1. Commands

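# Grant the Vault auto-unseal service account access to the "vault-init" KMS key.
# Why this differs from the two earlier attempts kept in the notes:
#  * --member needs the "serviceAccount:" prefix; the bare e-mail form is rejected.
#  * "cloudkms.cryptoKeys.get" is an IAM *permission*, not a role, so it is not a
#    valid --role value.
#  * add-iam-policy-binding appears to take a single --role; a repeated flag
#    overrides the earlier one, so "--role A --role B" binds only B. Make one
#    call per role instead.
#  * roles/cloudkms.admin is far broader than the seal needs (it allows key
#    creation/destruction and IAM changes on the keyring). The unseal path only
#    needs encrypt/decrypt plus cryptoKeys.get, which roles/cloudkms.viewer
#    covers, so the binding is limited to those two roles.
gcloud kms keys add-iam-policy-binding \
  vault-init \
  --location global \
  --keyring vault \
  --member serviceAccount:vault-919@altenar-x001-vault.iam.gserviceaccount.com \
  --role roles/cloudkms.cryptoKeyEncrypterDecrypter \
  --project altenar-x001-vault

gcloud kms keys add-iam-policy-binding \
  vault-init \
  --location global \
  --keyring vault \
  --member serviceAccount:vault-919@altenar-x001-vault.iam.gserviceaccount.com \
  --role roles/cloudkms.viewer \
  --project altenar-x001-vault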

# Open a shell in the first Vault pod; the commands that follow run inside it.
kubectl -n vault exec -it vault-0 -- sh

# Initialise the cluster once. This prints the recovery key shares and the
# initial root token (the values pasted below this block). That output is a
# complete credential set for the cluster: keep it out of this file, and
# rotate/revoke it if it has already been recorded here.
vault operator init
vault status
# NOTE(review): a live root token is pinned here and again below. Prefer
# `vault login` at the prompt so the token is not persisted in the notes or
# in shell history, and revoke the root token once another auth method is
# configured (`vault token revoke -self` from that session).
export VAULT_TOKEN=s.pmC3bJaRGIBTNeT5hZlxskRR
vault operator raft list-peers


Recovery Key 1: BtwbjRVIS1DoptICZHhyXfirtz+Iah05l6xpCjWAwEP7
Recovery Key 2: Au4IWqbWkxGVQM8URD1TDf4lEQCsF55BUVcfKNfiugUI
Recovery Key 3: tzL5nb3ZXwmpojIDDB+FwsKSVV9NYEh1ZwGbOu5Gv/LW
Recovery Key 4: VEThdhrLUzlVlGLbMy1pPfi3b32lmlboy7UEzAtGAkrp
Recovery Key 5: EBX2urU++Xi9zbkou8htpjn7UwECWsUp55hcAU26BvyJ

Initial Root Token: s.pmC3bJaRGIBTNeT5hZlxskRR


# Join vault-1 and vault-2 to the raft cluster led by vault-0 over TLS. The CA
# from the mounted vault-tls secret is pinned so the leader's certificate is
# verified. "--address" points the CLI at the node that should join; the
# trailing positional argument is the leader's API address.
vault operator raft join -leader-ca-cert="$(cat /vault/userconfig/vault-tls/vault_ca)" --address "https://vault-1.vault-internal:8200" "https://vault-0.vault-internal:8200"

vault operator raft join -leader-ca-cert="$(cat /vault/userconfig/vault-tls/vault_ca)" --address "https://vault-2.vault-internal:8200" "https://vault-0.vault-internal:8200"

vault operator raft list-peers

# NOTE(review): running init against an already-initialised cluster just
# errors out; the longer client timeout presumably mattered for the first
# init against the KMS seal — confirm which run this line belongs to.
VAULT_CLIENT_TIMEOUT=300s vault operator init

# KV v1 engine mounted at kv/ (no versioning: `kv delete` removes data outright).
vault secrets enable -version=1 kv

--- Snapshot TEST----
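# Round-trip a raft snapshot: write a test value, snapshot, delete the value,
# restore, and read it back. The final read is the actual check — it must show
# the value again, otherwise the restore did not work.
vault kv put kv/my-secret my-value=s3cr3t
vault kv get kv/my-secret
# The snapshot holds the entire (barrier-encrypted) storage backend, not just
# this key, so handle the file like the data itself and remove it afterwards.
vault operator raft snapshot save /tmp/test.snap
vault kv delete kv/my-secret
vault kv get kv/my-secret
vault operator raft snapshot restore /tmp/test.snap
# Fix: the original read back "kv/my-secre" (typo), which always returns
# "no value" and would mask a failed restore.
vault kv get kv/my-secret
# Clean up the test snapshot from the pod's /tmp.
rm -f -- /tmp/test.snap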


----

To generate unseal keys for Keybase users, Vault accepts the `keybase:` prefix in the `-pgp-keys` argument:

$ vault operator init -key-shares=3 -key-threshold=2 \
    -pgp-keys="keybase:jefferai,keybase:vishalnayak,keybase:sethvargo"

---------HTTP-- 
# Same join sequence as above but with TLS disabled (plain http://). Raft
# join/replication traffic and every API call, including the unseal key shares
# sent below, then cross the pod network in clear; this is only usable for a
# throwaway test cluster — the TLS variant above is the one to keep.
vault operator raft list-peers
vault operator raft join --address "http://vault-1.vault-internal:8200" "http://vault-0.vault-internal:8200"
vault operator raft join --address "http://vault-2.vault-internal:8200" "http://vault-0.vault-internal:8200"
# Copy a snapshot out of the pod. NOTE(review): the namespace here is "default"
# while the exec above uses "-n vault" — confirm which cluster this targets.
# The snapshot is the full storage backend; ~/dumps should not be readable by
# other users on the workstation.
kubectl cp default/vault-0:/tmp/importtest.snap ~/dumps/importtest.snap


# Copy a snapshot back into the pod for import.
kubectl cp ~/dumps/importtest.snap default/vault-0:/tmp/importtest.snap

# -force allows restoring a snapshot taken on a different cluster (raft
# configuration / cluster ID mismatch). The node comes back sealed and must be
# unsealed with the keys of the cluster the snapshot came from, which is why
# the unseal commands follow.
vault operator raft snapshot restore -force /tmp/importtest.snap

# NOTE(review): three live unseal key shares are recorded in plain text here;
# they are worth as much as the data in the snapshot and should be rotated
# with `vault operator rekey` if this file has been shared.
vault operator unseal 5NHweUaukTW/bpuaT6DhIZBbY6sLJOE4e5mNNmPQ5F62
vault operator unseal 1ebjHOMDhF7DdNb+3MvddCFlJBI6cg3EPXP4gfOUgXSE
vault operator unseal aqsQbSG8g0XUvEE+D45U0RtGnj02BcDWqk20yYQ5iuMu

vault operator raft list-peers
