我是 HashiCorp Vault 的新手。我创建了一个 docker-compose 文件和一些其他文件来添加一些配置。我这样做是因为我不想在另一台计算机上运行时手动创建秘密和 AppRole。仅供学习之用。
我已经尝试了 2 天,但我不知道自己做错了什么。 运行 docker-compose 后,我进入容器并运行这些命令:
这个运行没有任何问题。
/bin/sh docker-compose-configs/vault-config/init-vault.sh
但是在这个中,我得到一个错误
/ # vault list auth/approle/role
列出 auth/approle/role 时出错:发出 API 请求时出错。
URL:GET http://127.0.0.1:8200/v1/auth/approle/role?list=true 代码:403。错误:
这些是我的文件:
docker-compose.yml:
---
# Single-node HashiCorp Vault for local development.
#
# Because VAULT_DEV_ROOT_TOKEN_ID is set, the image's entrypoint starts the
# server in dev mode (auto-unsealed, state kept in memory, root token fixed to
# the value below).  Two consequences worth knowing:
#   * the vault-data / vault-logs volumes do not hold Vault state in dev mode,
#     and a config.hcl is only read from the image's config directory
#     (/vault/config); nothing below mounts one there.
#   * VAULT_TOKEN is deliberately not set here.  The import-*.sh scripts export
#     it for their own process only, so an interactive `docker exec` shell has
#     VAULT_ADDR but no token, and `vault` CLI calls answer 403 until
#     VAULT_TOKEN is exported (or `vault login` is run) in that shell.
# The fixed root token and the bind-mounted secrets.txt are plaintext on the
# host; that is fine for this learning setup only.
version: '3'

services:
  vault:
    # `latest` is unpinned; pin a tag for reproducible runs.
    image: vault:latest
    container_name: ticketflow-vault
    restart: always
    ports:
      - '8200:8200'
    cap_add:
      - IPC_LOCK  # lets Vault mlock() its memory so secrets are not swapped out
    environment:
      VAULT_DEV_ROOT_TOKEN_ID: ticketflow-token
      VAULT_DEV_LISTEN_ADDRESS: '0.0.0.0:8200'
      VAULT_ADDR: 'http://127.0.0.1:8200'
    volumes:
      - vault-data:/vault/file
      - vault-logs:/vault/logs
      # Init scripts plus secrets.txt.  init-vault.sh chmods the scripts in
      # place, so this mount has to stay writable.
      - ./vault-config:/docker-compose-configs/vault-config

volumes:
  vault-data:
  vault-logs:
config.hcl:
# Standalone (non-dev) server configuration: file-backed storage behind a
# plain-HTTP listener.
#
# NOTE(review): the compose file starts the image with VAULT_DEV_ROOT_TOKEN_ID,
# i.e. in dev mode, and does not mount this file under /vault/config, so as
# shown it appears never to be read.  A server started from it instead comes up
# sealed and has to be initialised and unsealed before the import scripts can
# do anything.

# Persist data to the vault-data volume mounted at /vault/file.
storage "file" {
  path = "/vault/file"
}

# TLS is off, so tokens and secrets travel in clear text.  The listener binds
# every interface and the compose file publishes it on port 8200.
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

ui       = true
api_addr = "http://127.0.0.1:8200"
init-vault.sh:
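#!/bin/sh
# Bootstrap a freshly started dev-mode Vault: create the AppRole first, then
# load the KV secrets.  Run inside the container, e.g.
#   /bin/sh /docker-compose-configs/vault-config/init-vault.sh
#
# Each import script exports its own VAULT_ADDR / VAULT_TOKEN; nothing here
# leaks into the calling shell, so an interactive `vault` command run
# afterwards still needs its own VAULT_TOKEN (or `vault login`).
CONFIG_DIR=/docker-compose-configs/vault-config

# Invoke the scripts through /bin/sh, exactly as init-vault.sh itself is
# invoked.  That makes the chmod +x (and a writable bind mount) unnecessary.
# Both scripts still run even if the first one fails, but the exit status now
# reports any failure instead of echoing only the last script's.
status=0
for script in import-approle.sh import-secrets.sh; do
  if ! /bin/sh "$CONFIG_DIR/$script"; then
    echo "init-vault: $script failed" >&2
    status=1
  fi
done
exit "$status"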
import-secrets.sh:
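#!/bin/sh
# Load the key=value lines of secrets.txt into the dev Vault's KV store as
# secret/ticketflow/development/authentication.<key>, one secret per line with
# a single field named "value".
#
# In a dev-mode server `secret/` is a KV version-2 mount; `vault kv put`
# handles that transparently, but ACL policies for readers must name
# secret/data/... (and secret/metadata/... for listing), not bare secret/...
#
# Uses the fixed dev root token.  The exports apply to this process only; an
# interactive shell in the container needs its own VAULT_TOKEN.
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='ticketflow-token'

SECRETS_FILE=/docker-compose-configs/vault-config/secrets.txt
# Upper bound on the readiness wait (5 s per attempt); override via env.
MAX_WAIT_ATTEMPTS="${MAX_WAIT_ATTEMPTS:-60}"

# Block until the server reports it is unsealed, but give up eventually
# instead of looping forever when Vault never comes up.
attempt=0
until vault status -format=json | grep -q '"sealed": false'; do
  attempt=$((attempt + 1))
  if [ "$attempt" -ge "$MAX_WAIT_ATTEMPTS" ]; then
    echo "Vault at $VAULT_ADDR is not unsealed after $attempt attempts; giving up." >&2
    exit 1
  fi
  sleep 5
done

if [ ! -r "$SECRETS_FILE" ]; then
  echo "Cannot read $SECRETS_FILE" >&2
  exit 1
fi

echo "Importing secrets..."
failures=0
lineno=0
# -r keeps backslashes, IFS= keeps surrounding whitespace, and the `|| [ -n ]`
# clause still processes a final line that lacks a trailing newline.
while IFS= read -r line || [ -n "$line" ]; do
  lineno=$((lineno + 1))
  # Skip blank lines and `#` comments.
  case "$line" in
    ''|'#'*) continue ;;
  esac
  # Split on the FIRST '=' only so values that themselves contain '='
  # (base64, URLs) are not truncated the way `cut -f 2` would.
  key=${line%%=*}
  value=${line#*=}
  if [ -z "$key" ] || [ "$key" = "$line" ]; then
    # Do not echo the line itself: it may be a bare secret value.
    echo "Skipping malformed line $lineno (expected key=value)" >&2
    failures=$((failures + 1))
    continue
  fi
  # Log the key only; the value is a secret and stays out of the output.
  echo "Importing secret: authentication.$key"
  if ! vault kv put "secret/ticketflow/development/authentication.$key" "value=$value"; then
    echo "Failed to import authentication.$key" >&2
    failures=$((failures + 1))
  fi
done < "$SECRETS_FILE"

# Only claim success when every line was imported.
if [ "$failures" -ne 0 ]; then
  echo "$failures secret(s) were not imported." >&2
  exit 1
fi
echo "Secrets imported successfully."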
import-approle.sh:
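#!/bin/sh
# Enable the AppRole auth method, install the "ticketflow" policy, create the
# ticketflow role, then print its RoleID and a fresh SecretID.
#
# Uses the fixed dev root token.  The exports apply to this process only, so
# an interactive shell in the container still needs its own VAULT_TOKEN
# (a 403 "permission denied" from the CLI there is usually just that).
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='ticketflow-token'

# Stop at the first failing command and on unset variables.
set -eu

# Upper bound on the readiness wait (5 s per attempt); override via env.
MAX_WAIT_ATTEMPTS="${MAX_WAIT_ATTEMPTS:-60}"

# Wait for the server to be unsealed (same check as import-secrets.sh) so the
# script does not fail merely because it ran before Vault finished starting.
attempt=0
until vault status -format=json | grep -q '"sealed": false'; do
  attempt=$((attempt + 1))
  if [ "$attempt" -ge "$MAX_WAIT_ATTEMPTS" ]; then
    echo "Vault at $VAULT_ADDR is not unsealed after $attempt attempts; giving up." >&2
    exit 1
  fi
  sleep 5
done

# `vault auth enable` errors when the mount already exists; skip it on re-runs.
if vault auth list -format=json | grep -q '"approle/"'; then
  echo "AppRole auth method already enabled."
else
  vault auth enable approle
fi

# Policy attached to tokens issued for the role.  The dev server's secret/
# mount is KV v2, so reads go to secret/data/... and lists to
# secret/metadata/...; the bare secret/... path is kept in case the mount is
# ever KV v1.  The heredoc is quoted: the policy text is literal.
#
# NOTE(review): read/list/create/update on auth/approle/role/* lets a holder of
# a ticketflow token modify the role itself, and read on sys/policies/acl/* is
# not needed to consume secrets.  Both grants are kept as written; an
# application normally needs only the secret/ paths.
vault policy write ticketflow - <<'EOT'
path "secret/data/ticketflow/development/*" {
  capabilities = ["read", "list"]
}
path "secret/metadata/ticketflow/development/*" {
  capabilities = ["read", "list"]
}
path "secret/ticketflow/development/*" {
  capabilities = ["read", "list"]
}
path "auth/approle/role/*" {
  capabilities = ["read", "list", "create", "update"]
}
path "sys/policies/acl/*" {
  capabilities = ["read"]
}
EOT

# A single write creates the role with every field set explicitly.
# secret_id_num_uses=0 and secret_id_ttl=0 mean a SecretID can be used without
# limit and never expires; token_period=0 means tokens are not periodic.
vault write auth/approle/role/ticketflow \
  token_policies="ticketflow" \
  token_ttl=1h \
  token_max_ttl=24h \
  secret_id_num_uses=0 \
  secret_id_ttl=0 \
  token_num_uses=0 \
  token_period=0

# Both values go to stdout.  The SecretID is a credential, so keep this output
# out of shared logs.
vault read auth/approle/role/ticketflow/role-id
vault write -f auth/approle/role/ticketflow/secret-id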
secrets.txt:
client_secret=45edaa89-16cb-41e2-aee5-970ab971ee9c
client_id=Authentication-client
REALM=TicketFlow