CLOVER🍀

That was when it all began.

Looking at Vault's Seal/Unseal (trying it on a non-dev server)

恓悌ćÆ态ćŖć«ć‚’ć—ćŸćć¦ę›øć„ćŸć‚‚ć®ļ¼Ÿ

å‰ć«Vaultć‚’č©¦ć—ćŸę™‚ćÆ态開ē™ŗćƒ¢ćƒ¼ćƒ‰ć®ć‚µćƒ¼ćƒćƒ¼ć§ć—ćŸć€‚

Ubuntu Linux 20.04 LTSにVaultをインストールする - CLOVER🍀

今回ćÆ态開ē™ŗćƒ¢ćƒ¼ćƒ‰ć«ć›ćšć«ä½æć£ć¦ćæ恟恄ćØę€ć„ć¾ć™ć€‚

ćŖć‚“ć¦å‘¼ć‚“ć ć‚‰ć„ć„ć‹ć‚ć‹ć‚Šć¾ć›ć‚“ćŒć€ć“ć®ć‚Øćƒ³ćƒˆćƒŖćƒ¼ć®ć‚æć‚¤ćƒˆćƒ«ćØ恗恦ćÆ怌非開ē™ŗć‚µćƒ¼ćƒćƒ¼ć€ćØć—ć¦ćŠćć¾ć™ć€‚

ē’°å¢ƒ

ä»Šå›žć®ē’°å¢ƒćÆ态恓恔悉怂Ubuntu Linux 20.04 LTS恧恙怂

~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:        20.04
Codename:       focal


$ uname -srvmpio
Linux 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Install and start Vault

Install Vault.

$ curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
$ sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
$ sudo apt update
$ sudo apt install vault

今回ćÆ1.9.2ćŒć‚¤ćƒ³ć‚¹ćƒˆćƒ¼ćƒ«ć•ć‚Œć¾ć—ćŸć€‚

$ vault version
Vault v1.9.2 (f4c6d873e2767c0d6853b5d9ffc77b0d297bfbdf)

ć¾ćŸć€aptć§ć‚¤ćƒ³ć‚¹ćƒˆćƒ¼ćƒ«ć—ćŸćƒ•ć‚”ć‚¤ćƒ«ć«ćÆčØ­å®šćƒ•ć‚”ć‚¤ćƒ«ć‚„systemdć®ćƒ¦ćƒ‹ćƒƒćƒˆå®šē¾©ćƒ•ć‚”ć‚¤ćƒ«ć‚‚å…„ć£ć¦ć„ć‚‹ć®ć§ć€
今回ćÆ恓恔悉悒ä½æ恄恟恄ćØę€ć„ć¾ć™ć€‚

$ dpkg -L vault
/usr
/usr/bin
/usr/bin/vault
/etc
/etc/vault.d
/etc/vault.d/vault.env
/etc/vault.d/vault.hcl
/usr/lib
/usr/lib/systemd
/usr/lib/systemd/system
/usr/lib/systemd/system/vault.service

Enable and start it.

$ sudo systemctl enable vault
$ sudo systemctl start vault

Let's look at the log.

$ sudo journalctl -u vault --no-pager

An excerpt.

 1月 15 16:24:45 vault systemd[1]: Started "HashiCorp Vault - A tool for managing secrets".
 1月 15 16:24:45 vault vault[1638]: ==> Vault server configuration:
 1月 15 16:24:45 vault vault[1638]:                      Cgo: disabled
 1月 15 16:24:45 vault vault[1638]:               Go Version: go1.17.5
 1月 15 16:24:45 vault vault[1638]:               Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
 1月 15 16:24:45 vault vault[1638]:                Log Level: info
 1月 15 16:24:45 vault vault[1638]:                    Mlock: supported: true, enabled: true
 1月 15 16:24:45 vault vault[1638]:            Recovery Mode: false
 1月 15 16:24:45 vault vault[1638]:                  Storage: file
 1月 15 16:24:45 vault vault[1638]:                  Version: Vault v1.9.2
 1月 15 16:24:45 vault vault[1638]:              Version Sha: f4c6d873e2767c0d6853b5d9ffc77b0d297bfbdf
 1月 15 16:24:45 vault vault[1638]: ==> Vault server started! Log data will stream in below:
 1月 15 16:24:45 vault vault[1638]: 2022-01-15T16:24:45.526+0900 [INFO]  proxy environment: http_proxy="\"\"" https_proxy="\"\"" no_proxy="\"\""
 1月 15 16:24:45 vault vault[1638]: 2022-01-15T16:24:45.526+0900 [WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
 1月 15 16:24:45 vault vault[1638]: 2022-01-15T16:24:45.588+0900 [INFO]  core: Initializing VersionTimestamps for core

Let's look at the systemd unit file.

/etc/systemd/system/multi-user.target.wants/vault.service

[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
EnvironmentFile=/etc/vault.d/vault.env
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target

It is started with vault server -config.

$ vault server -config=[config file]

No environment variables were defined.

/etc/vault.d/vault.env




The configuration file looked like this.

/etc/vault.d/vault.hcl

# Full configuration options can be found at https://www.vaultproject.io/docs/configuration

ui = true

#mlock = true
#disable_mlock = true

storage "file" {
  path = "/opt/vault/data"
}

#storage "consul" {
#  address = "127.0.0.1:8500"
#  path    = "vault"
#}

# HTTP listener
#listener "tcp" {
#  address = "127.0.0.1:8200"
#  tls_disable = 1
#}

# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}

# Enterprise license_path
# This will be required for enterprise as of v1.8
#license_path = "/etc/vault.d/vault.hclic"

# Example AWS KMS auto unseal
#seal "awskms" {
#  region = "us-east-1"
#  kms_key_id = "REPLACE-ME"
#}

# Example HSM auto unseal
#seal "pkcs11" {
#  lib            = "/usr/vault/lib/libCryptoki2_64.so"
#  slot           = "0"
#  pin            = "AAAA-BBBB-CCCC-DDDD"
#  key_label      = "vault-hsm-key"
#  hmac_key_label = "vault-hsm-hmac-key"
#}

Displayed with the comments removed.

$ grep -v '^#' /etc/vault.d/vault.hcl

ui = true


storage "file" {
  path = "/opt/vault/data"
}



listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}


Read the default configuration file & disable SSL/TLS

Let's read through the default configuration file a bit.

This is the storage configuration.

Storage Backends - Configuration | Vault by HashiCorp

storage "file" {
  path = "/opt/vault/data"
}

It is configured to store data on the local filesystem.

Filesystem - Storage Backends - Configuration | Vault by HashiCorp

ꬔćÆ态ćƒŖć‚¹ćƒŠćƒ¼ć€‚8200ćƒćƒ¼ćƒˆć€0.0.0.0恫åÆ¾ć—ć¦ćƒć‚¤ćƒ³ćƒ‰ć•ć‚Œć¦ć„ć¾ć™ć€‚

Listeners - Configuration | Vault by HashiCorp

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}

It is configured to use TCP; at present Vault offers no other listener type.

TCP - Listeners - Configuration | Vault by HashiCorp

SSL/TLS appears to be enabled from the start. Looking closely at the installation output, it had generated a certificate and private key.

Generating Vault TLS key and self-signed certificate...
Generating a RSA private key
.........++++
...........++++
writing new private key to 'tls.key'
-----
Vault TLS key and self-signed certificate have been generated in '/opt/vault/tls'.

ć¾ćŸć€Web UIć‚‚ęœ‰åŠ¹ć«ćŖć£ć¦ć„ć¾ć™ć€‚

UI - Configuration | Vault by HashiCorp

ui = true

ćØ恓悍恧态VaultćÆćƒ‡ćƒ•ć‚©ćƒ«ćƒˆć§SSLļ¼TLSćŒęœ‰åŠ¹ćŖēŠ¶ę…‹ć€ćØć„ć†č©±ć§ć—ćŸć€‚

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}

ć“ć®ćŸć‚ć€ć‚¢ć‚Æć‚»ć‚¹ć™ć‚‹éš›ć«ćÆHTTPS恫ćŖć‚Šć¾ć™ć€‚

$ export VAULT_ADDR=https://localhost:8200

ćŖć®ć§ć™ćŒć€ćć®ć¾ć¾ć ćØčØ¼ę˜Žę›ø恧ć‚Øćƒ©ćƒ¼ć«ćŖć‚Šć¾ć™ć€‚

$ vault status
Error checking seal status: Get "https://localhost:8200/v1/sys/seal-status": x509: certificate is not valid for any names, but wanted to match localhost

You can skip the certificate check, but

$ vault status -tls-skip-verify
Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            1.9.2
Storage Type       file
HA Enabled         false

looking at the certificate's CN, matching it seemed a bit awkward...

$ sudo openssl x509 -text -noout -in /opt/vault/tls/tls.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:b7:cf:54:d5:cd:11:86:a4:53:e7:71:d9:11:8b:86:46:2e:ec:bc
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = HashiCorp, CN = Vault
        Validity
            Not Before: Jan  3 13:17:19 2022 GMT
            Not After : Jan  2 13:17:19 2025 GMT
        Subject: O = HashiCorp, CN = Vault

(snip)

You could just make the server name vault, though.

$ sudo curl --cacert /opt/vault/tls/tls.crt https://vault:8200/v1/sys/seal-status
{"type":"shamir","initialized":false,"sealed":true,"t":0,"n":0,"progress":0,"nonce":"","version":"1.9.2","migration":false,"recovery_seal":false,"storage_type":"file"}

ćŸć ć€ćƒ­ćƒ¼ć‚«ćƒ«ć§åå‰č§£ę±ŗ恧恍悋ēŠ¶ę…‹ć ćØvaultć‚³ćƒžćƒ³ćƒ‰ć§ćÆć”ć‚‡ć£ćØé›£ć—ć„ć®ć§

$ sudo vault status -ca-cert=/opt/vault/tls/tls.crt -tls-server-name=vault

今回ćÆtls_disable悒true恫恗恦SSLļ¼TLS悒ē„”åŠ¹ć«ć™ć‚‹ć“ćØć«ć—ć¾ć—ćŸć€‚

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_disable   = "true"
  #tls_cert_file = "/opt/vault/tls/tls.crt"
  #tls_key_file  = "/opt/vault/tls/tls.key"
}

Restart Vault with this

$ sudo systemctl restart vault

and it becomes accessible over HTTP.

$ export VAULT_ADDR=http://localhost:8200

Check.

$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            1.9.2
Storage Type       file
HA Enabled         false

Sealļ¼Unseal

恧ćÆ态Vault悒ä½æć£ć¦ć„ććŸć„ć®ć§ć™ćŒć€é–‹ē™ŗćƒ¢ćƒ¼ćƒ‰ć®ę™‚ćÆćć®ć¾ć¾ć§ć‚‚ć‚¢ć‚Æć‚»ć‚¹ć§ćć¾ć—ćŸć€‚

今回ćÆ恩恆ćŖ恮恧恗悇恆ļ¼Ÿć‚¢ć‚Æć‚»ć‚¹ć—ć¦ćæ悋ćØ态怌Vault is sealed怍ćØčØ€ć‚ć‚Œę‹’å¦ć•ć‚Œć¾ć™ć€‚

$ vault secrets list
Error listing secrets engines: Error making API request.

URL: GET http://localhost:8200/v1/sys/mounts
Code: 503. Errors:

* Vault is sealed

ć‚ć‚‰ćŸć‚ć¦vault status悒見悋ćØ态Initialized恌false态Sealed恌true恫ćŖć£ć¦ć„ć¾ć™ć€‚

$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            1.9.2
Storage Type       file
HA Enabled         false

å‰ć®ć‚Øćƒ³ćƒˆćƒŖćƒ¼ļ¼ˆVault 1.9.1恧恙恌ļ¼‰ć§ćÆ态恠恄恶č”Øē¤ŗćŒé•ć„ć¾ć—ćŸć€‚ć€ŒUnseal怜怍ćØ恄恆項ē›®ć‚‚ć‚ć‚Šć¾ć›ć‚“ć­ć€‚

$ vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.9.1
Storage Type    inmem
Cluster Name    vault-cluster-5df6d588
Cluster ID      f82dde5c-7ecc-5e71-d7ba-f7b51c72f17e
HA Enabled      false

Here, let's look into the word "Seal". It is described here.

Seal/Unseal | Vault by HashiCorp

Seal could be translated into Japanese as 封印 and its counterpart Unseal as 開封, but this time I'll leave them as "Seal" and "Unseal".

According to the documentation, Seal/Unseal is roughly as follows.

  • When Vault starts it is in a Sealed state, and almost nothing can be done with it as-is
    • Checking the status is possible
  • Unsealing is the process of obtaining the master key needed to read the encryption key that decrypts the data, and thereby gaining access to Vault
    • Unseal is done with the vault operator unseal command or via the API
  • To return to a Sealed state, do one of the following (or one of these situations occurs)
    • Seal it again via the API
    • Restart Vault
    • An unrecoverable error occurs in Vault's storage

That's roughly what the documentation says.

The key handling is still a bit unclear, though.

Why is Seal/Unseal needed?

Data stored in Vault is encrypted, and decrypting it requires an encryption key. That encryption key is also stored alongside the data (in the keyring), but it is encrypted with a separate key called the "master key".

In other words, decrypting the data requires the encryption key, but using the encryption key requires decrypting it with the master key.

Seal/Unseal / Why?

Reading further into this section...

  • Vault's data is stored encrypted with the (keyring's) encryption key
  • The keyring is encrypted with the master key
  • Unseal is the process of gaining access to the master key

That seems to be the story. On top of that, the master key is itself encrypted with yet another key, the Unseal key.

So three keys are involved in decrypting the data.

Unseal key

The term "Unseal key" has come up.

By default, Vault apparently uses what is called a "Shamir seal".

Seal/Unseal / Shamir seals

Come to think of it, "Seal Type", one of the items shown by vault status, displayed shamir.

$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true

怜ēœē•„怜

Shamir seal恧ćÆć€ć²ćØ恤恮Unsealć‚­ćƒ¼ć‚’ć€ŒShamir's Secret Sharing怍ćØć„ć†ć‚¢ćƒ«ć‚“ćƒŖć‚ŗćƒ ć§åˆ†å‰²ć—ć€ć‚­ćƒ¼ć‚’ć‚·ćƒ£ćƒ¼ćƒ‰ć«åˆ†å‰²ć—ć¾ć™ć€‚

Shamir's Secret Sharing - Wikipedia

ć“ć®ć‚¢ćƒ«ć‚“ćƒŖć‚ŗ惠恧ćÆ态Unsealć‚­ćƒ¼ć‚’å†ę§‹ēÆ‰ć™ć‚‹ćŸć‚ć«ćÆć—ćć„å€¤ä»„äøŠć®ć‚·ćƒ£ćƒ¼ćƒ‰ć‚’ęƒćˆć‚‹ć“ćØć§ćƒžć‚¹ć‚æćƒ¼ć‚­ćƒ¼ć‚’å¾©å·ć§ćć¾ć™ć€‚
恓悌恌Unsealćƒ—ćƒ­ć‚»ć‚¹ć«ćŖć‚Šć¾ć™ć­ć€‚
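To make the three-key chain described above (data encrypted with the keyring key, the keyring wrapped by the master key, the master key wrapped by the Unseal key) and the Shamir split concrete, here is a toy model added for this post; it is not Vault's code. It splits an Unseal key into 5 shares with threshold 3, the same numbers `vault operator init` reports later, rebuilds the key from any 3 shares and walks the chain down to the data. Everything in it is an assumption made for the example: the prime field (Vault's own implementation splits byte-wise over GF(2^8)), the SHA-256 XOR keystream standing in for the AES-GCM Vault actually uses, and the `seal_vault`/`unseal_vault` names.

```python
"""Toy model of Vault's seal key chain and the Shamir split of the unseal key.
Added example for this post, not Vault's code: the prime field, the SHA-256
XOR keystream (standing in for Vault's AES-GCM) and every name are constructed."""
import hashlib
import secrets

# Shamir's Secret Sharing is done here over the prime field GF(2**127 - 1)
# because the arithmetic stays short; the splitting principle is the same
# whatever field is used.
PRIME = 2 ** 127 - 1


def shamir_split(secret, shares, threshold):
    """Evaluate a random polynomial of degree threshold-1 with constant term
    `secret` at x = 1..shares. Any `threshold` points fix the polynomial and
    so the secret; fewer leave every secret value equally likely."""
    if not 1 <= threshold <= shares or not 0 <= secret < PRIME:
        raise ValueError("need 1 <= threshold <= shares and 0 <= secret < PRIME")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def poly(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, poly(x)) for x in range(1, shares + 1)]


def shamir_combine(points):
    """Lagrange interpolation at x = 0 recovers the constant term."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def toy_cipher(key, data):
    """XOR `data` with a SHA-256(key || counter) keystream. Symmetric, so the
    same call decrypts. Stand-in only: it has no integrity protection."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], stream))
    return bytes(out)


def seal_vault(data, shares=5, threshold=3):
    """Build the chain the docs describe: data is encrypted with the keyring
    key, the keyring with the master key, the master key with the unseal key,
    and the unseal key is handed out only as Shamir shares. Returns what sits
    in storage plus the shares an operator would receive from `operator init`."""
    keyring_key = secrets.token_bytes(32)
    master_key = secrets.token_bytes(32)
    unseal_key = secrets.randbelow(PRIME).to_bytes(16, "big")  # fits the field
    storage = {
        "data": toy_cipher(keyring_key, data),
        "keyring": toy_cipher(master_key, keyring_key),
        "master": toy_cipher(unseal_key, master_key),
    }
    key_shares = shamir_split(int.from_bytes(unseal_key, "big"), shares, threshold)
    return storage, key_shares


def unseal_vault(storage, provided_shares):
    """The unseal process: rebuild the unseal key from the shares handed in,
    then unwrap master key -> keyring key -> data. With too few shares the
    rebuilt key is wrong and the output is noise, not an error."""
    unseal_key = shamir_combine(provided_shares).to_bytes(16, "big")
    master_key = toy_cipher(unseal_key, storage["master"])
    keyring_key = toy_cipher(master_key, storage["keyring"])
    return toy_cipher(keyring_key, storage["data"])


if __name__ == "__main__":
    storage, key_shares = seal_vault(b"hello=world")   # 5 shares, threshold 3
    print(unseal_vault(storage, [key_shares[0], key_shares[2], key_shares[4]]))
    print(unseal_vault(storage, key_shares[:2]) == b"hello=world")  # False
```

Note what `Threshold` buys: two shares interpolate to some value, but not the right one, and nothing in the output tells you how close you are. That is why the real `vault operator init` warning says the server stays permanently sealed without a quorum of shares.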

Vaultć‚µćƒ¼ćƒćƒ¼ć‚’åˆęœŸåŒ–ć€Unseal恗恦ćæ悋

ꖇē« ć ć‘恠ćØ态悈恏悏恋悉ćŖ恏ćŖć£ć¦ćć¾ć™ć­ć€‚
具体ēš„ćŖć‚³ćƒžćƒ³ćƒ‰ć§ć„ććØ态vault operator initćØć„ć†ć‚³ćƒžćƒ³ćƒ‰ć‚’å®Ÿč”Œć™ć‚‹ćØ态5恤恮Unsealć‚­ćƒ¼ćŒč”Øē¤ŗć•ć‚Œć¾ć™ć€‚

~$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        false
Sealed             true
Total Shares       0
Threshold          0
Unseal Progress    0/0
Unseal Nonce       n/a
Version            1.9.2
Storage Type       file
HA Enabled         false
vagrant@vault:~$ vault operator init
Unseal Key 1: QfLh5avL2PQsN7GhqL/6n95Cwd1i+t3bdn1tHIYVSv/4
Unseal Key 2: CbVDQTJqz7oG9Y666TPPlO13tZ+agG3zT/6IONoTQ4FP
Unseal Key 3: fPhXaJ4JSe0iwiRNiJP6OT9GiMyjEC2LV+Y+H44ofCTt
Unseal Key 4: 1UojewNxJ+Wvkc2j9wmLYwwfMSuEatsyyBAEESRzvzNW
Unseal Key 5: O8KMjcyY7zgbsSyfAaYSuv/dkVer3ffw+EyChGHRD0CD

Initial Root Token: s.S2VOE3cCpoQHS4HCFwhF2r2M

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 keys to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

vault operator init is the command that initializes Vault; it can be run only once against a Vault server (even in a cluster configuration).

operator init - Command | Vault by HashiCorp

Now let's look at vault status. Initialized has become true.

$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    0/3
Unseal Nonce       n/a
Version            1.9.2
Storage Type       file
HA Enabled         false

ć¾ćŸć€ŒTotal Shares怍恌5恫ćŖ悊态怌Threshold怍ćÆ3恧恙恌态恓悌ćÆć‚·ćƒ£ćƒ¼ćƒ‰åˆ†å‰²ć•ć‚ŒćŸUnsealć‚­ćƒ¼ć®ę•°ćØ态Unsealć™ć‚‹ćŸć‚ć«åæ…要ćŖć—ćć„å€¤ć‚’
č”Øć—ć¾ć™ć€‚

ćØ恓悍恧怌Initial Root Token怍ćØć„ć†ć‚‚ć®ćŒč”Øē¤ŗć•ć‚Œć¦ć„ć¾ć—ćŸćŒć€ćƒˆćƒ¼ć‚Æćƒ³ćÆćƒ­ć‚°ć‚¤ćƒ³ć«ä½æć„ć¾ć™ć€‚ć§ć™ćŒć€ć“ć‚ŒćÆć¾ć ä½æćˆć¾ć›ć‚“ć€‚

$ vault login
Token (will be hidden): 
Error authenticating: error looking up token: Error making API request.

URL: GET http://localhost:8200/v1/auth/token/lookup-self
Code: 503. Errors:

* Vault is sealed

First, Unseal is required.

You can Unseal with the vault operator unseal command.

operator unseal - Command | Vault by HashiCorp

Since Threshold is 3, you need to run the command three times, entering a different Unseal key each time.

### Unseal key #1
$ vault operator unseal
Unseal Key (will be hidden): 
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       76855916-6be6-89b5-ff8c-5d9bbe7dd338
Version            1.9.2
Storage Type       file
HA Enabled         false


### Unseal key #2
$ vault operator unseal
Unseal Key (will be hidden): 
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    2/3
Unseal Nonce       76855916-6be6-89b5-ff8c-5d9bbe7dd338
Version            1.9.2
Storage Type       file
HA Enabled         false


### Unseal key #3
$ vault operator unseal
Unseal Key (will be hidden): 
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.9.2
Storage Type    file
Cluster Name    vault-cluster-e56ee300
Cluster ID      90e7380d-2ef4-3eb9-f254-f52053fdd042
HA Enabled      false

The vault status output is shown on each run, so you can watch the Unseal process progress.

After the third Unseal key is entered, "Sealed" becomes false, meaning the Unseal succeeded.
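The three `vault operator unseal` runs above are three `PUT /v1/sys/unseal` calls carrying one share each, answered with the same JSON that `/v1/sys/seal-status` returned earlier (`sealed`, `t`, `n`, `progress`, `nonce`). Here is an added Python example, written for this post and not part of Vault or this blog, that drives that exchange and also classifies the status the way a monitoring check would. `http_transport`, `classify`, `unseal` and the `FakeVault` stand-in are names and behaviour I made up for the example; the endpoint paths and JSON field names are the ones Vault's API uses.

```python
"""Unseal a Vault server through its HTTP API and report seal health.
Added example for this post; the endpoint paths and JSON fields are Vault's,
the helper names and the FakeVault stand-in are constructed for the example."""
import json
import urllib.request


def http_transport(base_url):
    """Real transport: send JSON to a Vault server, e.g. http://localhost:8200."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    return send


def seal_status(send):
    """GET /v1/sys/seal-status works even while sealed (it needs no token)."""
    return send("GET", "/v1/sys/seal-status")


def classify(status):
    """One-word state for a monitoring check: a server that is sealed or not
    initialized cannot serve secrets, so both should raise an alert."""
    if not status.get("initialized"):
        return "uninitialized"
    if status.get("sealed"):
        return "sealed"
    return "unsealed"


def unseal(send, key_shares):
    """Submit key shares one per request until `sealed` flips to false.
    Returns the progress strings seen while sealed (e.g. "1/3") and the final
    status. Raises if the attempt nonce changes mid-way (the attempt was reset,
    so the earlier shares no longer count) or if the shares run out."""
    status = seal_status(send)
    if classify(status) != "sealed":
        return [], status
    nonce = status.get("nonce", "")
    history = []
    for share in key_shares:
        status = send("PUT", "/v1/sys/unseal", {"key": share})
        if not status["sealed"]:
            return history, status
        if nonce and status["nonce"] != nonce:
            raise RuntimeError("unseal nonce changed; the attempt was reset")
        nonce = status["nonce"]
        history.append("%d/%d" % (status["progress"], status["t"]))
    raise RuntimeError("still sealed after %d share(s), progress %s"
                       % (len(key_shares), history[-1] if history else "0/?"))


class FakeVault:
    """Constructed stand-in for a Vault server (threshold 3 of 5 by default)
    so the flow can be exercised offline; it is not Vault."""
    def __init__(self, valid_shares, threshold=3):
        self.valid = set(valid_shares)
        self.threshold = threshold
        self.submitted = set()
        self.sealed = True

    def status(self):
        in_progress = self.sealed and bool(self.submitted)
        return {"type": "shamir", "initialized": True, "sealed": self.sealed,
                "t": self.threshold, "n": len(self.valid),
                "progress": len(self.submitted) if self.sealed else 0,
                "nonce": "constructed-nonce" if in_progress else "",
                "version": "1.9.2", "storage_type": "file"}

    def __call__(self, method, path, body=None):
        if (method, path) == ("GET", "/v1/sys/seal-status"):
            return self.status()
        if (method, path) == ("PUT", "/v1/sys/unseal"):
            if body["key"] not in self.valid:
                raise ValueError("invalid unseal key share")
            self.submitted.add(body["key"])
            if len(self.submitted) >= self.threshold:
                self.sealed = False
            return self.status()
        raise ValueError("unexpected request %s %s" % (method, path))


if __name__ == "__main__":
    fake = FakeVault(["share-1", "share-2", "share-3", "share-4", "share-5"])
    print(classify(seal_status(fake)))                          # sealed
    print(unseal(fake, ["share-1", "share-2", "share-3"])[0])   # ['1/3', '2/3']
    # Against a real server: unseal(http_transport("http://localhost:8200"), shares)
```

The nonce check is the part worth keeping in real tooling: Vault reports the same nonce across one unseal attempt (as the three runs above show), so a different nonce means the attempt was restarted and the progress count no longer includes the shares already sent.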

Accessing Vault still gives an error, but it no longer says "Vault is sealed".

$ vault secrets list
Error listing secrets engines: Error making API request.

URL: GET http://localhost:8200/v1/sys/mounts
Code: 403. Errors:

* permission denied

What's needed next is "authentication (login)".

Incidentally, to Seal again you apparently run the vault operator seal command,

operator seal - Command | Vault by HashiCorp

but it seems this can't be run without being authenticated.

$ vault operator seal
Error sealing: Error making API request.

URL: PUT http://localhost:8200/v1/sys/seal
Code: 403. Errors:

* permission denied

Auto Unseal

We've confirmed that Unseal works, but this Unseal process is also cumbersome.

Seal/Unseal / Auto Unseal

Vault恧ćÆć€ćƒ¦ćƒ¼ć‚¶ćƒ¼ćŒäæ”é ¼ć™ć‚‹ćƒ‡ćƒć‚¤ć‚¹ć‚„ć‚µćƒ¼ćƒ“ć‚¹ć«Unsealć‚­ćƒ¼ć‚’äæč­·ć™ć‚‹č²¬ä»»ć‚’å§”č­²ć§ćć¾ć™ć€‚ćć®ć‚ˆć†ć«Vaultć‚’ę§‹ęˆć—ć¦ć„ć‚‹å “åˆćÆ态
VaultćÆčµ·å‹•ę™‚ć«åÆ¾č±”ć®ćƒ‡ćƒć‚¤ć‚¹ć¾ćŸćÆć‚µćƒ¼ćƒ“ć‚¹ć«ć‚¢ć‚Æć‚»ć‚¹ć—ć¦ć€ć‚¹ćƒˆćƒ¬ćƒ¼ć‚ø恋悉čŖ­ćæå–ć£ćŸćƒžć‚¹ć‚æćƒ¼ć‚­ćƒ¼ć‚’å¾©å·ć™ć‚‹ć‚ˆć†ć«å‹•ä½œć—ć¾ć™ć€‚

恓悌悒Auto UnsealćØå‘¼ć¶ćæ恟恄恧恙怂

ć“ć®ćƒ—ćƒ­ć‚»ć‚¹ć§åˆ©ē”Øć§ćć‚‹ćƒ‡ćƒć‚¤ć‚¹ć‚„ć‚µćƒ¼ćƒ“ć‚¹ćÆ态恓恔悉恫ćƒŖć‚¹ćƒˆć‚¢ćƒƒćƒ—ć•ć‚Œć¦ć„ć¾ć™ć€‚AWS KMS态Azure Key Vault态GCP Cloud KMSćŖć©ćŒ
利ē”Ø恧恍悋ćæ恟恄恧恙怂

Seals - Configuration | Vault by HashiCorp

恓恮čØ­å®šćŒę§‹ęˆć•ć‚Œć¦ć„ćŖć„å “åˆćÆ态Shamir Sealć‚¢ćƒ«ć‚“ćƒŖć‚ŗ惠恌ä½æ悏悌悋恓ćØćŖć‚Šć¾ć™ć€‚

Shamir Seal恧ćÆVaultć‚’ę“ä½œć™ć‚‹ć®ć«Unsealć‚­ćƒ¼ćŒåæ…要恫ćŖć‚Šć¾ć™ćŒć€Auto Unseal悒ä½æć†å “åˆć«ćÆćƒŖć‚«ćƒćƒŖćƒ¼ć‚­ćƒ¼ćØć„ć†ć€ć¾ćŸåˆ„ć®ć‚­ćƒ¼ćŒ
åæ…要恫ćŖć‚Šć¾ć™ć€‚
恓恮ćƒŖć‚«ćƒćƒŖćƒ¼ć‚­ćƒ¼ćÆ态Auto Unseal悒ä½æć†ć‚ˆć†ć«čØ­å®šć•ć‚ŒćŸVaultć®åˆęœŸåŒ–ę™‚ć«ē”Ÿęˆć•ć‚Œć¾ć™ć€‚

Shamir Seal悒ä½æē”Øć—ćŸå “åˆć«ćÆVaultć®åˆęœŸåŒ–ć§ć‚·ćƒ£ćƒ¼ćƒ‰åŒ–ć•ć‚ŒćŸUnsealć‚­ćƒ¼ćŒē”Ÿęˆć•ć‚Œć¾ć—ćŸćŒć€ć“ć®ä»£ć‚ć‚Šć«ćŖ悋悈恆恧恙怂

今回ćÆ态Auto UnsealćÆę‰±ć„ć¾ć›ć‚“ć€‚

Vault恮čŖčØ¼ć«ć¤ć„ć¦

恧ćÆ态ē¶šć„恦ćÆčŖčØ¼ć®č©±ć«é€²ć‚“ć§ćæć¾ć—ć‚‡ć†ć€‚

Authentication | Vault by HashiCorp

To use Vault you need to authenticate. Authenticating generates a token, a concept similar to a session ID in a web application.

Tokens may also have policies attached.

Policies | Vault by HashiCorp

Vault supports multiple auth methods.

Auth Methods | Vault by HashiCorp

Auth methods include ones intended for users (humans) and ones intended for machines. Auth methods also have to be enabled in advance.

Like Secrets Engines, auth methods are mapped to paths.

Here are some of the auth methods.

  • AWS (IAM, EC2)
  • Azure AD
  • GCP (IAM, GCE)
  • GitHub Personal Token
  • JWT/OIDC
  • LDAP
  • Token
  • SSL/TLS client certificate
  • Username/password
  • and so on

Token is a built-in auth method and is enabled automatically. Also, a token is generated when you authenticate.

Authentication has the concept of a lease, so periodic re-authentication seems to be required.

Authentication / Auth Leases

About tokens

The documentation on tokens is here.

Tokens | Vault by HashiCorp

As of Vault 1.0, there are two kinds of token: service tokens and batch tokens.

Tokens / Token Types in Detail

ć¾ćŸć€ćƒˆćƒ¼ć‚Æćƒ³ć«ćÆćƒˆćƒ¼ć‚Æćƒ³ć‚¢ć‚Æć‚»ćƒƒć‚µćƒ¼ć‚„

Tokens / Token Accessors

a time-to-live.

Tokens / Token Time-To-Live, Periodic Tokens, and Explicit Max TTLs

The TTL is 32 days by default, but it can be set via the mount API or by the auth method issuing the token. There are also tokens without a TTL, for periodic use.

Root tokens

A root token has the root policy attached and can do anything. It is also the only kind of token that never expires without being renewed.

Tokens / Root Tokens

Creating a root token is hard; the following are the ways to create one.

  • The initial root token generated by vault operator init
  • Create another root token
    • A root token with a TTL cannot create a root token without a TTL
  • Enter at least the threshold number of Unseal keys and run vault operator generate-root

operator init - Command | Vault by HashiCorp

operator generate-root - Command | Vault by HashiCorp

What was displayed right after vault operator init was the initial root token.

Initial Root Token: s.S2VOE3cCpoQHS4HCFwhF2r2M

Naturally, root tokens must be handled with great care, especially in production.

Token hierarchies and orphan tokens

Tokens form a hierarchy: when the holder of a token creates another token, the new one is treated as a "child" token. The tokens are linked, so when the parent token is revoked, its child tokens are revoked too.

Tokens / Token Hierarchies and Orphan Tokens

However, if you create a token tree with no expiry, users can no longer avoid revocation.

To avoid this behavior, you can create what is called an orphan token. This is an independent token and is the root of its own token tree.

Service tokens and batch tokens

The differences between service tokens and batch tokens are described here.

Tokens / Token Types in Detail

Service tokens are the normal kind; batch tokens are lighter and more scalable than service tokens, but are said to be less functional and flexible than service tokens.

Try logging in to Vault

Writing out explanations only makes this harder to follow, so let's actually authenticate (log in).

To log in to Vault, use vault login.

$ vault login

ć“ć®ę™‚ć€ćƒˆćƒ¼ć‚Æćƒ³ćŒę±‚ć‚ć‚‰ć‚Œć‚‹ć®ć§ć“ć®ę™‚ē‚¹ć§ćÆćƒ«ćƒ¼ćƒˆćƒˆćƒ¼ć‚Æćƒ³ć‚’å…„åŠ›ć—ć¾ć—ćŸć€‚

Token (will be hidden):

The result. The TTL is infinite.

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.S2VOE3cCpoQHS4HCFwhF2r2M
token_accessor       DoRDfHwPjGOCttoIV2wMcojl
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

ć¾ćŸć€vault loginč‡Ŗä½“ć«ćƒˆćƒ¼ć‚Æćƒ³ć‚’ē›“ęŽ„ęŒ‡å®šć™ć‚‹ć“ćØ悂恧恍悋ćæ恟恄恧恙怂

$ vault login s.S2VOE3cCpoQHS4HCFwhF2r2M

čŖčØ¼ę–¹ę³•ć‚’ę˜Žē¤ŗēš„ć«ęŒ‡å®šć—ć¦ć‚‚OK恧恙怂

$ vault login -method=token
Token (will be hidden):

čŖčØ¼ć«ęˆåŠŸć™ć‚‹ćØ态Vaultć«ć‚¢ć‚Æć‚»ć‚¹ć§ćć‚‹ć‚ˆć†ć«ćŖć‚Šć¾ć™ć€‚

$ vault secrets list
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_9245d6a2    per-token private secret storage
identity/     identity     identity_07b32f9a     identity store
sys/          system       system_effe65a9       system endpoints used for control, policy and debugging

Check token information

To check a token's information, vault token lookup seems to be the way.

token lookup - Command | Vault by HashiCorp

$ vault token lookup s.S2VOE3cCpoQHS4HCFwhF2r2M
Key                 Value
---                 -----
accessor            DoRDfHwPjGOCttoIV2wMcojl
creation_time       1642231861
creation_ttl        0s
display_name        root
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0s
id                  s.S2VOE3cCpoQHS4HCFwhF2r2M
meta                <nil>
num_uses            0
orphan              true
path                auth/token/root
policies            [root]
ttl                 0s
type                service

There's still a lot more to look at about tokens, but chasing it further would never end, so I'll stop here this time.

Operate Vault

Being logged in with the root token, we can now operate Vault. Let's try it a bit.

Enable the Key/Value Secrets Engine v1.

KV - Secrets Engines | Vault by HashiCorp

$ vault secrets enable -path=kv kv

Store data.

$ vault kv put kv/key1 hello=world
Success! Data written to: kv/key1

Read data.

$ vault kv get kv/key1
==== Data ====
Key      Value
---      -----
hello    world

Since storage is configured, even after restarting Vault

$ sudo systemctl restart vault

the data is still there.

$ vault kv get kv/key1
==== Data ====
Key      Value
---      -----
hello    world

ćŸć ć€å†čµ·å‹•ć™ć‚‹ćØSealedćŖēŠ¶ę…‹ć«ęˆ»ć£ć¦ć—ć¾ć†ć®ć§ć€Vaultć‚’ę“ä½œć™ć‚‹å‰ć«å†åŗ¦Unsealć®ćƒ—ćƒ­ć‚»ć‚¹ćØćƒ­ć‚°ć‚¤ćƒ³ćŒåæ…要恫ćŖć‚Šć¾ć™ćŒć€‚

$ vault operator unseal
$ vault operator unseal
$ vault operator unseal
$ vault login

Seal Vault

Finally, let's return Vault to the Sealed state. Though it already went back to Sealed once when we restarted it earlier.

To Seal it from the command line, use vault operator seal.

operator seal - Command | Vault by HashiCorp

$ vault operator seal
Success! Vault is sealed

Now Vault's functions can no longer be used.

$ vault secrets list
Error listing secrets engines: Error making API request.

URL: GET http://localhost:8200/v1/sys/mounts
Code: 503. Errors:

* Vault is sealed

Login is also no longer possible.

$ vault login
Token (will be hidden): 
Error authenticating: error looking up token: Error making API request.

URL: GET http://localhost:8200/v1/auth/token/lookup-self
Code: 503. Errors:

* Vault is sealed

Only the status is still visible.

$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    0/3
Unseal Nonce       n/a
Version            1.9.2
Storage Type       file
HA Enabled         false

ć“ć“ć‹ć‚‰å†åŗ¦ę“ä½œć§ćć‚‹ć‚ˆć†ć«ć™ć‚‹ćŸć‚ć«ćÆ态vault operator unseal恧Unsealćƒ—ćƒ­ć‚»ć‚¹ć‚’č”Œć†ć“ćØ恫ćŖć‚Šć¾ć™ć€‚

ć¾ćØ悁

今回ćÆ态äø»ć«Vault恮Sealļ¼Unseal恫恤恄恦ē¢ŗčŖć—恦ćæć¾ć—ćŸć€‚

ćƒˆćƒ¼ć‚Æćƒ³ć«ć¾ć§čøćæč¾¼ć‚‚ć†ćØę€ć£ćŸć®ć§ć™ćŒć€ęƒ…å ±é‡ćŒå¤šćć†ć§ēµ‚ć‚ć‚‰ćŖ恏ćŖć‚Šćć†ć ć£ćŸć®ć§ć€ä»Šå›žćÆåŒŗåˆ‡ć‚Šć¾ć—ćŸć€‚
恓恔悉恫恤恄恦ćÆć€ć¾ćŸę™‚é–“ć‚’ē½®ć„恦恋悉怂

Sealļ¼Unseal恫恤恄恦ćÆ态Tutorialć‚’č¦‹ć¦ć„ć¦ć€Œć©ć†ć„ć†ć“ćØ恠悍恆ļ¼Ÿć€ćØę€ć£ć¦ć„ćŸć®ć§ć€ćć‚ŒćŖ悊恫Ꙃ間悒恋恑恦見恦ćæ恦č‰Æć‹ć£ćŸć‹ćŖćØ
ę€ć„ć¾ć™ć€‚