Merge pull request #166 from influxdata/vault-secrets

Vault secrets
2019-04-18 12:02:25 -06:00 · 2019-04-18 12:02:25 -06:00 · 8ca4eacc0b
parent 8f07c36620 157d921b6d
commit 8ca4eacc0b
2 changed files with 151 additions and 0 deletions
--- a/content/v2.0/organizations/view-orgs.md
+++ b/content/v2.0/organizations/view-orgs.md
@ -33,3 +33,25 @@ influx org find
 Filtering options such as filtering by name or ID are available.
 See the [`influx org find` documentation](/v2.0/reference/cli/influx/org/find)
 for information about other available flags.
+
+## View your organization ID
+Use the InfluxDB UI or `influx` CLI to view your organization ID.
+
+### Organization ID in the UI
+After logging in to the InfluxDB UI, your organization ID appears in the URL.
+
+<pre class="highlight">
+http://localhost:9999/orgs/<span class="bp" style="font-weight:bold;margin:0 .15rem">03a2bbf46249a000</span>/...
+</pre>
+
+
+### Organization ID in the CLI
+Use [`influx org find`](#view-organizations-using-the-influx-cli) to view your organization ID.
+
+```sh
+> influx org find
+
+ID                  Name
+03a2bbf46249a000    org-1
+03ace3a859669000    org-2
+```
--- a/content/v2.0/security/use-vault.md
+++ b/content/v2.0/security/use-vault.md
@ -0,0 +1,129 @@
+---
+title: Store InfluxDB secrets in Vault
+description: Manage authentication tokens in InfluxDB using the InfluxDB UI or the influx CLI.
+v2.0/tags: [tokens, security]
+menu:
+  v2_0:
+    parent: Security & authorization
+weight: 102
+---
+
+[Vault](https://www.vaultproject.io/) secures, stores, and tightly controls access
+to tokens, passwords, certificates, and other sensitive secrets.
+Store sensitive secrets in Vault using the InfluxDB built-in Vault integration.
+
+{{% note %}}
+When not using Vault, secrets are Base64-encoded and stored in the InfluxDB embedded key value store,
+[BoltDB](https://github.com/boltdb/bolt).
+{{% /note %}}
+
+## Start a Vault server
+Start a Vault server and ensure InfluxDB has network (HTTP) access to the server.
+The following links provide information about running Vault in both development and production:
+
+- [Install Vault](https://learn.hashicorp.com/vault/getting-started/install)
+- [Start a Vault dev server](https://learn.hashicorp.com/vault/getting-started/dev-server)
+- [Deploy Vault](https://learn.hashicorp.com/vault/getting-started/deploy)
+
+For this example, install Vault on your local machine and start a Vault dev server.
+
+```sh
+vault server -dev
+```
+
+## Define Vault environment variables
+Use [Vault environment variables](https://www.vaultproject.io/docs/commands/index.html#environment-variables)
+to provide connection credentials and other important Vault-related information to InfluxDB.
+
+#### Required environment variables
+- `VAULT_ADDR`: The API address of your Vault server _(provided in the Vault server output)_.
+- `VAULT_TOKEN`: The [Vault token](https://learn.hashicorp.com/vault/getting-started/authentication)
+  required to access your Vault server.
+
+_Your Vault server configuration may require other environment variables._
+
+```sh
+export VAULT_ADDR='http://127.0.0.1:8200' VAULT_TOKEN='s.0X0XxXXx0xXxXXxxxXxXxX0x'
+```
+
+## Start InfluxDB
+Start the [`influxd` service](/v2.0/reference/cli/influxd/) with the `--secret-store`
+option set to `vault`.
+
+```bash
+influxd --secret-store vault
+```
+
+## Test Vault storage
+With Vault and InfluxDB servers running, use the InfluxDB API to test Vault:
+
+{{% note %}}
+Replace `<org-id>` with your [organization ID](/v2.0/organizations/view-orgs/#view-your-organization-id)
+and `YOURAUTHTOKEN` with your [InfluxDB authentication token](/v2.0/security/tokens/).
+{{% /note %}}
+
+##### Retrieve an organization's secrets
+```sh
+curl --request GET \
+  --url http://localhost:9999/api/v2/orgs/<org-id>/secrets \
+  --header 'authorization: Token YOURAUTHTOKEN'
+
+# should return
+#  {
+#    "links": {
+#      "org": "/api/v2/orgs/031c8cbefe101000",
+#      "secrets": "/api/v2/orgs/031c8cbefe101000/secrets"
+#    },
+#    "secrets": []
+#  }
+```
+
+##### Add secrets to an organization
+```sh
+curl --request PATCH \
+  --url http://localhost:9999/api/v2/orgs/<org-id>/secrets \
+  --header 'authorization: Token YOURAUTHTOKEN' \
+  --header 'content-type: application/json' \
+  --data '{
+	"foo": "bar",
+	"hello": "world"
+}'
+
+# should return 204 no content
+```
+
+##### Retrieve the added secrets
+```bash
+curl --request GET \
+  --url http://localhost:9999/api/v2/orgs/<org-id>/secrets \
+  --header 'authorization: Token YOURAUTHTOKEN'
+
+# should return
+#  {
+#    "links": {
+#      "org": "/api/v2/orgs/031c8cbefe101000",
+#      "secrets": "/api/v2/orgs/031c8cbefe101000/secrets"
+#    },
+#    "secrets": [
+#      "foo",
+#      "hello"
+#    ]
+#  }
+```
+
+## Vault secrets storage
+For each organization, InfluxDB creates a [secrets engine](https://learn.hashicorp.com/vault/getting-started/secrets-engines)
+using the following pattern:
+
+```
+/secret/data/<org-id>
+```
+
+Secrets are stored in Vault as key value pairs in their respective secrets engines.
+
+```
+/secret/data/031c8cbefe101000 ->
+  this_key: foo
+  that_key: bar
+  a_secret: key
+```