- Build Containers
- Initialize & unseal Vault
- Check services are registered & healthy
- Configure Vault
- Configure the PHP App
Use the helper script (bash) `./compose`:

```bash
./compose up
```

or you can manually run the following:

```bash
docker-compose -f docker-compose.yml -f vault.yml -f consul.yml up -d
bin/vault init
bin/vault unseal # 3 times
```

Then write a secret (e.g. mysql password):

```bash
bin/vault auth # enter root token
bin/vault write secret/app/mysql/password value=eureka1
```
The `vault.yml` file exposes Vault's Consul client to the host machine. You can access the Consul UI by browsing to http://127.0.0.1:8500
Next, we will mount the database secrets backend with the mysql plugin and configure it to create users for our database dynamically.

First use the mysql `root` user to create another user that has GRANT privileges on the `myapp` database and can connect to it from the `vault` container. The mysql `root` password can be found towards the top of the log output of the `mysql` container.
```sql
CREATE USER 'vault'@'%' IDENTIFIED BY 'some_pass';
GRANT ALL PRIVILEGES ON *.* TO 'vault'@'%' WITH GRANT OPTION;
# (the privileges above could be more restrictive: Vault only needs CREATE USER
#  on *.*, which also covers DROP USER for revocation, plus -- WITH GRANT OPTION --
#  whatever privileges the role's creation statements hand out to dynamic users)
FLUSH PRIVILEGES;
```
Then we will show Vault how to connect with that user:

```bash
bin/vault mount database
bin/vault write database/config/mysql "plugin_name=mysql-database-plugin connection_url=\"vault:some_pass@tcp(mysql:3306)/myapp\" allowed_roles=readonly"
bin/vault write database/roles/readonly \
    db_name=mysql \
    default_ttl=1h \
    max_ttl=24h \
    creation_statements=@/vault/config/mysql/readonly_grant.sql
# recommended: review that file to understand what's going on
```
You should now be able to ask Vault for access to the "myapp" database by reading credentials (`creds`) from the role we just created:

```bash
bin/vault read database/creds/readonly
```

Vault should print a username and password that you (or an app) can use to make `SELECT` queries on the `myapp` database.
- Install dependencies using Composer. You can do this on the host if you're using PHP 7.0 or greater. Otherwise you'll have to log in to the container:

  ```bash
  ./compose exec app bash
  ```

- Copy the `.dist` files inside `app/src/config/autoload` and adjust if necessary.
- Then create a policy in Vault for the app:

  ```bash
  bin/vault policy-write app -< ./app/vault/acl.hcl
  ```

- And a token with that policy:

  ```bash
  bin/vault token-create -policy=app -format=json > app/src/data/vault_token.json
  ```
Now you should be able to browse to http://localhost:8080/ and see Vault in action!

- The application will request a "readonly" role from Vault
- It will use that to query the `myapp` table for some info.
- If all works, you should see a green success message on the homepage.
- Cache & automatically renew leases
- Use an Auth Backend (probably App Role) to avoid having to create and use `vault_token.json`
- Create helper scripts that will automate the Vault setup
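The first item above (cache and renew leases) is where the credentials read from `database/creds/readonly` earlier turn into real bookkeeping: the app has to know when the `default_ttl=1h` lease should be renewed and when renewal is pointless because `max_ttl=24h` has been reached, at which point a new user must be requested instead. The following is an added example written for this README, not code from the project; it parses a constructed sample of the JSON that `bin/vault read -format=json database/creds/readonly` prints (request id, lease id, username and password are made up) and models renewal with an assumed "renew at two thirds of the lease" policy and an assumed server behaviour of granting another `default_ttl`, clipped at `max_ttl`.

```python
import json
from dataclasses import dataclass, replace

# Values taken from the role defined in this README:
#   default_ttl=1h  max_ttl=24h
DEFAULT_TTL = 3600
MAX_TTL = 24 * 3600
# Assumed policy: try to renew once two thirds of the lease has elapsed.
RENEW_FRACTION = 2 / 3

# Constructed sample of what `bin/vault read -format=json database/creds/readonly`
# prints; request_id, lease_id, username and password are made up and only
# follow the shape of the real output.
SAMPLE_CREDS_JSON = """{
  "request_id": "00000000-0000-0000-0000-000000000000",
  "lease_id": "database/creds/readonly/0123456789abcdef-constructed",
  "lease_duration": 3600,
  "renewable": true,
  "data": {
    "username": "v-token-readonly-constructed",
    "password": "A1a-constructed-password"
  },
  "warnings": null
}"""


@dataclass(frozen=True)
class DbLease:
    lease_id: str
    username: str
    password: str
    issued_at: float      # epoch seconds when this lease period started
    lease_duration: int   # seconds the current period is valid for
    renewable: bool
    max_expiry: float     # first issue time + max_ttl; renewal never passes it

    def expires_at(self) -> float:
        return self.issued_at + self.lease_duration

    def renew_at(self) -> float:
        return self.issued_at + self.lease_duration * RENEW_FRACTION


def parse_creds(raw_json: str, now: float, max_ttl: int = MAX_TTL) -> DbLease:
    """Turn the JSON from `vault read -format=json database/creds/<role>`
    into a lease record the app can cache."""
    doc = json.loads(raw_json)
    data = doc["data"]
    return DbLease(
        lease_id=doc["lease_id"],
        username=data["username"],
        password=data["password"],
        issued_at=now,
        lease_duration=int(doc["lease_duration"]),
        renewable=bool(doc.get("renewable", False)),
        max_expiry=now + max_ttl,
    )


def next_action(lease: DbLease, now: float) -> str:
    """What the app's credential cache should do at time `now`:
    'use'    - keep using the cached username/password
    'renew'  - past the renew point, lease is renewable and max_ttl leaves room
    'reread' - lease has expired, cannot be renewed, or is already capped at
               max_ttl: read database/creds/<role> again for a fresh user
    """
    if now >= lease.expires_at():
        return "reread"
    if now < lease.renew_at():
        return "use"
    if not lease.renewable or lease.expires_at() >= lease.max_expiry:
        return "reread"
    return "renew"


def apply_renewal(lease: DbLease, now: float, increment: int = DEFAULT_TTL) -> DbLease:
    """Model of a successful `vault renew <lease_id>` (assumption: the server
    grants `increment` seconds from now, clipped so the lease never outlives
    max_ttl)."""
    new_expiry = min(now + increment, lease.max_expiry)
    return replace(lease, issued_at=now, lease_duration=int(new_expiry - now))


if __name__ == "__main__":
    t0 = 1_000_000.0
    lease = parse_creds(SAMPLE_CREDS_JSON, t0)
    for offset in (100, 2500, 3600):
        print(offset, next_action(lease, t0 + offset))
```

The point of the `max_expiry` field is the part that is easy to get wrong: a renewal close to the 24h mark succeeds but only returns the remaining minutes, so a cache that keeps renewing blindly will eventually hold a user that Vault has already dropped. Checking `expires_at() >= max_expiry` before renewing lets the app fetch a fresh username/password while the old one is still valid.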