Deploys HashiCorp Vault for centralized secrets management in cloud environments with dynamic database/cloud credentials, Transit Encryption, PKI certs, and Kubernetes integration. Replaces hard-coded secrets in apps and CI/CD.
```bash
npx claudepluginhub killvxk/cybersecurity-skills-zh
```

- When applications store database passwords, API keys or certificates in environment variables or configuration files
Deploys HashiCorp Vault for centralized secrets management in cloud environments: dynamic secrets for databases/cloud providers, transit encryption, PKI, Kubernetes integration. Eliminates hardcoded credentials in apps and CI/CD via short-lived rotated secrets.
Deploys HashiCorp Vault in HA mode for dynamic secrets, transit encryption, PKI management, and Kubernetes integration to eliminate hardcoded credentials in apps and CI/CD.
Implements HashiCorp Vault dynamic secrets for database credentials, AWS IAM keys, and PKI certificates with automatic generation, lease management, and rotation to eliminate static secrets. Useful for configuring Vault engines, dynamic DB creds, ephemeral cloud creds, or auto rotation.
Not applicable to: pure AWS environments (where AWS Secrets Manager is sufficient and there is no multi-cloud requirement), application-layer encryption logic (although Vault Transit can help implement it), or identity federation scenarios (see managing-cloud-identity-with-okta).
Deploy Vault with Integrated Storage (Raft) to get HA without external dependencies. Configure TLS, audit logging and cloud-KMS-based auto-unseal.

```hcl
# vault-config.hcl
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-node-1"
  retry_join {
    leader_api_addr = "https://vault-node-2.internal:8200"
  }
  retry_join {
    leader_api_addr = "https://vault-node-3.internal:8200"
  }
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/vault.crt"
  tls_key_file  = "/opt/vault/tls/vault.key"
}

seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "alias/vault-unseal-key"
}

api_addr     = "https://vault-node-1.internal:8200"
cluster_addr = "https://vault-node-1.internal:8201"

telemetry {
  prometheus_retention_time = "30s"
  disable_hostname          = true
}
```

```bash
# Initialize Vault. With the awskms seal configured above the unseal key lives in
# KMS, so init produces recovery keys instead of Shamir unseal key shares.
vault operator init -recovery-shares=5 -recovery-threshold=3
# Enable the file audit device
vault audit enable file file_path=/var/log/vault/audit.log
# Enable the syslog audit device for SIEM integration
vault audit enable syslog tag="vault" facility="AUTH"
```
Enable authentication backends for human operators, applications and CI/CD pipelines. Use AppRole for machine authentication and OIDC for human access.

```bash
# Enable OIDC authentication for human users via Okta
vault auth enable oidc
vault write auth/oidc/config \
  oidc_discovery_url="https://company.okta.com/oauth2/default" \
  oidc_client_id="vault-client-id" \
  oidc_client_secret="vault-client-secret" \
  default_role="default"

# Enable AppRole for application authentication
vault auth enable approle
vault write auth/approle/role/web-app \
  secret_id_ttl=10m \
  token_num_uses=10 \
  token_ttl=20m \
  token_max_ttl=30m \
  secret_id_num_uses=1 \
  token_policies="web-app-policy"

# Enable Kubernetes authentication for Pod access
vault auth enable kubernetes
vault write auth/kubernetes/config \
  kubernetes_host="https://kubernetes.default.svc:443" \
  token_reviewer_jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token \
  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# Bind the service account used by the web-app Deployment below to its policy
# (the namespace "default" is an assumption; adjust to where the Pod runs)
vault write auth/kubernetes/role/web-app \
  bound_service_account_names=web-app \
  bound_service_account_namespaces=default \
  policies=web-app-policy \
  ttl=20m
```
Configure the database secrets engine to generate short-lived credentials on demand. Each set of credentials carries a TTL and is revoked automatically when it expires.

```bash
# Enable the database secrets engine for PostgreSQL
vault secrets enable database
vault write database/config/production-db \
  plugin_name=postgresql-database-plugin \
  allowed_roles="readonly,readwrite" \
  connection_url="postgresql://{{username}}:{{password}}@db.internal:5432/production?sslmode=require" \
  username="vault_admin" \
  password="initial-password"
# Rotate the root credentials so that only Vault knows them from now on
vault write -force database/rotate-root/production-db

# Create a read-only role with a 1 hour TTL
vault write database/roles/readonly \
  db_name=production-db \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  revocation_statements="REVOKE ALL ON ALL TABLES IN SCHEMA public FROM \"{{name}}\"; DROP ROLE IF EXISTS \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"

# Enable the AWS secrets engine to generate IAM credentials dynamically
vault secrets enable aws
vault write aws/config/root \
  access_key=AKIAEXAMPLE \
  secret_key=secretkey \
  region=us-east-1
# Rotate the AWS root credentials as well, so the bootstrap key is no longer valid
vault write -f aws/config/rotate-root
# iam_user credentials are bounded by the engine's lease settings;
# default_sts_ttl only applies to assumed_role and federation_token roles
vault write aws/config/lease lease=1h lease_max=24h
vault write aws/roles/deploy-role \
  credential_type=iam_user \
  policy_document=@deploy-policy.json
```
Use the Vault Agent Injector or the CSI Provider to deliver secrets to Pods without modifying application code. Secrets are rendered as files into a shared volume.

```yaml
# Kubernetes Deployment with Vault Agent Injector annotations
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
spec:
  selector:
    matchLabels:
      app: web-app
  template:
    metadata:
      labels:
        app: web-app
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "web-app"
        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/readonly"
        vault.hashicorp.com/agent-inject-template-db-creds: |
          {{- with secret "database/creds/readonly" -}}
          export DB_USERNAME="{{ .Data.username }}"
          export DB_PASSWORD="{{ .Data.password }}"
          {{- end }}
    spec:
      serviceAccountName: web-app
      containers:
        - name: web-app
          image: company/web-app:v2.1
          # POSIX sh has no `source` builtin; `.` loads the rendered file
          command: ["/bin/sh", "-c", ". /vault/secrets/db-creds && ./start.sh"]
```
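Application-side counterpart to the injection above, added here as an example (not part of the skill): the agent re-renders /vault/secrets/db-creds with fresh credentials before the lease expires, so a long-running process has to re-read the file instead of parsing it once at startup. The parser handles the `export NAME="value"` lines the template renders; the path and the sample content are constructed.

```python
import os
import re
from typing import Dict, Optional

# One line of the rendered template, e.g. export DB_PASSWORD="A1b2-..."
# Escaped quotes in the value are tolerated defensively; generated passwords normally have none.
EXPORT_LINE = re.compile(r'^\s*export\s+([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"\s*$')


def parse_export_file(text: str) -> Dict[str, str]:
    """Parse the `export NAME="value"` lines Vault Agent renders into a dict."""
    creds: Dict[str, str] = {}
    for line in text.splitlines():
        match = EXPORT_LINE.match(line)
        if match:
            creds[match.group(1)] = match.group(2).replace('\\"', '"')
    return creds


class InjectedCredentials:
    """Re-reads the rendered secret file whenever the agent rewrites it.

    Vault Agent replaces the file with new credentials ahead of lease expiry,
    so a changed mtime is the signal that a rotation happened.
    """

    def __init__(self, path: str = "/vault/secrets/db-creds") -> None:
        self.path = path
        self._mtime: Optional[int] = None
        self._creds: Dict[str, str] = {}

    def current(self) -> Dict[str, str]:
        mtime = os.stat(self.path).st_mtime_ns
        if mtime != self._mtime:
            with open(self.path, encoding="utf-8") as fh:
                self._creds = parse_export_file(fh.read())
            self._mtime = mtime
        return self._creds

    def changed_since(self, seen: Dict[str, str]) -> bool:
        """True if credentials rotated since `seen` was read (time to reconnect)."""
        return self.current() != seen


# Constructed sample of what the template above renders; a real rendering
# carries a Vault-generated username such as v-kubernet-readonly-<random>.
SAMPLE_RENDERED = '''export DB_USERNAME="v-kubernet-readonly-sample"
export DB_PASSWORD="s3cr3t-\\"quoted\\"-value"
'''
```

A database client built on this should call `changed_since()` when a connection fails to authenticate and reconnect with `current()`, which is what keeps long-running jobs alive across the 1 hour TTL of the readonly role.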
Use the Transit secrets engine for application-layer encryption as a service without managing keys in application code. Deploy the PKI engine for automated TLS certificate management.

```bash
# Enable the Transit engine for encryption as a service
vault secrets enable transit
vault write -f transit/keys/payment-data type=aes256-gcm96
# Encrypt sensitive data (plaintext must be base64; printf avoids a trailing newline)
vault write transit/encrypt/payment-data \
  plaintext=$(printf '%s' "card-number-4111-1111-1111-1111" | base64)

# Enable PKI for internal certificate management
vault secrets enable pki
vault secrets tune -max-lease-ttl=87600h pki
# Generate the root CA
vault write pki/root/generate/internal \
  common_name="Internal Root CA" \
  ttl=87600h

# Configure an intermediate CA for issuing certificates:
# generate its CSR, sign it with the root, then install the signed certificate
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int
vault write -field=csr pki_int/intermediate/generate/internal \
  common_name="Internal Intermediate CA" > pki_int.csr
vault write -field=certificate pki/root/sign-intermediate \
  csr=@pki_int.csr \
  format=pem_bundle \
  ttl=43800h > pki_int.cert.pem
vault write pki_int/intermediate/set-signed certificate=@pki_int.cert.pem

# Create a certificate issuing role
vault write pki_int/roles/internal-services \
  allowed_domains="internal.company.com" \
  allow_subdomains=true \
  max_ttl=720h
```
Define fine-grained ACL policies following the principle of least privilege. Enable comprehensive audit logging for all secret access and administrative operations.

```hcl
# web-app-policy.hcl
path "database/creds/readonly" {
  capabilities = ["read"]
}
path "transit/encrypt/payment-data" {
  capabilities = ["update"]
}
path "transit/decrypt/payment-data" {
  capabilities = ["update"]
}
path "secret/data/web-app/*" {
  capabilities = ["read", "list"]
}
# Deny access to administrative paths
path "sys/*" {
  capabilities = ["deny"]
}
```

```bash
# Apply the policy
vault policy write web-app-policy web-app-policy.hcl
# Verify that audit devices capture all operations
vault audit list -detailed
```
| Term | Definition |
|---|---|
| Dynamic Secrets | Credentials generated on demand that expire and are revoked automatically, eliminating long-lived static credentials |
| Secret Engine | Vault component that stores, generates or encrypts data; includes the KV, database, AWS, PKI and Transit engines |
| Auto-Unseal | Cloud-KMS-based mechanism that unseals Vault nodes automatically on restart, with no manual key entry |
| AppRole | Machine-oriented auth method using a Role ID and Secret ID for application and CI/CD pipeline access |
| Transit Engine | Encryption-as-a-service engine that performs cryptographic operations without exposing the encryption keys to applications |
| Lease | Time-bound credential with a TTL that Vault revokes automatically on expiry unless it is renewed |
| Namespace | Vault Enterprise feature providing tenant isolation with separate auth, secrets and policy management |
| Response Wrapping | Technique that wraps a secret response in a single-use token, preventing exposure to man-in-the-middle attacks in transit |
Scenario: A DevOps team stores PostgreSQL credentials in GitHub Actions secrets and the Jenkins credentials store. The same credentials are shared between the test and production environments and have not been rotated for 18 months.

Approach:

Common pitfalls: the original static credentials are not rotated after the Vault migration, so the old credentials remain valid. TTLs set too short cause the credentials of long-running jobs to expire in the middle of a deployment.
```text
Vault Secrets Management Audit Report
=======================================
Vault cluster:  vault.internal.company.com
Version:        1.18.1 Enterprise
HA mode:        Raft (3 nodes)
Seal type:      AWS KMS auto-unseal
Report date:    2025-02-23

Secrets engines:
  database/    PostgreSQL dynamic credentials    active leases: 47
  aws/         dynamic IAM credentials           active leases: 12
  transit/     encryption as a service           keys: 8
  pki/         root CA                           certificates issued: 0
  pki_int/     intermediate CA                   certificates issued: 234
  secret/      KV v2 static secrets              versions: 1,892

Auth methods:
  oidc/        Okta SSO (human users)            active tokens: 23
  approle/     CI/CD pipelines                   active tokens: 156
  kubernetes/  Pod-based authentication          active tokens: 89

Audit findings:
  [WARN] 3 AppRoles have secret_id_num_uses set to 0 (unlimited)
  [WARN] 12 KV secrets not accessed in over 90 days (potential orphaned secrets)
  [PASS] All dynamic secret TTLs are below 24 hours
  [PASS] Audit logging enabled on all nodes
  [PASS] Root token revoked after initial setup

Credential hygiene:
  Static secrets (KV):          234
  Active dynamic secrets:       59
  Average lease TTL:            2.3 hours
  Secrets rotated this month:   12,456
```
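The WARN and PASS lines about AppRole SecretID limits and dynamic-secret TTLs can be produced mechanically from role configuration. The checker below is an added example, not part of the skill: it evaluates role settings in the shape of the `data` object that `vault read -format=json` returns, with the sample roles constructed inline so it runs offline.

```python
from typing import Dict, List, Tuple

ONE_DAY = 24 * 3600  # the report's ceiling for dynamic-secret TTLs, in seconds

# Constructed samples shaped like the `data` object of
# `vault read -format=json auth/approle/role/<name>` (durations in seconds).
APPROLE_ROLES = {
    "web-app":   {"secret_id_num_uses": 1, "secret_id_ttl": 600, "token_max_ttl": 1800},
    "legacy-ci": {"secret_id_num_uses": 0, "secret_id_ttl": 0, "token_max_ttl": 0},
}
# Constructed samples shaped like `vault read -format=json database/roles/<name>`.
DB_ROLES = {
    "readonly":  {"default_ttl": 3600, "max_ttl": 86400},
    "batch-etl": {"default_ttl": 172800, "max_ttl": 604800},
}


def check_approle(name: str, cfg: Dict) -> List[str]:
    """Flag settings that let a leaked SecretID or the tokens it mints live on."""
    warns = []
    if cfg.get("secret_id_num_uses", 0) == 0:
        warns.append(f"approle/{name}: secret_id_num_uses=0 (SecretID reusable without limit)")
    if cfg.get("secret_id_ttl", 0) == 0:
        warns.append(f"approle/{name}: secret_id_ttl=0 (SecretID never expires)")
    if cfg.get("token_max_ttl", 0) == 0:
        warns.append(f"approle/{name}: token_max_ttl=0 (inherits the mount/system maximum)")
    return warns


def check_db_role(name: str, cfg: Dict) -> List[str]:
    """Flag dynamic DB roles whose credentials can live longer than 24 hours."""
    warns = []
    for key in ("default_ttl", "max_ttl"):
        ttl = cfg.get(key, 0)
        if ttl == 0 or ttl > ONE_DAY:  # 0 inherits the mount default (768h unless tuned)
            warns.append(f"database/roles/{name}: {key}={ttl}s is not within (0, 24h]")
    return warns


def audit(approles: Dict[str, Dict], db_roles: Dict[str, Dict]) -> Tuple[List[str], List[str]]:
    """Return (WARN lines, PASS lines) in the style of the report above."""
    warns: List[str] = []
    for name, cfg in approles.items():
        warns += check_approle(name, cfg)
    db_warns: List[str] = []
    for name, cfg in db_roles.items():
        db_warns += check_db_role(name, cfg)
    passes = [] if db_warns else ["All dynamic secret TTLs are below 24 hours"]
    return warns + db_warns, passes
```

Feed it the output of `vault list auth/approle/role` and `vault list database/roles` read in a loop, and the WARN lines map directly onto the report section.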