Save random strings to the key/value v2 plugin
Use password policies to generate random strings and save the strings to your key/value v2 plugin.
Before you start
- **You must have
read
,create
, andupdate
permission for password policies. - You must have
create
andupdate
permission for yourkv
v2 plugin.
Step 1: Create a password policy file
Create an HCL file with a password policy with the desired randomization and generation rules.
For example, the following password policy requires a string 20 characters long that includes:
- at least one lowercase character
- at least one uppercase character
- at least one number
- at least two special characters
length=20 rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1} rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1} rule "charset" { charset = "0123456789" min-chars = 1} rule "charset" { charset = "!@#$%^&*STUVWXYZ" min-chars = 2}
Step 2: Save the password policy
Use vault write
to save policies to the password policies endpoint
(sys/policies/password/<policy_name>
):
$ vault write sys/policies/password/<policy_name> policy=@<policy_file>
For example:
$ vault write sys/policies/password/randomize policy=@password-rules.hcl Success! Data written to: sys/policies/password/randomize
Step 3: Save a random string to kv
v2
Use vault read
and the generate
endpoint of the new password policy to
generate a new random string and write it to the kv
plugin with
vault kv put
:
$ vault kv put \ -mount <mount_path> \ <secret_path> \ <key_name>=$( \ vault read -field password \ sys/policies/password/<policy_name>/generate \ )
For example:
$ vault kv put \ -mount shared \ /dev/seeds \ seed1=$( \ vault read -field password \ sys/policies/password/randomize/generate \ ) ==== Secret Path ====shared/data/dev/seeds ======= Metadata =======Key Value--- -----created_time 2024-11-15T23:15:31.929717548Zcustom_metadata <nil>deletion_time n/adestroyed falseversion 1
Step 4: Verify the data in Vault
Use vault kv get
with the -field
flag to read
the randomized string from the relevant secret path:
$ vault kv get \ -mount <mount_path> \ -field <field_name> \ <secret_path>
For example:
$ vault kv get -mount shared -field seed1 dev/seeds g0bc0b6W3ii^SXa@*ie5