我想使用Vault为PostgreSQL数据库生成动态凭证。我执行了此处给出的步骤:https://www.vaultproject.io/docs/secrets/databases/postgresql.html。平台版本如下:
执行平台:CentOS Linux 7.3。 版本:Vault v1.1.2('0082501623c0b704b87b1fbc84c2d725994bac54')。 PostgreSQL版本:10.6托管在AWS RDS中。
以命令“ vault server -dev”以开发模式启动Vault服务器。
确认我能够使用以下命令使用psql连接到PostgreSQL数据库:“ psql -h my-rds-end-point.rds.amazonaws.com -p 5432 -d alerts -U master” / p>
使用命令:“ vault secrets enable database”启用了数据库秘密引擎。
使用以下命令创建数据库连接配置: A.使用用户名和密码分别在connection_url和
[root@vault-server ~]# vault write database/config/my-postgresql-database \
> plugin_name=postgresql-database-plugin \
> allowed_roles="my-role" \
> connection_url="postgresql://master:pg_master_password@my-rds-endpoint.rds.amazonaws.com:5432/alerts" \
> username="master" \
> password="pg_master_password"
WARNING! The following warnings were returned from Vault:
* Password found in connection_url, use a templated url to enable root
rotation and prevent read access to password information.
B。使用用户名,仅在connection_url中输入密码,而不是单独输入。
[root@vault-server ~]# vault write database/config/my-postgresql-database \
> plugin_name=postgresql-database-plugin \
> allowed_roles="my-role" \
> connection_url="postgresql://master:pg_master_password@my-rds-end-point.rds.amazonaws.com:5432/alerts"
WARNING! The following warnings were returned from Vault:
* Password found in connection_url, use a templated url to enable root rotation and prevent read access to password information.
C。使用用户名,密码已从connection_url中删除,但需要分别提供。
[root@vault-server ~]# vault write database/config/my-postgresql-database \
> plugin_name=postgresql-database-plugin \
> allowed_roles="my-role" \
> connection_url="postgresql://my-rds-end-point.rds.amazonaws.com:5432/alerts" \
> username="master" \
> password="pg_master_password"
Error writing data to database/config/my-postgresql-database: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/database/config/my-postgresql-database
Code: 400. Errors:
* error creating database object: error verifying connection: pq: password authentication failed for user "root"
vault write database/roles/my-role \
db_name=my-postgresql-database \
creation_statements="CREATE ROLE \"vault_role\" WITH LOGIN PASSWORD 'vault_role_password' VALID UNTIL '2019-06-30'; \
GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"vault_role\";" \
default_ttl="1h" \
max_ttl="24h"
[root@vault-server ~]# vault read database/creds/my-role
Key Value
--- -----
lease_id database/creds/my-role/WNdcEQ0YYZODGWzYxikRNztl
lease_duration 1h
lease_renewable true
password A1a-T19Eh8eKKGOZCLQt
username v-root-my-role-qWqOv4j34Sa3rQ3g35nJ-1559024979
观察
:1)当我尝试使用以下命令连接到数据库时,它失败了。尽管Vault创建了一个名为“ v-root-my-role-qWqOv4j34Sa3rQ3g35nJ-1559024979”的用户。但是,当我以PostgreSQL的主用户(超级用户)身份登录时执行“ \ du”时,在用户列表中找不到该用户。
[root@vault-server ~]# psql -h my-rds-end-point.rds.amazonaws.com -p 5432 -d alerts -U v-root-my-role-qWqOv4j34Sa3rQ3g35nJ-1559024979
Password for user v-root-my-role-qWqOv4j34Sa3rQ3g35nJ-1559024979:
psql: FATAL: password authentication failed for user "v-root-my-role-qWqOv4j34Sa3rQ3g35nJ-1559024979"
FATAL: password authentication failed for user "v-root-my-role-qWqOv4j34Sa3rQ3g35nJ-1559024979"
问题:我在这里想念什么?如何获得一套有效的凭据(用户名/密码)?保险柜是否真的创建了我可以使用“ \ du” psql命令看到的用户/角色?
2)当我尝试使用以下命令获取另一组凭据时,它失败了。
[root@vault-server ~]# vault read database/creds/my-role
Error reading database/creds/my-role: Error making API request.
URL: GET http://127.0.0.1:8200/v1/database/creds/my-role
Code: 500. Errors:
* 1 error occurred:
* pq: role "vault_role" already exists
问题:我在这里想念什么?如何获取多个凭据?
3)步骤4A,4B发出警告,而4C导致错误。上面第4步中提到的创建数据库连接配置的正确方法是什么?
我搜索了文档,帮助,Internet,论坛等,但是找不到解决此用例的方法。
有人可以指导我如何配置保管库,使其能够生成动态凭据以作为特定角色连接到PostgreSQL吗?
亲切的问候, 沙什
答案 0 :(得分:0)
通过遵循此线程中讨论的建议,解决了该问题:https://groups.google.com/forum/#!msg/vault-tool/SaEIFGoWmHg/KWIgXczDBAAJ。
结论:必须保留参考文档(https://www.vaultproject.io/docs/secrets/databases/postgresql.html)中“ {{}}”中提到的字段,因为该字段即不会更新为实际值。