1. Overview:
MySQL plugins (according to the official docs, they differ only in their length limits for usernames, passwords and similar fields):

mysql-database-plugin
mysql-aurora-database-plugin
mysql-rds-database-plugin
mysql-legacy-database-plugin

2. Deployment procedure

1. Start the instance:
docker run --name mysql -v /data/mysql:/var/lib/mysql -p 3306:3306 -e MYSQL_ROOT_PASSWORD=123456 -d mysql:latest
The database is now available for use.

2. Enable the database secrets engine:
vault secrets enable database

3. Write the database connection configuration:
vault write database/config/my-mysql-database \
plugin_name=mysql-database-plugin \
connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \
allowed_roles="my-role" \
username="root" \
password="123456"
 
4. Get the base64 value of the statement that creates the random user:
echo -n "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON *.* TO '{{name}}'@'%';" | base64
Q1JFQVRFIFVTRVIgJ3t7bmFtZX19J0AnJScgSURFTlRJRklFRCBCWSAne3twYXNzd29yZH19JzsgR1JBTlQgU0VMRUNUIE9OICouKiBUTyAne3tuYW1lfX0nQCclJzs=
 
5. Configure the role (the line continuation backslash is required, otherwise the shell runs creation_statements=... as a separate command):
vault write database/roles/my-role db_name=my-mysql-database \
creation_statements="Q1JFQVRFIFVTRVIgJ3t7bmFtZX19J0AnJScgSURFTlRJRklFRCBCWSAne3twYXNzd29yZH19JzsgR1JBTlQgU0VMRUNUIE9OICouKiBUTyAne3tuYW1lfX0nQCclJzs=" default_ttl="1h" max_ttl="2h"
Success! Data written to: database/roles/my-role
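The script below is an added example and not part of the original post: it covers steps 4 and 5 together by checking a creation statement template before encoding it and then printing the role-write command. The function names (validate_creation_statement, encode_creation_statement, role_write_command) are my own, and the list of privilege keywords it refuses is an assumed rule for a read-only role, not something Vault enforces.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check a Vault
# creation_statements template, then base64-encode it for database/roles.
set -eu

# Return 0 only if the template contains both placeholders that Vault fills
# in ({{name}} and {{password}}) and does not grant broad privileges.
# A template missing {{password}} would create users with a fixed password;
# one missing {{name}} could not create a distinct user per lease.
validate_creation_statement() {
  local sql="$1"
  case "$sql" in
    *'{{name}}'*) ;;
    *) echo "template is missing {{name}}" >&2; return 1 ;;
  esac
  case "$sql" in
    *'{{password}}'*) ;;
    *) echo "template is missing {{password}}" >&2; return 1 ;;
  esac
  # Assumed rule for this read-only role: refuse anything beyond SELECT.
  case "$sql" in
    *'GRANT ALL'*|*'WITH GRANT OPTION'*|*'SUPER'*)
      echo "template grants more than a read-only role needs" >&2; return 1 ;;
  esac
  return 0
}

# base64 without line wrapping: GNU base64 wraps at 76 columns by default,
# which would corrupt the value when pasted into `vault write`.
encode_creation_statement() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Print the `vault write` command for the role (does not call vault itself).
role_write_command() {
  local role="$1" db="$2" sql="$3" encoded
  validate_creation_statement "$sql" || return 1
  encoded=$(encode_creation_statement "$sql")
  printf 'vault write database/roles/%s db_name=%s \\\n' "$role" "$db"
  printf '  creation_statements="%s" default_ttl="1h" max_ttl="2h"\n' "$encoded"
}

# The statement used in the post (read-only grant on all databases).
CREATE_SQL="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON *.* TO '{{name}}'@'%';"
role_write_command my-role my-mysql-database "$CREATE_SQL"
```

The root password given in step 3 ends up in shell history; after the connection config is written, `vault write -force database/rotate-root/my-mysql-database` makes Vault rotate that password so it is no longer known outside Vault.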
 
6. Read a credential (username and password):
[root@test132 ~]# vault read database/creds/my-role
Key                Value
---                -----
lease_id           database/creds/my-role/HjpLVqzbvKBK59WPmNdFS1qP
lease_duration     1h
lease_renewable    true
password           s3fixHVVHNqrA-cdXO5Q
username           v-root-my-role-xrGlzStUOEpfy3fhu
7. Test the login.

3. Create a token with permission to generate and read credentials

1. Create a policy:

vault policy write mysql-clients -<<EOF
path "database/creds/my-role" {
capabilities = [ "read", "update"]
}

# Recommended: List all dynamic and static roles
path "database/roles" {
capabilities = [ "list" ]
}

path "database/static-roles" {
capabilities = [ "list" ]
}
EOF

2. Create the token:

vault token create -policy=mysql-clients -ttl=8h

3. Log in through the web UI.

4. Retrieve the newly generated credentials and copy them immediately: they cannot be viewed again later, only new ones can be generated.

Note: error when logging in to MySQL:
[root@test132 ~]# mysql -h 127.0.0.1 -P 3306 -uroot -p123456
ERROR 2059 (HY000): Authentication plugin 'caching_sha2_password' cannot be loaded: /usr/lib64/mysql/plugin/caching_sha2_password.so: cannot open shared object file: No such file or directory
Fix (this switches root to the older, weaker mysql_native_password plugin; the cause is a client too old to support caching_sha2_password, so upgrading the MySQL client also resolves the error without changing the server-side setting):
ALTER USER 'root'@'%' IDENTIFIED BY '123456' PASSWORD EXPIRE NEVER;
ALTER USER 'root'@'%' IDENTIFIED WITH mysql_native_password BY '123456';
FLUSH PRIVILEGES;

Other operations:
List existing leases for the role:
vault list sys/leases/lookup/database/creds/my-role
LEASE_ID=$(vault list -format=json sys/leases/lookup/database/creds/my-role | jq -r ".[0]")
Renew a lease:
vault lease renew database/creds/my-role/$LEASE_ID
Revoke a lease without waiting for it to expire:
vault lease revoke database/creds/my-role/$LEASE_ID
For example, with the lease read above:
vault lease revoke database/creds/my-role/HjpLVqzbvKBK59WPmNdFS1qP
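The script below is an added example, not part of the original post: it takes the table printed by `vault read database/creds/my-role` in step 6 and derives what a client needs for the lease operations listed above (the lease suffix that `vault list sys/leases/lookup/...` returns, the TTL in seconds, and a renewal point). The sample input is a copy of the output shown in step 6, embedded so the script runs without a Vault server; the helper names (cred_field, duration_seconds, lease_suffix, renew_after_seconds) and the "renew at half the TTL" rule are my own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): parse the key/value table that
# `vault read database/creds/my-role` prints and derive the values a client
# needs for renewal and revocation. Runs offline on the constructed sample.
set -eu

# The credential output shown in step 6, embedded as sample input
# (constructed copy; no Vault server is contacted).
SAMPLE_CREDS='Key                Value
---                -----
lease_id           database/creds/my-role/HjpLVqzbvKBK59WPmNdFS1qP
lease_duration     1h
lease_renewable    true
password           s3fixHVVHNqrA-cdXO5Q
username           v-root-my-role-xrGlzStUOEpfy3fhu'

# Print the value column for one key of the two-column table read on stdin.
cred_field() {
  awk -v key="$1" '$1 == key { print $2; exit }'
}

# Convert a Vault duration (1h, 30m, 45s, or a bare number of seconds) to seconds.
duration_seconds() {
  case "$1" in
    *h) echo $(( ${1%h} * 3600 )) ;;
    *m) echo $(( ${1%m} * 60 )) ;;
    *s) echo "${1%s}" ;;
    *)  echo "$1" ;;
  esac
}

# Strip everything up to the last slash of a lease_id, giving the suffix that
# `vault list sys/leases/lookup/database/creds/my-role` returns and that
# `vault lease renew database/creds/my-role/$LEASE_ID` expects.
lease_suffix() {
  echo "${1##*/}"
}

# A client should renew well before expiry; this renews at the midpoint of the lease.
renew_after_seconds() {
  echo $(( $(duration_seconds "$1") / 2 ))
}

lease_id=$(printf '%s\n' "$SAMPLE_CREDS" | cred_field lease_id)
ttl=$(printf '%s\n' "$SAMPLE_CREDS" | cred_field lease_duration)
renewable=$(printf '%s\n' "$SAMPLE_CREDS" | cred_field lease_renewable)

echo "lease suffix: $(lease_suffix "$lease_id")"
echo "lease ttl: $(duration_seconds "$ttl")s"
if [ "$renewable" = true ]; then
  echo "renew in $(renew_after_seconds "$ttl")s with: vault lease renew $lease_id"
fi
echo "revoke now with: vault lease revoke $lease_id"
```

In practice the same fields are easier to read from `vault read -format=json database/creds/my-role` with jq, as the lease-listing command above already does; the table parser here only exists so that the post's own output can be used as input.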