Save random strings to the key/value v2 plugin
Use password policies to generate random strings and save the strings to your key/value v2 plugin.
Before you start
- **You must have
read
,create
, andupdate
permission for password policies. - You must have
create
andupdate
permission for yourkv
v2 plugin.
Step 1: Create a password policy file
Create an HCL file with a password policy with the desired randomization and generation rules.
For example, the following password policy requires a string 20 characters long that includes:
- at least one lowercase character
- at least one uppercase character
- at least one number
- at least two special characters
length=20
rule "charset" {
charset = "abcdefghijklmnopqrstuvwxyz"
min-chars = 1
}
rule "charset" {
charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
min-chars = 1
}
rule "charset" {
charset = "0123456789"
min-chars = 1
}
rule "charset" {
charset = "!@#$%^&*STUVWXYZ"
min-chars = 2
}
Step 2: Save the password policy
Use vault write
to save policies to the password policies endpoint
(sys/policies/password/<policy_name>
):
$ vault write sys/policies/password/<policy_name> policy=@<policy_file>
For example:
$ vault write sys/policies/password/randomize policy=@password-rules.hcl
Success! Data written to: sys/policies/password/randomize
Step 3: Save a random string to kv
v2
Use vault read
and the generate
endpoint of the new password policy to
generate a new random string and write it to the kv
plugin with
vault kv put
:
$ vault kv put \
-mount <mount_path> \
<secret_path> \
<key_name>=$( \
vault read -field password \
sys/policies/password/<policy_name>/generate \
)
For example:
$ vault kv put \
-mount shared \
/dev/seeds \
seed1=$( \
vault read -field password \
sys/policies/password/randomize/generate \
)
==== Secret Path ====
shared/data/dev/seeds
======= Metadata =======
Key Value
--- -----
created_time 2024-11-15T23:15:31.929717548Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
Step 4: Verify the data in Vault
Use vault kv get
with the -field
flag to read
the randomized string from the relevant secret path:
$ vault kv get \
-mount <mount_path> \
-field <field_name> \
<secret_path>
For example:
$ vault kv get -mount shared -field seed1 dev/seeds
g0bc0b6W3ii^SXa@*ie5