I. Notes:
Available MySQL plugins (per the official docs they differ only in the maximum username/password lengths each target accepts, so pick the one matching your server):
mysql-database-plugin
mysql-aurora-database-plugin
mysql-rds-database-plugin
mysql-legacy-database-plugin
II. Deployment steps
1. Start a MySQL instance:
docker run --name mysql -v /data/mysql:/var/lib/mysql -p 3306:3306 -e MYSQL_ROOT_PASSWORD=123456 -d mysql:latest
The database is now up and usable. This is a lab setup only: root with a trivial password is published on port 3306 of every host interface, so do not reuse it outside a test box.
2. Enable the database secrets engine
vault secrets enable database
3. Write the database connection configuration (allowed_roles restricts which roles may use this connection; the username/password are what Vault itself uses to create and drop the dynamic users):
vault write database/config/my-mysql-database \
plugin_name=mysql-database-plugin \
connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \
allowed_roles="my-role" \
username="root" \
password="123456"
Once this succeeds, rotate the root password with `vault write -f database/rotate-root/my-mysql-database` so that only Vault knows it and the value from the docker command above stops working.
4. Base64-encode the statement that creates the dynamic user ({{name}} and {{password}} are filled in by Vault at issue time; the base64 step is optional, the role also accepts the plain semicolon-separated SQL):
echo -n "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON *.* TO '{{name}}'@'%';" | base64
Q1JFQVRFIFVTRVIgJ3t7bmFtZX19J0AnJScgSURFTlRJRklFRCBCWSAne3twYXNzd29yZH19JzsgR1JBTlQgU0VMRUNUIE9OICouKiBUTyAne3tuYW1lfX0nQCclJzs=
5. Configure the role (the original ran this as two separate lines; the arguments must be one command, hence the line continuations). default_ttl is the initial lease, max_ttl the hard ceiling renewals can never exceed:
vault write database/roles/my-role \
db_name=my-mysql-database \
creation_statements="Q1JFQVRFIFVTRVIgJ3t7bmFtZX19J0AnJScgSURFTlRJRklFRCBCWSAne3twYXNzd29yZH19JzsgR1JBTlQgU0VMRUNUIE9OICouKiBUTyAne3tuYW1lfX0nQCclJzs=" \
default_ttl="1h" \
max_ttl="2h"
Success! Data written to: database/roles/my-role
6. Read the creds path to obtain a username/password credential (every read creates a new MySQL user with its own lease):
[root@test132 ~]# vault read database/creds/my-role
Key                Value
---                -----
lease_id           database/creds/my-role/HjpLVqzbvKBK59WPmNdFS1qP
lease_duration     1h
lease_renewable    true
password           s3fixHVVHNqrA-cdXO5Q
username           v-root-my-role-xrGlzStUOEpfy3fhu
7. Test the login with the returned username and password. The user has only the SELECT on *.* granted by the creation statement; scope the GRANT to the specific database an application needs rather than *.* in real deployments.

III. Create a token that is allowed to generate and fetch credentials
1. Create the policy (generating a credential is a read on the creds path, so "read" alone is sufficient; the "update" the original also granted is not needed):
vault policy write mysql-clients -<<EOF
path "database/creds/my-role" {
capabilities = [ "read" ]
}
# Recommended: list all dynamic and static roles
path "database/roles" {
capabilities = [ "list" ]
}
path "database/static-roles" {
capabilities = [ "list" ]
}
EOF
2. Create the token (it also carries the built-in default policy, which lets it look up and renew its own leases but not revoke them; the token value is printed in the output)
vault token create -policy=mysql-clients -ttl=8h

3. Log in to the web UI with that token

4. Fetch the newly generated credentials and copy them immediately: Vault does not store or re-display a dynamic password, so the only recovery is to generate a new one.
Note: logging in to MySQL fails with:
[root@test132 ~]# mysql -h 127.0.0.1 -P 3306 -uroot -p123456
ERROR 2059 (HY000): Authentication plugin 'caching_sha2_password' cannot be loaded: /usr/lib64/mysql/plugin/caching_sha2_password.so: cannot open shared object file: No such file or directory
Cause: the client is older than MySQL 8.0 (or is a MariaDB client) and does not ship caching_sha2_password, the default authentication plugin of the mysql:latest image. Workaround used here, switching root back to the old plugin:
ALTER USER 'root'@'%' IDENTIFIED BY '123456' PASSWORD EXPIRE NEVER;
ALTER USER 'root'@'%' IDENTIFIED WITH mysql_native_password BY '123456';
FLUSH PRIVILEGES;
Caveats: this only changes root. Users created by Vault take the server's default plugin (caching_sha2_password), so the same client will still fail against a dynamic user unless the role's creation statement says `IDENTIFIED WITH mysql_native_password BY '{{password}}'`. mysql_native_password is the weaker, deprecated scheme (disabled by default in MySQL 8.4), so the better fix is to install a MySQL 8 client. FLUSH PRIVILEGES is also unnecessary after ALTER USER; it only matters when the grant tables are edited directly.
Other operations:
List all current leases for the role (the IDs returned are the suffix after database/creds/my-role/):
vault list sys/leases/lookup/database/creds/my-role
LEASE_ID=$(vault list -format=json sys/leases/lookup/database/creds/my-role | jq -r ".[0]")
Renew (extends the lease, but never beyond the role's max_ttl, 2h here; once that ceiling is reached the only option is to read a new credential):
vault lease renew database/creds/my-role/$LEASE_ID
Revoke the lease (the role defines no revocation_statements, so the plugin's default DROP USER runs and the MySQL user disappears immediately instead of at expiry):
vault lease revoke database/creds/my-role/$LEASE_ID
Revoke a lease without waiting for it to expire, using the full lease_id returned by vault read above (add -prefix to revoke every lease under the path at once, e.g. when rotating the root password):
vault lease revoke database/creds/my-role/HjpLVqzbvKBK59WPmNdFS1qP
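The page reads a credential once (step 6) and renews or revokes it by hand (the lease commands above); an application has to do both automatically and decide when renewal is no longer enough. The example below is added here and is not code from the page or from HashiCorp: it is a small client for the three Vault HTTP endpoints the CLI commands above call (GET database/creds/my-role, PUT sys/leases/renew, PUT sys/leases/revoke) whose refresh() renews while Vault still grants a minimum TTL and, once renewals are capped by the role's 2h max_ttl, reads a fresh credential and revokes the superseded lease so the old MySQL user is dropped. FakeVault is a constructed stand-in for those endpoints, written only so the block runs offline; the role name my-role and the 1h/2h TTLs are taken from the page, the username format and min_ttl are assumptions.

```python
"""Lease-aware use of Vault MySQL dynamic credentials (added example, not from the page)."""
import json
import secrets
import time
import urllib.request
from typing import Callable, Optional, Tuple

# transport(method, path under /v1/, json body) -> (http status, decoded json)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def http_transport(addr: str, token: str) -> Transport:
    """Real transport: Vault's HTTP API authenticated with the X-Vault-Token header."""
    def call(method, path, body):
        req = urllib.request.Request(
            f"{addr.rstrip('/')}/v1/{path}", method=method,
            data=json.dumps(body).encode() if body is not None else None,
            headers={"X-Vault-Token": token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    return call


class DynamicCreds:
    """One credential from database/creds/<role>. refresh() leaves a healthy lease
    alone, renews when the remaining TTL drops under min_ttl, and when Vault can no
    longer grant min_ttl (renewals are capped by the role's max_ttl, 2h on the page)
    issues a fresh credential and revokes the old lease so its MySQL user is dropped."""

    def __init__(self, transport: Transport, role="my-role", mount="database",
                 min_ttl=600, clock: Callable[[], float] = time.time):
        self.t, self.role, self.mount = transport, role, mount
        self.min_ttl, self.clock = min_ttl, clock   # min_ttl=600 is an assumed threshold
        self.lease_id, self.renewable, self.expires_at = None, False, 0.0
        self.username = self.password = ""

    def issue(self) -> Tuple[str, str]:
        status, resp = self.t("GET", f"{self.mount}/creds/{self.role}", None)
        if status != 200:
            raise RuntimeError(f"creds request failed: {status} {resp.get('errors')}")
        self.lease_id, self.renewable = resp["lease_id"], bool(resp.get("renewable"))
        self.expires_at = self.clock() + resp["lease_duration"]
        self.username, self.password = resp["data"]["username"], resp["data"]["password"]
        return self.username, self.password

    def remaining(self) -> float:
        return self.expires_at - self.clock()

    def renew(self, increment=3600) -> int:
        """Ask for `increment` more seconds; return what Vault actually granted."""
        status, resp = self.t("PUT", "sys/leases/renew",
                              {"lease_id": self.lease_id, "increment": increment})
        if status != 200:
            return 0
        self.expires_at = self.clock() + resp["lease_duration"]
        self.renewable = bool(resp.get("renewable"))
        return int(resp["lease_duration"])

    def revoke(self, lease_id=None) -> bool:
        """Revoke now; Vault then runs the role's revocation statements (DROP USER by default)."""
        status, _ = self.t("PUT", "sys/leases/revoke", {"lease_id": lease_id or self.lease_id})
        return status == 204

    def refresh(self) -> str:
        if self.lease_id and self.remaining() > self.min_ttl:
            return "ok"
        if self.lease_id and self.renewable and self.renew() >= self.min_ttl:
            return "renewed"
        old = self.lease_id
        self.issue()
        if old:
            self.revoke(old)   # never leave the superseded MySQL user alive until expiry
        return "reissued"


class FakeVault:
    """Constructed stand-in for the three endpoints used above (offline demo only, not
    Vault code). One role with the page's default_ttl=1h / max_ttl=2h; `now` is a fake clock."""

    def __init__(self, default_ttl=3600, max_ttl=7200):
        self.now, self.default_ttl, self.max_ttl, self.leases = 0.0, default_ttl, max_ttl, {}

    def call(self, method, path, body):
        if method == "GET" and path.startswith("database/creds/"):
            role = path.rsplit("/", 1)[1]
            lease_id = f"{path}/{secrets.token_urlsafe(18)}"
            user = f"v-token-{role}-{secrets.token_hex(8)}"   # assumed username shape
            self.leases[lease_id] = {"issued": self.now, "revoked": False, "username": user}
            return 200, {"lease_id": lease_id, "lease_duration": self.default_ttl,
                         "renewable": True,
                         "data": {"username": user, "password": secrets.token_urlsafe(15)}}
        lease = self.leases.get((body or {}).get("lease_id", ""))
        if method == "PUT" and path == "sys/leases/renew":
            if lease is None or lease["revoked"]:
                return 400, {"errors": ["lease not found"]}
            cap = self.max_ttl - (self.now - lease["issued"])   # max_ttl counts from issue time
            granted = int(max(0, min(body.get("increment", self.default_ttl), cap)))
            return 200, {"lease_id": body["lease_id"], "lease_duration": granted, "renewable": True}
        if method == "PUT" and path == "sys/leases/revoke":
            if lease is not None:
                lease["revoked"] = True
            return 204, {}
        return 404, {"errors": [f"unsupported in fake: {method} {path}"]}
```

Against a real server, construct it as DynamicCreds(http_transport(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])) with the mysql-clients token from section III and call refresh() before each connection; the first call returns "reissued", later calls "ok" or "renewed", and "reissued" again roughly every max_ttl, at which point the application must reconnect with the new username. Note that revoking the old lease from this token needs an explicit grant on sys/leases/revoke, which neither the mysql-clients policy above nor the default policy provides.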