Enabling encryption with token authentication using HashiCorp Vault (manual part)
Configure token settings in the Vault server.
Procedure
- Enable the Key/Value (KV) backend path in Vault. Run the following command for the Vault KV secrets engine API, version 2, because only version 2 is supported.
  vault secrets enable -path=odf kv-v2
  This is a one-time setting. You can get the token from the Vault administrator directly, or you can log in to the Vault server and create a token with the following steps. Use a unique path name as the backend path that follows the naming convention. You cannot change it later.
  Note: The example uses the backend path odf.
- Create a policy with the required permissions on the secret using the following command.
echo '
path "odf/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/mounts" {
  capabilities = ["read"]
}' | vault policy write odf -
- Create a token matching the policy.
vault token create -policy=odf -format json
Example output:
# vault token create -policy=odf -format json
{
  "request_id": "e7103f23-c67c-2412-77b0-b92a728fd5fd",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": null,
  "warnings": null,
  "auth": {
    "client_token": "hvs.CAESILkFSEnBgMgE0JxdbnBf_VUPxlvhCPTBBdx30jlbMfiMGh4KHGh2cy5QeFZVWnhOWGMxdlhvSU5YU0tNRjBBVGo",
    "accessor": "IFNbUOwWAzg5cyiUZGVlvf5o",
    "policies": [
      "default",
      "odf"
    ],
    "token_policies": [
      "default",
      "odf"
    ],
    "identity_policies": null,
    "metadata": null,
    "orphan": false,
    "entity_id": "",
    "lease_duration": 2764800,
    "renewable": true,
    "mfa_requirement": null
  }
}
Take a note of the auth.client_token value.
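A sanity check to run on the token-create output before handing the token over, added here as an example; it is not part of the original procedure or of Vault's tooling. The embedded JSON sample, the helper names and the default policy name odf are assumptions, and the token and accessor values in it are placeholders.

```python
import json

# Constructed sample in the shape printed by `vault token create -format json`;
# the token, accessor and request_id are placeholders, not real credentials.
SAMPLE_OUTPUT = """{
  "request_id": "00000000-0000-4000-8000-000000000000",
  "auth": {
    "client_token": "hvs.EXAMPLE-TOKEN-PLACEHOLDER",
    "accessor": "EXAMPLE-ACCESSOR",
    "policies": ["default", "odf"],
    "token_policies": ["default", "odf"],
    "orphan": false,
    "lease_duration": 2764800,
    "renewable": true
  }
}"""


def build_policy(backend_path: str) -> str:
    """Render the policy HCL from the procedure for the chosen KV backend path."""
    return (
        f'path "{backend_path}/*" {{\n'
        '  capabilities = ["create", "read", "update", "delete", "list"]\n'
        "}\n"
        'path "sys/mounts" {\n'
        '  capabilities = ["read"]\n'
        "}\n"
    )


def check_token_output(output: str, policy_name: str = "odf") -> dict:
    """Parse the token-create JSON and list anything to fix before using the
    token: missing or extra policies, no expiry, or a non-renewable token."""
    auth = json.loads(output)["auth"]
    policies = set(auth.get("policies", []))
    findings = []
    if policy_name not in policies:
        findings.append(f"token lacks the {policy_name} policy")
    extra = sorted(policies - {"default", policy_name})
    if extra:  # least privilege: only the backend policy (plus default) belongs here
        findings.append(f"token carries unexpected policies: {extra}")
    if auth.get("lease_duration", 0) == 0:
        findings.append("token has no TTL and never expires")
    elif not auth.get("renewable", False):
        findings.append("token is not renewable and will expire after its lease")
    return {
        "client_token": auth["client_token"],  # the auth.client_token value to record
        "ttl_days": auth.get("lease_duration", 0) / 86400,
        "findings": findings,
    }
```

Pipe the real output of `vault token create -policy=odf -format json` into check_token_output instead of SAMPLE_OUTPUT; an empty findings list means the token carries only the expected policies and has a renewable, finite lease.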