我不知道我做错了什么。
但是这是我的配置。
// payload.json
{
"plugin_name": "postgresql-database-plugin",
"allowed_roles": "*",
"connection_url": "postgresql://{{username}}:{{password}}@for-testing-vault.rds.amazonaws.com:5432/test-app",
"username": "test",
"password": "testtest"
}
然后运行此命令:
curl --header "X-Vault-Token: ..." --request POST --data @payload.json http://ip_add.us-west-1.compute.amazonaws.com:8200/v1/database/config/postgresql
角色配置:
// readonlypayload.json
{
"db_name": "test-app",
"creation_statements": ["CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"],
"default_ttl": "1h",
"max_ttl": "24h"
}
然后运行此命令:
curl --header "X-Vault-Token: ..." --request POST --data @readonlypayload.json http://ip_add.us-west-1.compute.amazonaws.com:8200/v1/database/roles/readonly
然后创建了一个策略:
path "database/creds/readonly" {
capabilities = [ "read" ]
}
path "/sys/leases/renew" {
capabilities = [ "update" ]
}
并运行它以获取令牌:
curl --header "X-Vault-Token: ..." --request POST --data '{"policies": ["db_creds"]}' http://ip_add.us-west-1.compute.amazonaws.com:8200/v1/auth/token/create | jq
执行此命令以获取值:
VAULT_TOKEN=... consul-template.exe -template="config.yml.tpl:config.yml" -vault-addr "http://ip_add.us-west-1.compute.amazonaws.com:8200" -log-level debug
然后我收到此错误:
URL: GET http://ip_add.us-west-1.compute.amazonaws.com:8200/v1/database/creds/readonly
Code: 500. Errors:
* 1 error occurred:
* failed to find entry for connection with name: "test-app"
任何建议将不胜感激,谢谢!
编辑:也在服务器上尝试了此命令vault read database/creds/readonly
仍在返回
* 1 error occurred:
* failed to find entry for connection with name: "test-app"
对于那些通过Google搜索此错误消息的用户,这可能会有所帮助:
不幸的是,Vault数据库/角色的参数db_name
有点误导。该值需要匹配database/config/
条目,而不是实际的数据库名称。 GRANT语句本身就是与数据库名称相关的地方,db_name
只是对配置名称的引用,该名称可能与数据库名称匹配,也可能不匹配。 (就我而言,配置中还有其他数据,例如环境以数据库名称作为前缀。)