Usage examples for secret handling

Stefan Kalscheuer 2019-03-23 11:05:21 +01:00
parent 3a2de69e89
commit 6fbf14e8a3
4 changed files with 83 additions and 84 deletions

Home.md

@ -12,8 +12,8 @@ Java Vault Connector is a connector library for [Vault](https://www.vaultproject
* Authorization methods
* Token
* Username/Password
* AppID (register and authenticate) [_deprecated_]
* AppRole (register and authenticate)
* AppID (register and authenticate) [_deprecated_]
* Tokens
* Creation and lookup of tokens
* TokenBuilder for speaking creation of complex configuraitons
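Review bot: the context line `* TokenBuilder for speaking creation of complex configuraitons` carries a typo ("configuraitons") and "speaking creation" is unclear (presumably "fluent creation"); since this hunk already edits the feature list, fold that fix in rather than leaving it for another commit.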
@ -28,89 +28,6 @@ Java Vault Connector is a connector library for [Vault](https://www.vaultproject
* Connector Factory with builder pattern
* Tested against Vault 1.1.0
## Maven Artifact
```xml
<dependency>
<groupId>de.stklcode.jvault</groupId>
<artifactId>connector</artifactId>
<version>0.7.1</version>
</dependency>
```
## Usage Examples
### Initialization
```java
// Instantiate using builder pattern style factory (TLS enabled by default)
VaultConnector vault = VaultConnectorFactory.httpFactory()
.withHost("127.0.0.1")
.withPort(8200)
.withTLS()
.build();
// Instantiate with custom SSL context
VaultConnector vault = VaultConnectorFactory.httpFactory()
.withHost("example.com")
.withPort(8200)
.withTrustedCA(Paths.get("/path/to/CA.pem"))
.build();
// Initialization from environment variables
VaultConnector vault = VaultConnectorFactory.httpFactory()
.fromEnv()
.build();
```
### Authentication
```java
// Authenticate with token.
vault.authToken("01234567-89ab-cdef-0123-456789abcdef");
// Authenticate with username and password.
vault.authUserPass("username", "p4ssw0rd");
// Authenticate with AppRole (secret - 2nd argument - is optional).
vault.authAppId("01234567-89ab-cdef-0123-456789abcdef", "fedcba98-7654-3210-fedc-ba9876543210");
```
### Secret read & write
```java
// Retrieve secret (prefix "secret/" assumed, use read() to read arbitrary paths)
String secret = vault.readSecret("some/secret/key").getValue();
// Complex secret.
Map<String, Object> secretData = vault.readSecret("another/secret/key").getData();
// Write simple secret.
vault.writeSecret("new/secret/key", "secret value");
// Write complex data to arbitraty path.
Map<String, Object> map = [...]
vault.write("any/path/to/write", map);
// Delete secret.
vault.delete("any/path/to/write");
```
### Token and role creation
```java
// Create token using TokenBuilder
Token token = new TokenBuilder().withId("token id")
.withDisplayName("new test token")
.withPolicies("pol1", "pol2")
.build();
vault.createToken(token);
// Create AppRole credentials
vault.createAppRole("testrole", policyList);
AppRoleSecretResponse secret = vault.createAppRoleSecret("testrole");
```
## Links
[Project Page](http://jvault.stklcode.de)
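Review bot: the removed authentication example pairs the comment `// Authenticate with AppRole (secret - 2nd argument - is optional).` with a call to `vault.authAppId(...)`, while the feature list in the previous hunk marks AppID as deprecated; if these examples are moving to the Authorization page, the moved copy should call the AppRole method (or relabel the comment) instead of carrying the mismatch over. Also, per the hunk header 83 of 89 lines are deleted and only 6 context lines remain, which puts the `## Maven Artifact` snippet (groupId `de.stklcode.jvault`, artifactId `connector`, version 0.7.1) inside the removed range; confirm the dependency coordinates are restored on another page, since they are the first thing a new user needs.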

Usage-Secrets.md Normal file

@ -0,0 +1,80 @@
# Java Vault Connector
## Usage Examples
### Secrets
The connector supports reading and writing of secrets to any exposed location inside Vault.
Several common features have been abstracted to reduce overhead code.
#### Basic read and write operations
```java
VaultConnector connector = ...;
// Read arbitrary location.
SecretResponse secret = connector.read("secret/to/read");
// Get attribute from secret.
Object value = secret.get("value");
// Parse attribute (JSON) into custom class.
MyClass customValue = secret.get("custom_value", MyClass.class);
// Write data to Vault.
Map<String, Object> data = new HashMap<>();
data.put("attr1", "value1");
data.put("attr2", 42);
connector.write("secret/to/write", data);
// Delete a secret-
connector.deleteSecret("secret/to/delete");
```
#### Read and write to default _secret/_ mount
```java
// Read from "secret/to/read".
SecretResponse secret = connector.readSecret("to/read");
// Write to "secret/to/write".
connector.writeSecret("to/write", data);
// Delete a secret "secret/to/delete.
connector.deleteSecret("to/delete");
```
#### Read and write data/metadata with KV v2 backend
```java
// Read current data version, expands to "mount/data/to/read".
SecretResponse secret = connector.readSecretData("mount", "to/read");
// Read a specific version of this secret.
secret = connector.readSecretVersion("mount", "to/read", 5);
// Read metadata, expands to "mount/metadata/to/read".
MetadataResponse meta = connector.readSecretMetadata("mount", "to/read");
// Write a KV v2 secret, expands to "mount/data/to/write".
SecretVersionResponse newVersion = connector.writeSecretData("mount", "to/write", data);
// Write to KV v2 with Check-And-Set for specific version.
newVersion = connector.writeSecretData("mount", "to/write", data, 3);
// Update metadata to maximum Versions 10 and enforce CAS.
connector.updateSecretMetadata("mount", "to/write", 10, true);
// Delete specifc secret version(s). undelete...() and destroy...() also available.
connector.deleteSecretVersions("mount", "to/delete", 1, 2, 4);
```
#### Read database credentials.
```java
// For arbitrary mount point.
CredentialsResponse cred = connector.readDbCredentials("role", "mount");
String username = cred.getUsername();
String password = cred.getPassword();
// Convenience for default MySQL, PostgreSQL and MongoDB backends.
cred = connector.readMySqlCredentials("role");
cred = connector.readPostgreSqlCredentials("role");
cred = connector.readMongoDbCredentials("role");
```
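Review bot: in the "Basic read and write operations" block, `connector.deleteSecret("secret/to/delete");` sits next to `connector.read("secret/to/read")` and `connector.write("secret/to/write", data)`, but the following section documents `deleteSecret` as the helper that prepends `secret/` (`connector.deleteSecret("to/delete")` for "secret/to/delete"), so the basic example would address `secret/secret/to/delete`; use the unprefixed method the old Home.md example used (`vault.delete("any/path/to/write")`), i.e. `connector.delete("secret/to/delete")`. Smaller items: `// Delete a secret-` has a stray hyphen, `// Delete a secret "secret/to/delete.` is missing its closing quote, `specifc` in the version-delete comment, `maximum Versions` should be lower case, and `#### Read database credentials.` is the only heading ending in a period. In the database section `readDbCredentials("role", "mount")` takes the mount second while every KV v2 call above takes the mount first; if that is the real signature, state the argument order in the comment, because readers will assume the same order as `readSecretData("mount", "to/read")`. A sentence noting that database credentials are dynamic and leased, so `username`/`password` must not be cached beyond the lease, would also help here.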

@ -11,3 +11,4 @@ For a complete guide refer to the API docs.
### Topics:
* [[Connection|Usage Connection]]
* [[Authorization|Usage Authorization]]
* [[Secrets|Usage Secrets]]

@ -5,3 +5,4 @@
# [[Usage Examples|Usage]]
* [[Connection|Usage Connection]]
* [[Authorization|Usage Authorization]]
* [[Secrets|Usage Secrets]]