Deployment and basic usage
- Find the Vault image on Docker Hub: https://hub.docker.com/r/hashicorp/vault
- Run Vault directly with docker:
docker run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:8200", "tls_disable": true}}], "default_lease_ttl": "168h", "max_lease_ttl": "7200h", "ui": true}' -p 8200:8200 --restart=always hashicorp/vault server
  What each setting in VAULT_LOCAL_CONFIG means:
  - "storage": {"file": {"path": "/vault/file"}}: file storage backend, stored in the /vault/file directory inside the container
  - "address": "0.0.0.0:8200": listen address, port 8200
  - "tls_disable": true: TLS is switched off
  - "default_lease_ttl": "168h": default lease TTL of 168 hours, i.e. 7 days
  - "max_lease_ttl": "7200h": maximum lease TTL of 300 days
  - "ui": true: enables the web UI
- Deploy Vault with docker-compose (recommended); see the project "Setting up Vault with Docker and Traefik". If you get a port-already-in-use error, switch to another port; in my case 8200 was taken, so I changed it to 8300.
services:
  vault:
    image: hashicorp/vault
    volumes:
      - ./config:/vault/config:rw
      - ./file:/vault/file:rw
      - ./logs:/vault/logs
    cap_add:
      - IPC_LOCK
    environment:
      VAULT_LOCAL_CONFIG: '{"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:8300", "tls_disable": true}}], "default_lease_ttl": "168h", "max_lease_ttl": "7200h", "ui": true}'
    restart: always
    ports:
      - 8300:8300
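Before deploying, it is worth checking what a VAULT_LOCAL_CONFIG string actually sets up. The following is an added Python example, not code from the post or from Vault: it parses the config used above (copied inline as SAMPLE_CONFIG), converts the lease TTLs to days, and flags the settings that keep this deployment LAN-only. It assumes Go-style durations with s/m/h units; the finding texts are my own wording.

```python
import json
import re

# Constructed copy of the VAULT_LOCAL_CONFIG value from the compose file above.
SAMPLE_CONFIG = (
    '{"storage": {"file": {"path": "/vault/file"}}, '
    '"listener": [{"tcp": {"address": "0.0.0.0:8300", "tls_disable": true}}], '
    '"default_lease_ttl": "168h", "max_lease_ttl": "7200h", "ui": true}'
)
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}

def parse_duration(text):
    """Convert a Vault duration such as '168h', '30m' or '1h30m' to seconds."""
    parts = re.findall(r"(\d+)([smh])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)

def audit_local_config(raw):
    """Return (summary, findings) for a VAULT_LOCAL_CONFIG JSON string; findings are
    the settings that keep this deployment LAN-only, as the post warns."""
    cfg = json.loads(raw)
    findings = []
    # Vault's built-in default for both lease TTLs is 768h (32 days).
    default_ttl = parse_duration(cfg.get("default_lease_ttl", "768h"))
    max_ttl = parse_duration(cfg.get("max_lease_ttl", "768h"))
    if default_ttl > max_ttl:
        findings.append("default_lease_ttl is larger than max_lease_ttl")
    for entry in cfg.get("listener", []):
        tcp = entry.get("tcp", {})
        addr = tcp.get("address", "127.0.0.1:8200")
        if tcp.get("tls_disable") in (True, "true"):
            findings.append(f"listener {addr}: tls_disable set, tokens and secrets cross the network in clear text")
        if addr.startswith(("0.0.0.0:", "[::]:")):
            findings.append(f"listener {addr}: bound to every interface, not just localhost")
    if "file" in cfg.get("storage", {}):
        findings.append("file storage backend: single node, no HA; back up the mounted directory")
    summary = {
        "default_lease_days": default_ttl / 86400,
        "max_lease_days": max_ttl / 86400,
        "ui_enabled": bool(cfg.get("ui", False)),
    }
    return summary, findings
```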
- Check the container logs: initialization succeeded and a root token is printed. Keep this root token; you will need it to log in shortly. Note that the log also says dev mode is enabled: the image's default command is server -dev, so without an explicit command the container starts unsealed with in-memory storage, the file storage configured above is not used, and anything written is lost when the container restarts.
$ docker-compose -f
vault-1 | WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
vault-1 | and starts unsealed with a single unseal key. The root token is already
vault-1 | authenticated to the CLI, so you can immediately begin using Vault.
vault-1 |
vault-1 | You may need to set the following environment variables:
vault-1 |
vault-1 | $ export VAULT_ADDR='http://0.0.0.0:8200'
vault-1 |
vault-1 | The unseal key and root token are displayed below in case you want to
vault-1 | seal/unseal the Vault or re-authenticate.
vault-1 |
vault-1 | Unseal Key: xxxxxxxxxxxxxxxxxxxxxxx
vault-1 | Root Token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
vault-1 |
vault-1 | Development mode should NOT be used in production installations!
- Open http://[your ip]:8300/ui, paste the root token, and log in to the UI. By default you will see two secrets engines: cubbyhole and secret.
- In cubbyhole, add some new fields. Suppose we want to store database connection settings: add four keys, host, port, user and password, fill in their values, and choose a path. The path can be anything as long as it is unique; here I named it /dev_db.
- Now let me query it to fetch the data we just entered:
curl --header "X-Vault-Token: [你的root_token]" \
http://[你的ip]:8300/v1/cubbyhole/dev_db
{"request_id":"d5f580db-0198-1db7-ae0b-f9d93c2784f7","lease_id":"","renewable":false,"lease_duration":0,"data":{"host":"xxxxxxxxxxxx","password":"xxxxxxxxxxx","port":"3306","user":"root"},"wrap_info":null,"warnings":null,"auth":null,"mount_type":"cubbyhole"}
Using the KV v2 engine
- Whether you use the default cubbyhole engine or the common kv engine, the data is not versioned by default. In other words, once a mistaken update or delete overwrites the original data, there is no way back.
- That is why Vault also offers an engine called KV v2, which keeps a version history of the data. It is a little more awkward to use and its API documentation is not very clear, so this section walks through storing data with KV v2 separately.
- The default UI also shows a secret engine. Open it and click Configuration, and you can see that it is a KV v2 engine by default.
- Go back to secret and, as before, create a /dev_db entry holding the database connection settings.
- Once it is created, click Secret to preview what you stored. The default Overview shows the current Version as 1. There is no edit button, only Create new, which creates a new version.
- Using the API path shown above, let's first try reading the data:
curl --header "X-Vault-Token: [你的root_token]" \
http://[你的ip]:8300/v1/secret/data/dev_db
{"request_id":"4c22b29d-0f4f-b706-77e4-35ced0f0b8f9","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"host":"xxxxxxxx","password":"xxxxxxxx","port":"3306","user":"root"},"metadata":{"created_time":"2025-03-24T04:59:33.046221783Z","custom_metadata":null,"deletion_time":"","destroyed":false,"version":1}},"wrap_info":null,"warnings":null,"auth":null,"mount_type":"kv"}
- Suppose we need to change the database connection settings; we do that by creating a new version of dev_db. Click Create new. For example, port came back above as the string 3306 and we want it to be a number, so switch on JSON and Show diff, then click Save.
- Read the result again:
curl --header "X-Vault-Token: [你的root_token]" \
http://[你的ip]:8300/v1/secret/data/dev_db
{"request_id":"f9a8c534-e263-462d-fb40-2b36ebf76fd7","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"host":"xxxxxxxx","password":"xxxxxx","port":3306,"user":"root"},"metadata":{"created_time":"2025-03-24T06:33:24.444266346Z","custom_metadata":null,"deletion_time":"","destroyed":false,"version":2}},"wrap_info":null,"warnings":null,"auth":null,"mount_type":"kv"}
- Back in the UI, open Secret; the Version selector switches between the different versions.
- To read version 1 through the API, add the query parameter version=1:
curl --header "X-Vault-Token: [你的root_token]" \
http://[你的ip]:8300/v1/secret/data/dev_db?version=1
- The output is exactly the version 1 content: the port is a string rather than a number.
{"request_id":"3915eb3c-0ac2-2092-0c27-127987c4d562","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"host":"xxxx","password":"xxxx","port":"3306","user":"root"},"metadata":{"created_time":"2025-03-24T04:59:33.046221783Z","custom_metadata":null,"deletion_time":"","destroyed":false,"version":1}},"wrap_info":null,"warnings":null,"auth":null,"mount_type":"kv"}
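To make the version handling above concrete, here is an added Python example (not code from the post): it parses the KV v2 and cubbyhole response shapes shown in the curl output, refuses deleted or destroyed versions instead of returning an empty secret, and diffs two versions by key without echoing the values. The response bodies are constructed placeholders.

```python
import json

# Constructed read responses in the shape of the curl output above (placeholder values,
# not the post's data): version 1 stores port as the string "3306", version 2 as the
# number 3306, then a soft-deleted version 1, and finally the cubbyhole shape.
KV2_V2 = '''{"data": {"data": {"host": "db.internal", "password": "s3cret", "port": 3306, "user": "root"},
  "metadata": {"deletion_time": "", "destroyed": false, "version": 2}}, "mount_type": "kv"}'''
KV2_V1 = '''{"data": {"data": {"host": "db.internal", "password": "s3cret", "port": "3306", "user": "root"},
  "metadata": {"deletion_time": "", "destroyed": false, "version": 1}}, "mount_type": "kv"}'''
KV2_V1_DELETED = '''{"data": {"data": null, "metadata": {"deletion_time": "2025-03-25T00:00:00Z",
  "destroyed": false, "version": 1}}, "mount_type": "kv"}'''
CUBBYHOLE = '''{"data": {"host": "db.internal", "password": "s3cret", "port": "3306", "user": "root"},
  "mount_type": "cubbyhole"}'''

def version_status(meta):
    """Classify KV v2 metadata: 'deleted' can be undeleted, 'destroyed' cannot."""
    if meta.get("destroyed"):
        return "destroyed"
    if meta.get("deletion_time"):
        return "deleted"
    return "active"

def unwrap_secret(body):
    """Return (fields, version). KV v2 nests the fields under data.data beside a
    metadata object; cubbyhole/KV v1 put them directly under data with no version.
    A deleted or destroyed KV v2 version has data.data == null, so refuse it."""
    data = json.loads(body)["data"]
    if "metadata" not in data:
        return data, None
    meta = data["metadata"]
    status = version_status(meta)
    if status != "active":
        raise LookupError(f"version {meta['version']} is {status}")
    return data["data"], meta["version"]

def diff_versions(old, new):
    """Report which keys changed between two versions without echoing any values, so
    the report is safe to log; a type change such as "3306" -> 3306 is named."""
    report = {}
    for key in sorted(set(old) | set(new)):
        if key not in old:
            report[key] = "added"
        elif key not in new:
            report[key] = "removed"
        elif type(old[key]) is not type(new[key]):
            report[key] = f"type changed {type(old[key]).__name__} -> {type(new[key]).__name__}"
        elif old[key] != new[key]:
            report[key] = "value changed"
    return report
```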
- That is the end of basic usage (note that the deployment above is only suitable for a LAN; for production, configure TLS certificates).
Calling Vault from the Python SDK
- Project: https://github.com/hvac/hvac; documentation: https://python-hvac.org/en/stable/overview.html
- Install the module:
pip install "hvac[parser]"
- Run the following Python code, which reads the current version and version 1 of the KV v2 secret, the same as we did above with curl.
import hvac

client = hvac.Client(
    url='http://[host]:8300',
    token="[your root_token]"
)
# Fail early if the token is invalid or expired.
assert client.is_authenticated(), "Vault token was not accepted"

# Read the latest version of the KV v2 secret, i.e. the same data as
# http://[ip]:[port]/v1/secret/data/dev_db above.
read_response = client.secrets.kv.read_secret_version(
    path='/dev_db',
    raise_on_deleted_version=False,  # return metadata instead of raising if the version is deleted
)
print(read_response)

# Read version 1 explicitly (the API's ?version=1).
read_response_v1 = client.secrets.kv.read_secret_version(
    path='/dev_db',
    raise_on_deleted_version=False,
    version=1,
)
print(read_response_v1)
{'request_id': 'eb0c4fbf-890f-d317-522c-dfb82509bf61', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'data': {'host': 'xxxxxxxxxx', 'password': 'xxxxxx', 'port': 3306, 'user': 'root'}, 'metadata': {'created_time': '2025-03-24T06:33:24.444266346Z', 'custom_metadata': None, 'deletion_time': '', 'destroyed': False, 'version': 2}}, 'wrap_info': None, 'warnings': None, 'auth': None, 'mount_type': 'kv'}
{'request_id': '6f9e67ea-9acd-6042-0acf-958da32f3412', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': {'data': {'host': 'xxxxxx', 'password': 'xxxxxx', 'port': '3306', 'user': 'root'}, 'metadata': {'created_time': '2025-03-24T04:59:33.046221783Z', 'custom_metadata': None, 'deletion_time': '', 'destroyed': False, 'version': 1}}, 'wrap_info': None, 'warnings': None, 'auth': None, 'mount_type': 'kv'}