Setting up Azure
First create a Storage account and note:
- the storage account name
- an account key (either of the two keys will do)
Then create a Key Vault, go to Keys, create a new key, and note:
- the Tenant ID
- the Key Vault name
- the name of the newly created key
Next we need to configure the Key Vault's access policy.
- If the Vault server runs on an Azure VM, add that virtual machine
- Otherwise, register a new application in Azure AD and add that application
For permissions, selecting everything under key permissions is sufficient. If you registered a new application, you also need to generate a client secret in that application.
Setting up HashiCorp Vault
Reference configuration file:
```hcl
storage "azure" {
  accountName = "storage-account-name"
  accountKey  = "storage-account-key"
  container   = "blob-storage-name"
  environment = "AzurePublicCloud"
}

seal "azurekeyvault" {
  tenant_id  = "your-aad-tenant-id"
  vault_name = "key-vault-name"
  key_name   = "key-name"
  # only if Vault server is not run on Azure VM:
  client_id     = "aad application client id"
  client_secret = "aad application client secret"
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}

ui = true
#log_level = "Trace"
default_lease_ttl = "30m"
max_lease_ttl = "43800h"
disable_mlock = false
disable_cache = false
cluster_name = "test-cluster"
# cannot use with free version
disable_sealwrap = true
```
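As an added example (not part of the original post), a small Python checker for a vault.conf shaped like the one above: it parses the stanzas this file uses and flags the settings that matter once the file leaves a test box, namely credentials written inline (accountKey and client_secret, which the storage backend and seal can instead read from the AZURE_ACCOUNT_KEY and AZURE_CLIENT_SECRET environment variables Vault documents for them), a TLS-disabled listener bound beyond loopback, and disable_mlock = true. The embedded sample configuration is constructed to mirror the one above with placeholder values.

```python
import re

# Constructed sample mirroring the page's vault.conf (placeholder values, no real secrets).
SAMPLE_CONF = '''
storage "azure" {
  accountName = "storage-account-name"
  accountKey  = "storage-account-key"
  container   = "blob-storage-name"
}
seal "azurekeyvault" {
  tenant_id  = "your-aad-tenant-id"
  vault_name = "key-vault-name"
  key_name   = "key-name"
  # only if Vault server is not run on Azure VM:
  client_id     = "aad application client id"
  client_secret = "aad application client secret"
}
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
disable_mlock = false
'''

# HCL subset used by vault.conf: labelled blocks `type "label" { ... }` and `key = value` lines.
BLOCK_RE = re.compile(r'^\s*(\w+)\s+"([^"]+)"\s*\{(.*?)^\s*\}', re.S | re.M)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n#]*?)"?\s*$', re.M)

def parse_conf(text):
    """Return ({(block_type, label): {key: value}}, {top_level_key: value})."""
    blocks = {(m.group(1), m.group(2)): dict(KV_RE.findall(m.group(3)))
              for m in BLOCK_RE.finditer(text)}
    return blocks, dict(KV_RE.findall(BLOCK_RE.sub("", text)))

def audit(text):
    """Return finding codes for weak settings; an empty list means nothing was flagged."""
    blocks, top = parse_conf(text)
    findings = []
    if blocks.get(("storage", "azure"), {}).get("accountKey"):
        findings.append("SECRET_IN_CONFIG:accountKey")      # use AZURE_ACCOUNT_KEY instead
    if blocks.get(("seal", "azurekeyvault"), {}).get("client_secret"):
        findings.append("SECRET_IN_CONFIG:client_secret")   # use AZURE_CLIENT_SECRET instead
    listener = blocks.get(("listener", "tcp"), {})
    host = listener.get("address", "").rsplit(":", 1)[0]
    if listener.get("tls_disable") in ("1", "true") and host not in ("127.0.0.1", "localhost", "[::1]"):
        findings.append("PLAINTEXT_LISTENER:" + listener["address"])  # API reachable without TLS
    if top.get("disable_mlock") == "true":
        findings.append("MLOCK_DISABLED")                    # master key material may be swapped to disk
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)) or "no findings")
```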
Initializing HashiCorp Vault
```powershell
.\vault.exe server "-config=vault.conf"
```
Start the server, then open http://localhost:8200/ui/vault/init
and complete the initialization wizard.