Vault from entry to proficiency series 2: Start the Vault server

Vault runs as a client-server application. The Vault server is the only component of the Vault architecture that talks to the storage backend; clients never read or write stored data directly. Every operation performed through the Vault CLI is an HTTP API request to the server, which in a real deployment is made over TLS. The development server used below disables TLS, which is one of the reasons it must stay on a local machine.

In this post, you will start a Vault server in development mode and interact with it.

1. Start the development server

Start the Vault server in development mode (the "dev server"). The dev server is a built-in, pre-configured server that is insecure by design: it keeps everything in memory, starts already unsealed, and prints its root token to the terminal. That makes it convenient for trying Vault locally and unsuitable for anything else.

vault server -dev

The output looks like this:

vault server -dev
==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
   Environment Variables: CLASSPATH, FLINK_HOME, GODEBUG, HADOOP_HOME, HISTFILE, HISTSIZE, HISTTIMEFORMAT, HIVE_HOME, HOME, HOSTNAME, JAVA_HOME, LANG, LESSOPEN, LOGNAME, LS_COLORS, MAIL, MONGODB_HOME, MSSQL_HOME, PATH, PROMPT_COMMAND, PWD, PYTHON3_HOME, QT_GRAPHICSSYSTEM, QT_GRAPHICSSYSTEM_CHECKED, SHELL, SHLVL, SPARK_HOME, SUDO_COMMAND, SUDO_GID, SUDO_UID, SUDO_USER, TERM, TMOUT, USER, USERNAME, VAULT_ADDR, XDG_SESSION_ID, ZOOKEEP_HOME, _
              Go Version: go1.20.4
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: 
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.13.3, built 2023-06-06T18:12:37Z
             Version Sha: 3bedf816cbf851656ae9e6bd65dd4a67a9ddff5e

==> Vault server started! Log data will stream in below:

2023-06-19T13:14:08.399+0800 [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
2023-06-19T13:14:08.399+0800 [WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
2023-06-19T13:14:08.400+0800 [INFO]  core: Initializing version history cache for core
2023-06-19T13:14:08.400+0800 [INFO]  core: security barrier not initialized
2023-06-19T13:14:08.400+0800 [INFO]  core: security barrier initialized: stored=1 shares=1 threshold=1
2023-06-19T13:14:08.401+0800 [INFO]  core: post-unseal setup starting
2023-06-19T13:14:08.416+0800 [INFO]  core: loaded wrapping token key
2023-06-19T13:14:08.416+0800 [INFO]  core: successfully setup plugin catalog: plugin-directory=""
2023-06-19T13:14:08.416+0800 [INFO]  core: no mounts; adding default mount table
2023-06-19T13:14:08.417+0800 [INFO]  core: successfully mounted: type=cubbyhole version="v1.13.3+builtin.vault" path=cubbyhole/ namespace="ID: root. Path: "
2023-06-19T13:14:08.418+0800 [INFO]  core: successfully mounted: type=system version="v1.13.3+builtin.vault" path=sys/ namespace="ID: root. Path: "
2023-06-19T13:14:08.418+0800 [INFO]  core: successfully mounted: type=identity version="v1.13.3+builtin.vault" path=identity/ namespace="ID: root. Path: "
2023-06-19T13:14:08.420+0800 [INFO]  core: successfully mounted: type=token version="v1.13.3+builtin.vault" path=token/ namespace="ID: root. Path: "
2023-06-19T13:14:08.420+0800 [INFO]  rollback: starting rollback manager
2023-06-19T13:14:08.423+0800 [INFO]  core: restoring leases
2023-06-19T13:14:08.425+0800 [INFO]  expiration: lease restore complete
2023-06-19T13:14:08.426+0800 [INFO]  identity: entities restored
2023-06-19T13:14:08.426+0800 [INFO]  identity: groups restored
2023-06-19T13:14:08.426+0800 [INFO]  core: Recorded vault version: vault version=1.13.3 upgrade time="2023-06-19 05:14:08.426587913 +0000 UTC" build date=2023-06-06T18:12:37Z
2023-06-19T13:14:08.696+0800 [INFO]  core: post-unseal setup complete
2023-06-19T13:14:08.696+0800 [INFO]  core: root token generated
2023-06-19T13:14:08.696+0800 [INFO]  core: pre-seal teardown starting
2023-06-19T13:14:08.697+0800 [INFO]  rollback: stopping rollback manager
2023-06-19T13:14:08.697+0800 [INFO]  core: pre-seal teardown complete
2023-06-19T13:14:08.697+0800 [INFO]  core.cluster-listener.tcp: starting listener: listener_address=127.0.0.1:8201
2023-06-19T13:14:08.697+0800 [INFO]  core.cluster-listener: serving cluster requests: cluster_listen_address=127.0.0.1:8201
2023-06-19T13:14:08.697+0800 [INFO]  core: post-unseal setup starting
2023-06-19T13:14:08.697+0800 [INFO]  core: loaded wrapping token key
2023-06-19T13:14:08.697+0800 [INFO]  core: successfully setup plugin catalog: plugin-directory=""
2023-06-19T13:14:08.698+0800 [INFO]  core: successfully mounted: type=system version="v1.13.3+builtin.vault" path=sys/ namespace="ID: root. Path: "
2023-06-19T13:14:08.698+0800 [INFO]  core: successfully mounted: type=identity version="v1.13.3+builtin.vault" path=identity/ namespace="ID: root. Path: "
2023-06-19T13:14:08.698+0800 [INFO]  core: successfully mounted: type=cubbyhole version="v1.13.3+builtin.vault" path=cubbyhole/ namespace="ID: root. Path: "
2023-06-19T13:14:08.699+0800 [INFO]  core: successfully mounted: type=token version="v1.13.3+builtin.vault" path=token/ namespace="ID: root. Path: "
2023-06-19T13:14:08.699+0800 [INFO]  rollback: starting rollback manager
2023-06-19T13:14:08.699+0800 [INFO]  core: restoring leases
2023-06-19T13:14:08.700+0800 [INFO]  identity: entities restored
2023-06-19T13:14:08.700+0800 [INFO]  identity: groups restored
2023-06-19T13:14:08.700+0800 [INFO]  expiration: lease restore complete
2023-06-19T13:14:08.700+0800 [INFO]  core: post-unseal setup complete
2023-06-19T13:14:08.700+0800 [INFO]  core: vault is unsealed
2023-06-19T13:14:08.703+0800 [INFO]  core: successful mount: namespace="" path=secret/ type=kv version=""
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variables:

    $ export VAULT_ADDR='http://127.0.0.1:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: jp2vzZPjYufsXNsJsEFTuKHMJzvx2FvnC5M3H6+y3vc=
Root Token: hvs.WNSdITpoYX5HvRZWYyGjvZaj

Development mode should NOT be used in production installations!

The development server stores all its data in memory (still encrypted behind the barrier, but gone as soon as the process exits), listens on localhost without TLS, and automatically initializes and unseals itself, printing the unseal key and root token to the terminal.

2. Set environment variables

Start a new terminal session.

Copy the export VAULT_ADDR ... line from the terminal output and run it. This configures the Vault client to talk to the dev server.

export VAULT_ADDR='http://127.0.0.1:8200'

The Vault CLI reads the VAULT_ADDR environment variable to determine which Vault server it sends requests to.

Save the unseal key somewhere. Don't worry about how to store it securely yet; for now, just save it anywhere.

Set the VAULT_TOKEN environment variable to the root token shown in the terminal output (the value printed after Root Token: above).

export VAULT_TOKEN="hvs.WNSdITpoYX5HvRZWYyGjvZaj"

To interact with Vault, a valid token must be provided. Setting this environment variable is one way to supply a token to the CLI. Note that an exported token is inherited by every child process of that shell and the export line may end up in your shell history, which is acceptable for a throwaway dev server but not for a real one. In the authentication tutorial, you will learn to authenticate to Vault with the vault login <token_value> command, which stores the token in the ~/.vault-token file instead.

3. Verify that the server is running

Verify that the server is running by executing the vault status command. If everything worked, the output should look like this:

vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.13.3
Build Date      2023-06-06T18:12:37Z
Storage Type    inmem
Cluster Name    vault-cluster-488bbee6
Cluster ID      6fd0289e-dd56-af7f-c188-6f8ea08e3f2e
HA Enabled      false
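What the two environment variables actually do is easier to see against the HTTP API that the CLI wraps. The following Python script is an added example written for this post, not code from the original page or from Vault itself. It reads VAULT_ADDR and VAULT_TOKEN the way the CLI does, refuses to send a token over plaintext http to anything but a loopback address (the dev server's TLS-disabled listener is only tolerable because it is bound to 127.0.0.1), and queries the unauthenticated /v1/sys/health endpoint, which encodes the server state in its HTTP status code, to derive the Initialized and Sealed fields that vault status prints. The loopback host list, the 5-second timeout and the polling helper are choices of this example.

```python
#!/usr/bin/env python3
"""Added example: read VAULT_ADDR/VAULT_TOKEN like the CLI and check server
health over the HTTP API. Not part of the original post or of Vault."""
import json
import os
import time
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# The Vault CLI's own default when VAULT_ADDR is unset is https, not http.
DEFAULT_ADDR = "https://127.0.0.1:8200"

# Hosts for which a plaintext http:// listener never leaves the machine
# (assumption of this example; the dev server binds to 127.0.0.1).
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}

# GET /v1/sys/health encodes the server state in its HTTP status code
# (Vault's documented default codes; the endpoint needs no token).
HEALTH_CODES = {
    200: "initialized, unsealed, active",
    429: "unsealed, standby",
    472: "disaster recovery replication secondary, active",
    473: "performance standby",
    501: "not initialized",
    503: "sealed",
}


def address_is_acceptable(addr):
    """True for https anywhere, or http only to a loopback host. A token sent
    over plaintext http to any other host can be read by anyone on the path."""
    parts = urlsplit(addr)
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


def config_from_env(env=None):
    """Return (addr, token) from the same variables the CLI reads."""
    env = os.environ if env is None else env
    addr = env.get("VAULT_ADDR", DEFAULT_ADDR).rstrip("/")
    if not address_is_acceptable(addr):
        raise ValueError(f"refusing to send a token in the clear to {addr}")
    return addr, env.get("VAULT_TOKEN", "")


def summarize_health(status_code, body):
    """Map a sys/health response to the fields `vault status` shows."""
    info = json.loads(body) if body else {}
    return {
        "initialized": bool(info.get("initialized", status_code != 501)),
        "sealed": bool(info.get("sealed", status_code == 503)),
        "state": HEALTH_CODES.get(status_code, f"unknown status {status_code}"),
        "version": info.get("version", "?"),
    }


def vault_health(addr, timeout=5):
    """Query /v1/sys/health without an X-Vault-Token header; the root token
    is not needed for this call, so it is never put on the wire here."""
    req = urllib.request.Request(f"{addr}/v1/sys/health")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return summarize_health(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 429/501/503 are states, not failures
        return summarize_health(err.code, err.read())


def wait_until_unsealed(addr, attempts=10, delay=1.0):
    """Poll until the server reports initialized and unsealed (useful right
    after `vault server -dev` has been started in the background)."""
    for _ in range(attempts):
        status = vault_health(addr)
        if status["initialized"] and not status["sealed"]:
            return status
        time.sleep(delay)
    raise TimeoutError(f"{addr} did not become unsealed after {attempts} attempts")


if __name__ == "__main__":
    addr, token = config_from_env()
    if not token:
        print("VAULT_TOKEN is not set; health works without it, other calls will not")
    for key, value in wait_until_unsealed(addr).items():
        print(f"{key:12} {value}")
```

Run it in the terminal where you exported VAULT_ADDR; against the dev server it reports initialized true, sealed false and state "initialized, unsealed, active", matching the vault status output above. Pointing VAULT_ADDR at http://<some-other-host>:8200 makes config_from_env raise instead of leaking the token.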

4. vault command summary

When running Vault in development mode, the Key/Value v2 secrets engine is enabled at the secret/ path (see the "successful mount ... path=secret/ type=kv" line in the server log above). The Key/Value secrets engine is a general-purpose key-value store for arbitrary secrets, kept in whatever physical storage Vault is configured with. Secrets written to Vault are encrypted by the barrier before they reach backend storage, so the storage backend never sees a plaintext value and has no means of decrypting it without Vault's keys.

There are two versions of the Key/Value secrets engine, v1 and v2. The difference is that v2 keeps a version history of each secret (earlier versions can be read, rolled back to, soft-deleted and undeleted), while v1 stores only the current value and overwrites it on every write.

Use the vault kv [options] [args] command to interact with the K/V secrets engine.

Available subcommands: (listed in the original post as an image)
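The versioning difference between KV v1 and v2 shows up directly in the API paths and payloads that vault kv put, get, delete and undelete generate. The script below is an added example written for this post, not code from the original page or from Vault. It talks to the KV v2 engine the dev server mounts at secret/ through the HTTP API, using the VAULT_ADDR and VAULT_TOKEN variables exported above, writes two versions of a secret with check-and-set so that a concurrent writer cannot silently overwrite the other, reads a specific version, soft-deletes it and undeletes it. The secret path app/db, the field values and the KvV2 class are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Added example: the KV v2 API calls behind `vault kv put/get/delete/undelete`.
Not part of the original post or of Vault; assumes VAULT_ADDR and VAULT_TOKEN
are exported as shown above and that KV v2 is mounted at secret/."""
import json
import os
import urllib.error
import urllib.request


def kv2_paths(mount, key):
    """KV v2 exposes one secret through several paths under the mount; v1 has
    only /v1/<mount>/<key>, which is why v1 cannot version anything."""
    mount = mount.strip("/")
    return {name: f"/v1/{mount}/{name}/{key}"
            for name in ("data", "metadata", "delete", "undelete", "destroy")}


def kv2_put_body(secret, cas=None):
    """v2 wraps the key/value pairs in "data". options.cas makes the write fail
    unless the current version equals cas (0 = the secret must not exist yet)."""
    body = {"data": secret}
    if cas is not None:
        body["options"] = {"cas": cas}
    return body


def kv2_unwrap(response):
    """Return (secret, version, deleted) from a v2 read response. A soft-deleted
    version comes back with data null and a deletion_time in the metadata."""
    data = response["data"]
    meta = data.get("metadata", {})
    deleted = bool(meta.get("deletion_time")) or bool(meta.get("destroyed"))
    return data.get("data"), meta.get("version"), deleted


class KvV2:
    """Minimal client for one KV v2 mount (constructed for this example)."""

    def __init__(self, mount="secret", addr=None, token=None):
        self.mount = mount
        self.addr = (addr or os.environ["VAULT_ADDR"]).rstrip("/")
        self.token = token or os.environ["VAULT_TOKEN"]

    def _request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            self.addr + path, data=data, method=method,
            headers={"X-Vault-Token": self.token})  # the CLI sends this same header
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:
            raw = err.read()
            return err.code, (json.loads(raw) if raw else {})

    def put(self, key, secret, cas=None):
        code, out = self._request("POST", kv2_paths(self.mount, key)["data"],
                                  kv2_put_body(secret, cas))
        if code != 200:  # a CAS mismatch is reported as 400 with an error message
            raise RuntimeError(f"write to {key} failed ({code}): {out.get('errors')}")
        return out["data"]["version"]

    def get(self, key, version=None):
        path = kv2_paths(self.mount, key)["data"]
        if version is not None:
            path += f"?version={version}"
        code, out = self._request("GET", path)
        if code == 404 and "data" not in out:
            return None, None, False  # never written
        return kv2_unwrap(out)

    def delete_versions(self, key, versions):
        """Soft delete: the versions stay in storage and can be undeleted."""
        code, _ = self._request("POST", kv2_paths(self.mount, key)["delete"],
                                {"versions": versions})
        return code == 204

    def undelete_versions(self, key, versions):
        code, _ = self._request("POST", kv2_paths(self.mount, key)["undelete"],
                                {"versions": versions})
        return code == 204


if __name__ == "__main__":
    kv = KvV2("secret")
    v1 = kv.put("app/db", {"username": "app", "password": "first"}, cas=0)
    v2 = kv.put("app/db", {"username": "app", "password": "second"}, cas=v1)
    print("versions written:", v1, v2)
    print("latest:", kv.get("app/db"))
    print("version 1:", kv.get("app/db", version=v1))
    kv.delete_versions("app/db", [v1])
    print("version 1 after soft delete:", kv.get("app/db", version=v1))
    kv.undelete_versions("app/db", [v1])
    print("version 1 after undelete:", kv.get("app/db", version=v1))
```

Running it twice shows the point of cas: the second run fails on the first put with a 400 from Vault because version 0 no longer matches, instead of quietly creating version 3. Everything the script does can be compared with the CLI, for example vault kv get -version=1 secret/app/db, and destroy (the destroy path) is the only operation that actually removes version data.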

Origin blog.csdn.net/zhengzaifeidelushang/article/details/131286740