Influxdata
/
docs-v2
mirror of https://github.com/influxdata/docs-v2.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #166 from influxdata/vault-secrets 

Vault secrets
pull/176/head
Scott Anderson 2019-04-18 12:02:25 -06:00 committed by GitHub
parent 8f07c36620 157d921b6d
commit 8ca4eacc0b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 151 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
content/v2.0/organizations/view-orgs.md
View File

@ -33,3 +33,25 @@ influx org find
Filtering options such as filtering by name or ID are available. Filtering options such as filtering by name or ID are available.
See the [`influx org find` documentation](/v2.0/reference/cli/influx/org/find) See the [`influx org find` documentation](/v2.0/reference/cli/influx/org/find)
for information about other available flags. for information about other available flags.
## View your organization ID
Use the InfluxDB UI or `influx` CLI to view your organization ID.
### Organization ID in the UI
After logging in to the InfluxDB UI, your organization ID appears in the URL.
<pre class="highlight">
http://localhost:9999/orgs/<span class="bp" style="font-weight:bold;margin:0 .15rem">03a2bbf46249a000</span>/...
</pre>
### Organization ID in the CLI
Use [`influx org find`](#view-organizations-using-the-influx-cli) to view your organization ID.
```sh
> influx org find
ID Name
03a2bbf46249a000 org-1
03ace3a859669000 org-2
```

129
content/v2.0/security/use-vault.md Normal file
View File

@ -0,0 +1,129 @@
---
title: Store InfluxDB secrets in Vault
description: Manage authentication tokens in InfluxDB using the InfluxDB UI or the influx CLI.
v2.0/tags: [tokens, security]
menu:
v2_0:
parent: Security & authorization
weight: 102
---
[Vault](https://www.vaultproject.io/) secures, stores, and tightly controls access
to tokens, passwords, certificates, and other sensitive secrets.
Store sensitive secrets in Vault using the InfluxDB built-in Vault integration.
{{% note %}}
When not using Vault, secrets are Base64-encoded and stored in the InfluxDB embedded key value store,
[BoltDB](https://github.com/boltdb/bolt).
{{% /note %}}
## Start a Vault server
Start a Vault server and ensure InfluxDB has network (HTTP) access to the server.
The following links provide information about running Vault in both development and production:
- [Install Vault](https://learn.hashicorp.com/vault/getting-started/install)
- [Start a Vault dev server](https://learn.hashicorp.com/vault/getting-started/dev-server)
- [Deploy Vault](https://learn.hashicorp.com/vault/getting-started/deploy)
For this example, install Vault on your local machine and start a Vault dev server.
```sh
vault server -dev
```
## Define Vault environment variables
Use [Vault environment variables](https://www.vaultproject.io/docs/commands/index.html#environment-variables)
to provide connection credentials and other important Vault-related information to InfluxDB.
#### Required environment variables
- `VAULT_ADDR`: The API address of your Vault server _(provided in the Vault server output)_.
- `VAULT_TOKEN`: The [Vault token](https://learn.hashicorp.com/vault/getting-started/authentication)
required to access your Vault server.
_Your Vault server configuration may require other environment variables._
```sh
export VAULT_ADDR='http://127.0.0.1:8200' VAULT_TOKEN='s.0X0XxXXx0xXxXXxxxXxXxX0x'
```
## Start InfluxDB
Start the [`influxd` service](/v2.0/reference/cli/influxd/) with the `--secret-store`
option set to `vault`.
```bash
influxd --secret-store vault
```
## Test Vault storage
With Vault and InfluxDB servers running, use the InfluxDB API to test Vault:
{{% note %}}
Replace `<org-id>` with your [organization ID](/v2.0/organizations/view-orgs/#view-your-organization-id)
and `YOURAUTHTOKEN` with your [InfluxDB authentication token](/v2.0/security/tokens/).
{{% /note %}}
##### Retrieve an organization's secrets
```sh
curl --request GET \
--url http://localhost:9999/api/v2/orgs/<org-id>/secrets \
--header 'authorization: Token YOURAUTHTOKEN'
# should return
# {
# "links": {
# "org": "/api/v2/orgs/031c8cbefe101000",
# "secrets": "/api/v2/orgs/031c8cbefe101000/secrets"
# },
# "secrets": []
# }
```
##### Add secrets to an organization
```sh
curl --request PATCH \
--url http://localhost:9999/api/v2/orgs/<org-id>/secrets \
--header 'authorization: Token YOURAUTHTOKEN' \
--header 'content-type: application/json' \
--data '{
"foo": "bar",
"hello": "world"
}'
# should return 204 no content
```
##### Retrieve the added secrets
```bash
curl --request GET \
--url http://localhost:9999/api/v2/orgs/<org-id>/secrets \
--header 'authorization: Token YOURAUTHTOKEN'
# should return
# {
# "links": {
# "org": "/api/v2/orgs/031c8cbefe101000",
# "secrets": "/api/v2/orgs/031c8cbefe101000/secrets"
# },
# "secrets": [
# "foo",
# "hello"
# ]
# }
```
## Vault secrets storage
For each organization, InfluxDB creates a [secrets engine](https://learn.hashicorp.com/vault/getting-started/secrets-engines)
using the following pattern:
```
/secret/data/<org-id>
```
Secrets are stored in Vault as key value pairs in their respective secrets engines.
```
/secret/data/031c8cbefe101000 ->
this_key: foo
that_key: bar
a_secret: key
```