root]
$ vault mount mysql
Successfully mounted 'mysql' at 'mysql'!
$ vault mounts
Path        Type       Default TTL  Max TTL  Description
cubbyhole/  cubbyhole  n/a          n/a      per-token private secret storage
mysql/      mysql      system       system
secret/     generic    system       system   generic secret storage
sys/        system     n/a          n/a      system endpoints used for control, policy and debugging
$ vault write mysql/config/connection \
>     value="root:secret@tcp(mysql:3306)/"
Success! Data written to: mysql/config/connection
$ vault write mysql/config/lease \
>   lease=10m \
>   lease_max=1h
Success! Data written to: mysql/config/lease
$ vault write mysql/roles/readonly \
>     sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';"
Success! Data written to: mysql/roles/readonly
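# start vault (and the linked mysql container) in the background
docker-compose up -d

# initialize and unseal vault. The script is sourced rather than executed so the
# VAULT_TOKEN it sets is exported into the current shell for the commands that
# follow (the transcript shows `echo $VAULT_TOKEN` printing the root token).
# NOTE(review): the transcript on this page runs scripts/initiate_vault.sh
# (underscore) successfully, while this line previously referenced
# initiate-vault.sh (hyphen); the name that is shown working is used here.
source ./scripts/initiate_vault.sh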
$ source scripts/initiate_vault.sh
Sealed: false
Key Shares: 1
Key Threshold: 1
Unseal Progress: 0
$ echo $VAULT_TOKEN
8f357777-0b58-87ed-d54f-a56bb2d6f6ba
# docker-compose (v1 file format) for the Vault + MySQL demo: one Vault server
# container linked to one MySQL 5.7 container.
# NOTE(review): dtestops/vault is a third-party image with no tag; pin it by tag
# or digest and review its Dockerfile before reusing this outside a demo.
vault:
  container_name: vault
  image: dtestops/vault
  volumes:
    # Vault server config; not shown on this page, so whether it enables TLS
    # cannot be confirmed here.
    - ./vault.hcl:/etc/vault.hcl
  links:
    # Makes the host name "mysql" resolvable, as used in the connection string.
    - "mysql:mysql"
  ports:
    # Publishes the Vault API on every host interface; "127.0.0.1:8200:8200"
    # would keep it reachable only from the host itself.
    - "8200:8200"
  command: "server -config=/etc/vault.hcl"
  environment:
    # In-container address for the CLI. Plain http, so the API should not be
    # exposed beyond the host unless vault.hcl turns on TLS.
    - VAULT_ADDR=http://127.0.0.1:8200
mysql:
  container_name: mysql
  image: mysql:5.7
  environment:
    # Root password; the same value is embedded in the mysql/config/connection
    # string Vault is given. Demo value only — supply it from an env_file or the
    # host environment rather than committing a real password here.
    - "MYSQL_ROOT_PASSWORD=secret"