secrets kv-v1 in vault
#Enable Key/value version 1 as secret engine
$ vault secrets enable -path="kv-v1" kv
#Store the Google API key owned by the engineering team; this example illustrates the path convention kv-v1/<OWNER>/apikey/<APP>
$ vault kv put kv-v1/<PATH> <KEY>=<VALUE>
$ vault kv put kv-v1/eng/apikey/google key=<KEY_TO_PUT>
$ vault kv put kv-v1/<OWNER>/apikey/<APP> <KEY>=<VALUE>
#Read the Value from the above key
$ vault kv get kv-v1/eng/apikey/google
$ vault read kv-v1/eng/apikey/google
#Path Convention for storing the certificate
# kv-v1/<ENVIRONMENT>/cert/<SYSTEM>
$ vault kv put kv-v1/prod/cert/mysql cert=@<CERT_FILE>
$ vault policy write apps - << EOF
# Read-only permit
path "kv-v1/eng/apikey/google" {
capabilities = [ "read" ]
}
# Read-only permit
path "kv-v1/prod/cert/mysql" {
capabilities = [ "read" ]
}
EOF
#Create a new token with the apps policy and use it to verify that both secrets can be read
$ vault token create -policy=apps -period=24h
$ VAULT_TOKEN=<TOKEN_FROM_ABOVE> vault kv get -field=key kv-v1/eng/apikey/google
$ VAULT_TOKEN=<TOKEN> vault kv get -field=cert kv-v1/prod/cert/mysql
#To keep the secret value off the command line and out of the shell history, use one of the options below
#Option 1: Use a dash "-"
#An easy technique is to use a dash "-" and then press Enter. This allows you to enter the secret on a new line. After entering the secret, press Ctrl+d to end the pipe which will write the secret to the Vault.
$ vault kv put kv-v1/eng/apikey/google key=-
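#Option 2: Read the secret from a file (with a bare @file argument the file must hold the data as JSON, e.g. {"key": "<KEY_TO_PUT>"}; keep the file readable only by its owner)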
$ vault kv put kv-v1/eng/apikey/google @apikey.txt
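#Option 3: Disable all vault command history (bash only; HISTIGNORE patterns are anchored at the start of the line, so commands prefixed with VAULT_TOKEN=<TOKEN> as shown earlier are still recorded)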
$ export HISTIGNORE="&:vault*"
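#How do I save multiple values at once? (sample values shown inline; a real password typed this way is written to the shell history, so prefer Option 2 above for real credentials)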
$ vault kv put kv-v1/dev/config/mongodb url=foo.example.com:35533 \
db_name=users \
username=admin password=passw0rd