Vault Configuration with PostgreSQL DB

To configure Vault with PostgreSQL as its storage backend and the database secrets engine for dynamic credentials, do the following.

  • Create a new database named “insightsvault” in PostgreSQL

  • Create the following two tables in the new database (Vault does not create them itself; this is the schema from the Vault PostgreSQL storage backend documentation)

CREATE TABLE vault_kv_store (
  parent_path TEXT COLLATE "C" NOT NULL,
  path        TEXT COLLATE "C",
  key         TEXT COLLATE "C",
  value       BYTEA,
  CONSTRAINT pkey PRIMARY KEY (path, key)
);

CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);

CREATE TABLE vault_ha_locks (
  ha_key                                      TEXT COLLATE "C" NOT NULL,
  ha_identity                                 TEXT COLLATE "C" NOT NULL,
  ha_value                                    TEXT COLLATE "C",
  valid_until                                 TIMESTAMP WITH TIME ZONE NOT NULL,
  CONSTRAINT ha_key PRIMARY KEY (ha_key)
);

  • Create a new file vault_config.hcl with the following configuration (the comments mark settings that are only acceptable in a lab setup)

storage "postgresql" {
	# Credentials are in clear text and sslmode=disable sends them and all
	# storage traffic unencrypted; in production use sslmode=verify-full and a
	# dedicated database role that owns only the two Vault tables.
	connection_url = "postgresql://grafana:grafana@localhost:5432/insightsvault?sslmode=disable"
}

ui = true
# trace is extremely verbose and logs request detail; use "info" outside debugging.
log_level="trace"
plugin_directory="C:\\Insights\\vault_1.5.5_windows_amd64\\plugins"
listener "tcp" {
  address     = "10.10.90.42:8200"
  # Plaintext listener: tokens and secrets cross the network unencrypted.
  tls_disable = 1
}
# api_addr is the address clients are redirected to; 127.0.0.1 only works when
# every client runs on this host. Normally it matches the listener address.
api_addr = "http://127.0.0.1:8200"
cluster_addr = "http://10.10.90.42:8201"
# Enables the sys/raw endpoints used in the steps below. It exposes the whole
# encrypted store to sudo-capable tokens, so turn it off when no longer needed.
raw_storage_endpoint=true

  • Only if postgresql-database-plugin is an external binary placed in plugin_directory (it is built into Vault 1.5.5, so this step is normally unnecessary), register it. The plugin type is database, not auth, and the -sha256 value must be the 64-hex-character SHA-256 of the binary (for example from sha256sum); a 40-character value is SHA-1 length and can never match, so Vault will reject the plugin

vault plugin register -sha256=<sha256 of the plugin binary> database postgresql-database-plugin
  • Enable the database secrets engine:

vault secrets enable database
  • The default mount path is “database”. To mount it elsewhere pass -path, but keep the engine type as the last argument or the command fails; every database/... path in the steps below then becomes client1/database/...

vault secrets enable -path=client1/database database
  • Configure Vault with the plugin and connection information. allowed_roles="*" lets any role use this connection; restrict it to the role names you actually create (insightsvaultrole here). The connection URL names no database, so the session lands in the database named after the user (grafana); if the dynamic roles should receive their grants in insightsvault, add /insightsvault before the query string

vault write database/config/insightsvault plugin_name=postgresql-database-plugin allowed_roles="*" connection_url="postgresql://{{username}}:{{password}}@localhost:5432?sslmode=disable" username="grafana" password="grafana"
  • Configure a role that maps a name in Vault to the SQL executed to create the database credential. The GRANT covers only tables that exist in schema public at creation time, and the PostgreSQL role is revoked and dropped again when the lease expires (1h by default, 24h at most)

vault write database/roles/insightsvaultrole  db_name=insightsvault creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';  GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" default_ttl="1h"  max_ttl="24h"

db_name must be the same name used in database/config/<name> (insightsvault here); it is the Vault connection name, not the PostgreSQL database name.

  • Call the following POST API to store data. sys/raw exists only because raw_storage_endpoint=true is set; it writes directly to the barrier-encrypted storage and bypasses every secrets engine, so the path is a raw storage key and is not tied to the database mount

http://<host>:<port>/v1/sys/raw/<secret Engine from server config>/<clientId>/serverConfig

Ex:

http://10.10.90.42:8200/v1/sys/raw/database/local/serverConfig

The request body is JSON of the form {"value": "<string>"}. The request needs two headers, X-Vault-Token and Host; X-Vault-Token must carry a token with the sudo capability on this path (the root token in this setup).

  • Call the following GET API to fetch the data back; the stored string is returned under data.value

http://<host>:<port>/v1/sys/raw/<secret Engine from server config>/<clientId>/serverConfig

Ex:

http://10.10.90.42:8200/v1/sys/raw/database/local/serverConfig

The same two headers are required, and the token again needs sudo on the path.

  • Create a new username and password to log in to the Vault API instead of using the root token, for example a userpass user holding a policy limited to the creds and sys/raw paths used here (sudo on the sys/raw path is still required). Once that login works, revoke the root token; it can be regenerated from the unseal keys with vault operator generate-root if ever needed.

  • Unseal Vault and check the storage backend: after initialization vault_kv_store should contain rows, and the value column holds barrier-encrypted BYTEA, so nothing stored through Vault is readable in the database itself.
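The whole procedure as one script, added here as an example and not code from the original page: it computes and validates a plugin SHA-256, enables and configures the database engine (with the engine type on the mount command, the role restricted in allowed_roles and the database named in the URL), writes and reads the serverConfig entry through sys/raw, shows the encrypted row that lands in vault_kv_store, and creates a non-root userpass login. VAULT_ADDR, VAULT_TOKEN, the insights-app policy and user names, the "local" client id and the sample config value are assumptions; the steps that talk to Vault or PostgreSQL run only when RUN_VAULT=1 is set.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes an unsealed Vault
# started with raw_storage_endpoint=true, the vault CLI, curl, jq and psql on
# PATH, and the insightsvault database created as described above.
set -eu

VAULT_ADDR="${VAULT_ADDR:-http://10.10.90.42:8200}"
MOUNT="${MOUNT:-database}"            # use client1/database if mounted there
export VAULT_ADDR

# SHA-256 of an external plugin binary, for `vault plugin register -sha256=...`.
plugin_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# Vault compares the registered hash with the binary's SHA-256, so anything that
# is not 64 hex characters (for example a 40-character SHA-1) can never match.
valid_sha256() { printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{64}$'; }

# Raw storage key used by the page for a client's server config.
raw_path() { printf 'sys/raw/%s/%s/serverConfig' "$1" "$2"; }

vault_api() {  # method path [json-body]
  if [ $# -gt 2 ]; then
    curl -sSf -X "$1" -H "X-Vault-Token: $VAULT_TOKEN" --data "$3" "$VAULT_ADDR/v1/$2"
  else
    curl -sSf -X "$1" -H "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/$2"
  fi
}

# sys/raw writes the barrier-encrypted store directly; the body is {"value": "<string>"}
# and the token needs sudo on the path.
raw_write() { vault_api POST "$(raw_path "$1" "$2")" "$(jq -n --arg v "$3" '{value: $v}')"; }
raw_read()  { vault_api GET "$(raw_path "$1" "$2")" | jq -r '.data.value'; }

# The row Vault stored for the raw write: value is ciphertext, not the config.
show_storage_row() {
  psql "postgresql://grafana:grafana@localhost:5432/insightsvault" -c \
    "SELECT parent_path, path, key, octet_length(value) AS bytes FROM vault_kv_store WHERE key = 'serverConfig';"
}

setup_database_engine() {
  vault secrets enable -path="$MOUNT" database      # the type argument is required
  vault write "$MOUNT/config/insightsvault" \
    plugin_name=postgresql-database-plugin \
    allowed_roles=insightsvaultrole \
    connection_url="postgresql://{{username}}:{{password}}@localhost:5432/insightsvault?sslmode=disable" \
    username=grafana password=grafana
  vault write "$MOUNT/roles/insightsvaultrole" db_name=insightsvault \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl=1h max_ttl=24h
  # Optional: let Vault replace the grafana password with one only it knows.
  # Only do this if nothing else (Grafana itself) still logs in as grafana/grafana.
  # vault write -f "$MOUNT/rotate-root/insightsvault"
  vault read "$MOUNT/creds/insightsvaultrole"       # issues a 1h dynamic login
}

# A non-root identity: a userpass user with a policy scoped to the paths above.
create_app_user() {  # username password
  vault auth enable userpass 2>/dev/null || true
  vault policy write insights-app - <<EOF
path "$MOUNT/creds/insightsvaultrole" { capabilities = ["read"] }
path "sys/raw/$MOUNT/*" { capabilities = ["create", "read", "update", "sudo"] }
EOF
  vault write "auth/userpass/users/$1" password="$2" policies=insights-app
  vault login -method=userpass -field=token username="$1" password="$2"
}

if [ "${RUN_VAULT:-0}" = 1 ]; then
  : "${VAULT_TOKEN:?set VAULT_TOKEN to a root or sudo-capable token}"
  setup_database_engine
  raw_write "$MOUNT" local '{"serverPort": 3000}'    # constructed sample config
  raw_read "$MOUNT" local
  show_storage_row
  create_app_user insights-app-user 'change-me'
fi
```

Run it once as RUN_VAULT=1 VAULT_TOKEN=<root token> sh setup.sh from a host that can reach both Vault and PostgreSQL; the token printed last by create_app_user is the one to use from then on. The helper functions can also be sourced on their own, for example to check a plugin hash before registering it.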
