{"id":35030,"date":"2024-10-07T15:58:27","date_gmt":"2024-10-07T08:58:27","guid":{"rendered":"http:\/\/jupitek.maudemo.vip\/index.php\/2024\/10\/07\/use-hashicorp-vault-to-manage-secrets\/"},"modified":"2024-10-07T15:58:27","modified_gmt":"2024-10-07T08:58:27","slug":"use-hashicorp-vault-to-manage-secrets","status":"publish","type":"post","link":"https:\/\/jupitek.maudemo.vip\/index.php\/2024\/10\/07\/use-hashicorp-vault-to-manage-secrets\/","title":{"rendered":"Using HashiCorp Vault to Manage Secrets"},"content":{"rendered":"<p><a href=\"https:\/\/www.vaultproject.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">HashiCorp Vault<\/a> is a secrets management tool that provides secure, automated access to sensitive data. Vault serves these use cases by pairing authentication methods (such as application tokens) with secrets engines (such as simple key\/value pairs), using policies to control how access is granted. 
In this guide, you will install, configure, and access Vault in an example deployment to illustrate Vault's features and API.<\/p>\n<p>This guide uses the latest version of Vault, which is 1.1.0 at the time of writing.<\/p>\n<h3 id=\"why-use-vault\">Why use Vault?<\/h3>\n<p>A service like Vault requires operational effort to run securely and effectively. Given the added complexity of using Vault as part of an application, how does it add value?<\/p>\n<p>Consider a simple application that must use an API token or some other secret value. 
How is this sensitive credential provided to the application at runtime?<\/p>\n<ul>\n<li>Committing the secret alongside the rest of the application code in a version control system such as <code>git<\/code> is a poor security practice for many reasons, including that the sensitive value is recorded in plain text and is not protected in any way.<\/li>\n<li>Recording the secret in a file that is passed to an application requires that file to be stored securely in the first place and to have tightly controlled access.<\/li>\n<li>It is difficult to rotate or restrict access to static credentials if the application is compromised.<\/li>\n<\/ul>\n<p>Vault solves these problems and many others in several ways, including:<\/p>\n<ul>\n<li>Services and applications that run without operator interaction can authenticate to Vault using values that can be rotated, revoked, and permission-controlled.<\/li>\n<li>Some <a href=\"https:\/\/www.vaultproject.io\/docs\/secrets\/index.html\" target=\"_blank\" rel=\"noreferrer noopener\">secrets engines<\/a> can generate temporary, dynamically created secrets to ensure that credentials expire after a period of time.<\/li>\n<li>Policies for users and machine accounts can be tightly controlled for specific types of access to specific paths.<\/li>\n<\/ul>\n<h2 id=\"concepts\">Concepts<\/h2>\n<p>Before continuing, you should become familiar with the important Vault terms and concepts that are used later in this guide.<\/p>\n<ul>\n<li>A <strong>token<\/strong> is the underlying mechanism that supports access to Vault resources. Whether a user authenticates to Vault with a GitHub token or an application-driven service authenticates with an <a href=\"https:\/\/www.vaultproject.io\/docs\/auth\/approle.html\" target=\"_blank\" rel=\"noreferrer noopener\">AppRole<\/a> RoleID and SecretID, all forms of authentication are ultimately normalized into a <strong>token<\/strong>. 
Tokens are typically short-lived (that is, they expire after a period of time, or time to live, <code>ttl<\/code>) and have one or more <em>policies<\/em> attached to them.<\/li>\n<li>A Vault <strong>policy<\/strong> specifies certain actions that can be performed on a Vault <strong>path<\/strong>. Capabilities such as the ability to read secrets, write secrets, and delete them are all examples of actions defined in a policy for a specific <strong>path<\/strong>.<\/li>\n<li>A <strong>path<\/strong> in Vault takes a form similar to a Unix filesystem path (such as <code>\/etc<\/code>) or a URL (such as <code>\/blog\/title<\/code>). Users and machine accounts interact with Vault over specific paths to retrieve secrets, change settings, or otherwise interact with the running Vault service. All Vault access is performed over a REST interface, so these paths ultimately take the form of HTTP URLs. 
While some paths interact with the Vault service itself to manage resources such as policies or settings, many paths serve as endpoints to authenticate to Vault or to interact with a <strong>secrets engine<\/strong>.<\/li>\n<li>A <strong>secrets engine<\/strong> is a backend used in Vault to provide secrets to Vault users. The simplest example of a <strong>secrets engine<\/strong> is the <a href=\"https:\/\/www.vaultproject.io\/docs\/secrets\/kv\/index.html\" target=\"_blank\" rel=\"noreferrer noopener\">key\/value backend<\/a>, which simply returns plain text values that can be stored at specific paths (these secrets are still encrypted at rest on the backend). 
Other examples of secrets backends include the <a href=\"https:\/\/www.vaultproject.io\/docs\/secrets\/pki\/index.html\" target=\"_blank\" rel=\"noreferrer noopener\">PKI backend<\/a>, which can generate and manage TLS certificates, and the <a href=\"https:\/\/www.vaultproject.io\/docs\/secrets\/totp\/index.html\" target=\"_blank\" rel=\"noreferrer noopener\">TOTP backend<\/a>, which can generate temporary one-time passwords for websites that require multi-factor authentication (including the Linode Manager).<\/li>\n<\/ul>\n<h2 id=\"installation\">Installation<\/h2>\n<p>This guide sets up Vault in a simple local filesystem configuration. 
The steps listed here apply equally to any distribution.<\/p>\n<p>These installation steps will:<\/p>\n<ul>\n<li>Acquire a TLS certificate to ensure that all communication between Vault and clients is encrypted.<\/li>\n<li>Configure Vault for local filesystem storage.<\/li>\n<li>Install the <code>vault<\/code> binary and set up the operating system to run Vault as a service.<\/li>\n<\/ul>\n<p class=\"has-background\" style=\"background-color:#74f78c33\">Note: The configuration outlined in this guide is suitable for small deployments. In situations that require highly available or fault-tolerant services, consider running more than one Vault instance with a highly available storage backend such as <a href=\"https:\/\/www.vaultproject.io\/docs\/configuration\/storage\/consul.html\" target=\"_blank\" rel=\"noreferrer noopener\">Consul<\/a>.<\/p>\n<h3 id=\"before-you-begin\">Before You Begin<\/h3>\n<ol>\n<li>If you have not already done so, create a Linode account and Compute Instance. 
See our <a href=\"https:\/\/www.linode.com\/docs\/products\/platform\/get-started\/\">Getting Started with Linode<\/a> and <a href=\"https:\/\/www.linode.com\/docs\/products\/compute\/compute-instances\/guides\/create\/\">Create a Compute Instance<\/a> guides.<\/li>\n<li>Follow our <a href=\"https:\/\/www.linode.com\/docs\/products\/compute\/compute-instances\/guides\/set-up-and-secure\/\">Set Up and Secure a Compute Instance<\/a> guide to update your system. You may also want to set the timezone, configure your hostname, create a limited user account, and harden SSH access. Note: Setting the fully qualified hostname correctly in <code>\/etc\/hosts<\/code> is very important in this guide in order to terminate TLS on Vault properly. 
Your Linode's fully qualified domain name and short hostname must be present in the <code>\/etc\/hosts<\/code> file before continuing.<\/li>\n<li>Follow our <a href=\"https:\/\/www.linode.com\/docs\/guides\/configure-firewall-with-ufw\/\">UFW Guide<\/a> to install and configure a firewall on your Ubuntu or Debian system, or our <a href=\"https:\/\/www.linode.com\/docs\/guides\/introduction-to-firewalld-on-centos\/\">FirewallD Guide<\/a> for rpm-based or CentOS systems. Consider reviewing Vault's <a href=\"https:\/\/www.vaultproject.io\/guides\/operations\/production\" target=\"_blank\" rel=\"noreferrer noopener\">Production Hardening<\/a> recommendations if this will be used in a production environment.<\/li>\n<\/ol>\n<p class=\"has-background\" style=\"background-color:#74f78c33\">Note: When configuring the firewall, keep in mind that Vault listens on port 8200 by default and Let's Encrypt uses ports 80 (HTTP) and 443 (HTTPS).<\/p>\n<h3 id=\"acquire-a-tls-certificate\">Acquire a TLS Certificate<\/h3>\n<p>1. Follow the steps in our <a href=\"https:\/\/www.linode.com\/docs\/guides\/secure-http-traffic-certbot\/\">Secure HTTP Traffic with Certbot<\/a> guide to obtain a TLS certificate.<\/p>\n<p>2. Add a system group to grant limited read access to the TLS files generated by Certbot.<\/p>\n<pre class=\"wp-block-code\"><code>sudo groupadd tls\n<\/code><\/pre>\n<p>3. Change the group ownership of the certificate files in the Let's Encrypt directory to <code>tls<\/code>.<\/p>\n<pre class=\"wp-block-code\"><code>sudo chgrp -R tls \/etc\/letsencrypt\/{archive,live}\n<\/code><\/pre>\n<p>4. Grant members of the <code>tls<\/code> group read permission on the required directories and files.<\/p>\n<pre class=\"wp-block-code\"><code>sudo chmod g+rx \/etc\/letsencrypt\/{archive,live}\nsudo find \/etc\/letsencrypt\/archive -name 'privkey*' -exec chmod g+r {} ';'<\/code><\/pre>\n<h3 id=\"download-vault-files\">Download the Vault Files<\/h3>\n<p>1. Download the release binary for Vault.<\/p>\n<pre class=\"wp-block-code\"><code>wget https:\/\/releases.hashicorp.com\/vault\/1.1.0\/vault_1.1.0_linux_amd64.zip\n<\/code><\/pre>\n<p>2. Download the checksum file to verify that the zip file is not corrupted.<\/p>\n<pre class=\"wp-block-code\"><code>wget https:\/\/releases.hashicorp.com\/vault\/1.1.0\/vault_1.1.0_SHA256SUMS<\/code><\/pre>\n<p>3. Download the checksum signature file to verify that the checksum file has not been tampered with.<\/p>\n<pre class=\"wp-block-code\"><code>wget https:\/\/releases.hashicorp.com\/vault\/1.1.0\/vault_1.1.0_SHA256SUMS.sig<\/code><\/pre>\n<h3 id=\"verify-the-downloads\">Verify the Downloads<\/h3>\n<p>1. Import the HashiCorp Security GPG key (listed on the <a href=\"https:\/\/www.hashicorp.com\/security.html\" target=\"_blank\" rel=\"noreferrer noopener\">HashiCorp Security<\/a> page under <em>Secure Communications<\/em>):<\/p>\n<pre class=\"wp-block-code\"><code>gpg --recv-keys 51852D87348FFC4C<\/code><\/pre>\n<p>The output should show that the key was imported:<\/p>\n<pre class=\"wp-block-code\"><code>gpg: \/home\/user\/.gnupg\/trustdb.gpg: trustdb created\ngpg: key 51852D87348FFC4C: public key \"HashiCorp Security &lt;security@hashicorp.com&gt;\" imported\ngpg: no ultimately trusted keys found\ngpg: Total number processed: 1\ngpg:               imported: 1<\/code><\/pre>\n<p class=\"has-background\" style=\"background-color:#74f78c33\">Note: If an error occurs with the message <code>keyserver receive failed: Syntax error in URI<\/code>, simply try running the <code>gpg<\/code> command again.<\/p>\n<p class=\"has-background\" style=\"background-color:#74f78c33\">Note: If you receive an error stating that the <code>dirmngr<\/code> software is missing or inaccessible, install <code>dirmngr<\/code> using your package manager and run the GPG command again.<\/p>\n<p>2. Verify the GPG signature of the checksum file:<\/p>\n<pre class=\"wp-block-code\"><code>gpg --verify vault*.sig vault*SHA256SUMS\n<\/code><\/pre>\n<p>The output should contain the <code>Good signature from \"HashiCorp Security &lt;security@hashicorp.com&gt;\"<\/code> confirmation message:<\/p>\n<pre class=\"wp-block-code\"><code>gpg: Signature made Mon 18 Mar 2019 01:44:51 PM MDT\ngpg:                using RSA key 91A6E7F85D05C65630BEF18951852D87348FFC4C\ngpg: Good signature from \"HashiCorp Security &lt;security@hashicorp.com&gt;\" [unknown]\ngpg: WARNING: This key is not certified with a trusted signature!\ngpg:          There is no indication that the signature belongs to the owner.\nPrimary key fingerprint: 91A6 E7F8 5D05 C656 30BE  F189 5185 2D87 348F FC4C<\/code><\/pre>\n<p>3. Verify that the fingerprint in the output matches the fingerprint listed in the <em>Secure Communications<\/em> section of the <a href=\"https:\/\/www.hashicorp.com\/security.html\" target=\"_blank\" rel=\"noreferrer noopener\">HashiCorp Security<\/a> page.<\/p>\n<p>4. Verify the checksum of the <code>.zip<\/code> archive:<\/p>\n<pre class=\"wp-block-code\"><code>sha256sum -c vault*SHA256SUMS 2&gt;&amp;1 | grep OK\n<\/code><\/pre>\n<p>The output should show the file name as specified in the <code>vault*SHA256SUMS<\/code> file:<\/p>\n<pre class=\"wp-block-code\"><code>vault_1.1.0_linux_amd64.zip: OK\n<\/code><\/pre>\n<h3 id=\"install-the-vault-executable\">Install the Vault Executable<\/h3>\n<p>1. Extract the Vault executable into the local directory.<\/p>\n<pre class=\"wp-block-code\"><code>unzip vault_*_linux_amd64.zip<\/code><\/pre>\n<p class=\"has-background\" style=\"background-color:#74f78c33\">Note: If you receive an error stating that the <code>unzip<\/code> package is missing from the system, install the <code>unzip<\/code> package and try again.<\/p>\n<p>2. Move the <code>vault<\/code> executable to a system-wide location.<\/p>\n<pre class=\"wp-block-code\"><code>sudo mv vault \/usr\/local\/bin\n<\/code><\/pre>\n<p>3. Reset the ownership and permissions on the executable.<\/p>\n<pre class=\"wp-block-code\"><code>sudo chown root:root \/usr\/local\/bin\/vault\nsudo chmod 755 \/usr\/local\/bin\/vault<\/code><\/pre>\n<p>4. Set executable capabilities on the <code>vault<\/code> binary. This grants Vault the privilege to lock memory, which is a best practice for running Vault securely (see the <a href=\"https:\/\/www.vaultproject.io\/docs\/configuration\/#disable_mlock\" target=\"_blank\" rel=\"noreferrer noopener\">Vault documentation<\/a> for more information).<\/p>\n<pre class=\"wp-block-code\"><code>sudo setcap cap_ipc_lock=+ep \/usr\/local\/bin\/vault\n<\/code><\/pre>\n<p>5. Verify that <code>vault<\/code> is now available in the local shell.<\/p>\n<pre class=\"wp-block-code\"><code>vault --version\n<\/code><\/pre>\n<p>The output of this command should look like the following.<\/p>\n<pre class=\"wp-block-code\"><code>Vault v1.1.0 ('36aa8c8dd1936e10ebd7a4c1d412ae0e6f7900bd')<\/code><\/pre>\n<h3 id=\"system-vault-configuration\">System Vault Configuration<\/h3>\n<p>1. Create the <code>vault<\/code> system user that the service will run as when it is started.<\/p>\n<pre class=\"wp-block-code\"><code>sudo useradd --system -d \/etc\/vault.d -s \/bin\/nologin vault\n<\/code><\/pre>\n<p>2. Add the <code>vault<\/code> user to the <code>tls<\/code> group created earlier, which grants the user the ability to read the Let's Encrypt certificates.<\/p>\n<pre class=\"wp-block-code\"><code>sudo gpasswd -a vault tls<\/code><\/pre>\n<p>3. Create the data directory and the <code>vault<\/code> configuration directory with restricted permissions.<\/p>\n<pre class=\"wp-block-code\"><code>sudo install -o vault -g vault -m 750 -d \/var\/lib\/vault\nsudo install -o vault -g vault -m 750 -d \/etc\/vault.d<\/code><\/pre>\n<p>4. Create a systemd <code>service<\/code> file to control how <code>vault<\/code> runs continuously as a system daemon.<\/p>\n<pre class=\"wp-block-code\"><code>[Unit]\nDescription=\"a tool for managing secrets\"\nDocumentation=https:\/\/www.vaultproject.io\/docs\/\nRequires=network-online.target\nAfter=network-online.target\nConditionFileNotEmpty=\/etc\/vault.d\/vault.hcl\n\n[Service]\nUser=vault\nGroup=vault\nProtectSystem=full\nProtectHome=read-only\nPrivateTmp=yes\nPrivateDevices=yes\nSecureBits=keep-caps\nAmbientCapabilities=CAP_IPC_LOCK\nCapabilities=CAP_IPC_LOCK+ep\nCapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK\nNoNewPrivileges=yes\nExecStart=\/usr\/local\/bin\/vault server -config=\/etc\/vault.d\/vault.hcl\nExecReload=\/bin\/kill --signal HUP $MAINPID\nKillMode=process\nKillSignal=SIGINT\nRestart=on-failure\nRestartSec=5\nTimeoutStopSec=30\nStartLimitIntervalSec=60\nStartLimitBurst=3\nLimitNOFILE=65536\n\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n<p>These systemd service options define several important settings to ensure Vault runs securely and reliably. Review the <a href=\"https:\/\/learn.hashicorp.com\/vault\/operations\/ops-deployment-guide#step-3-configure-systemd\" target=\"_blank\" rel=\"noreferrer noopener\">Vault documentation<\/a> for a full explanation of what these options accomplish.<\/p>\n<h2 id=\"configuration\">Configuration<\/h2>\n<h3 id=\"configure-vault\">Configure Vault<\/h3>\n<p>1. Create the configuration file for Vault at <code>\/etc\/vault.d\/vault.hcl<\/code> (the path referenced by the service file above) with the following contents, replacing <code>example.com<\/code> with the domain name used in your Let's Encrypt certificate.<\/p>\n<pre class=\"wp-block-code\"><code>listener \"tcp\" {\n  address = \"0.0.0.0:8200\"\n  tls_cert_file = \"\/etc\/letsencrypt\/live\/example.com\/fullchain.pem\"\n  tls_key_file = \"\/etc\/letsencrypt\/live\/example.com\/privkey.pem\"\n}\n\nstorage \"file\" {\n  path = \"\/var\/lib\/vault\"\n}<\/code><\/pre>\n<p>This configuration uses the Let's Encrypt certificate generated in the previous steps to terminate TLS for the Vault service. This ensures that secrets are never transmitted in plain text. The actual storage for Vault resides on the local filesystem at <code>\/var\/lib\/vault<\/code>.<\/p>\n<h3 id=\"run-the-vault-service\">Run the Vault Service<\/h3>\n<p>1. Vault is now ready to run. Start the service using <code>systemctl<\/code>.<\/p>\n<pre class=\"wp-block-code\"><code>sudo systemctl start vault<\/code><\/pre>\n<p>2. Optionally, enable the service so that Vault starts at system boot.<\/p>\n<pre class=\"wp-block-code\"><code>sudo systemctl enable vault<\/code><\/pre>\n<p>3. Confirm that Vault is working by using the <code>vault<\/code> executable to check the status of the service. Set the <code>VAULT_ADDR<\/code> environment variable to <code>https:\/\/example.com:8200<\/code>, replacing <code>example.com<\/code> with your own domain name:<\/p>\n<pre class=\"wp-block-code\"><code>export VAULT_ADDR=https:\/\/example.com:8200\n<\/code><\/pre>\n<p>4. <code>vault<\/code> commands will now be sent to your local Vault instance. 
To confirm this, run the <code>vault status<\/code> command:<\/p>\n<pre class=\"wp-block-code\"><code>vault status\n<\/code><\/pre>\n<p>This command should return output similar to the following:<\/p>\n<pre class=\"wp-block-code\"><code>Key                Value\n---                -----\nSeal Type          shamir\nInitialized        false\nSealed             true\nTotal Shares       0\nThreshold          0\nUnseal Progress    0\/0\nUnseal Nonce       n\/a\nVersion            n\/a\nHA Enabled         false<\/code><\/pre>\n<p>The rest of this guide assumes that the <code>VAULT_ADDR<\/code> environment variable is set to this value so that requests are sent to the correct Vault server.<\/p>\n<h3 id=\"initializing-vault\">Initializing Vault<\/h3>\n<p>At this stage, Vault is installed and running, but has not yet been <em>initialized<\/em>. The following steps initialize the Vault backend, set up the unseal keys, and return the initial root token. Initialization happens only once for a Vault deployment.<\/p>\n<p>There are two configurable options to choose when performing the initialization step. 
The first value is the number of key shares, which controls the total number of unseal keys Vault generates. The second value is the key threshold, which controls how many of these unseal key shares are required before Vault can successfully unseal itself. Unsealing is required whenever Vault is restarted or otherwise brought online after previously being offline.<\/p>\n<p>To illustrate this concept, consider a secure server in a data center. 
Because the Vault database is only ever decrypted in memory, stealing the server or taking it offline for any reason leaves the only copy of the Vault database on the filesystem in encrypted, or \"sealed\", form.<\/p>\n<p>When the server is restarted, key shares of 3 and a key threshold of 2 means that 3 keys exist, but at least 2 of them must be provided at startup so that Vault can derive the decryption key and load the database into memory for access once again.<\/p>\n<p>The number of key shares ensures that multiple keys can exist in different locations, for a degree of fault tolerance and for backup purposes. The key threshold ensures that compromising a single unseal key on its own is not enough to decrypt the Vault data.<\/p>\n<p>1. Choose a value for the number of key shares and the key threshold. Your situation may vary, but as an example, consider a team of three people responsible for operating Vault. 
Key shares of 3 ensures that each member holds one unseal key. A key threshold of 2 means that no single operator can lose their key and compromise the system, or steal the Vault database, without colluding with another operator.<\/p>\n<p>2. Using these chosen values, run the initialization command. Be prepared to save the output returned from the following command, as <strong>it can only be viewed once<\/strong>.<\/p>\n<pre class=\"wp-block-code\"><code>vault operator init -key-shares=3 -key-threshold=2\n<\/code><\/pre>\n<p>This command should return output similar to the following:<\/p>\n<pre class=\"wp-block-code\"><code>Unseal Key 1: BaR6GUWRY8hIeNyuzAn7FTa82DiIldgvEZhOKhVsl0X5\nUnseal Key 2: jzh7lji1NX9TsNVGycUudSIy\/X4lczJgsCpRfm3m8Q03\nUnseal Key 3: JfdH8LqEyc4B+xLMBX6\/LT9o8G\/6isC2ZFfz+iNMIW\/0\n\nInitial Root Token: s.YijNa8lqSDeho1tJBtY02983\n\nVault initialized with 3 key shares and a key threshold of 2. Please securely\ndistribute the key shares printed above. When the Vault is re-sealed,\nrestarted, or stopped, you must supply at least 2 of these keys to unseal it\nbefore it can start servicing requests.\n\nVault does not store the generated master key. Without at least 2 key to\nreconstruct the master key, Vault will remain permanently sealed!\n\nIt is possible to generate new unseal keys, provided you have a quorum of\nexisting unseal keys shares. 
See \"vault operator rekey\" for more information.<\/code><\/pre>\n<p>3.Trong k\u1ecbch b\u1ea3n s\u1ea3n xu\u1ea5t, c\u00e1c kh\u00f3a m\u1edf ni\u00eam phong n\u00e0y ph\u1ea3i \u0111\u01b0\u1ee3c l\u01b0u tr\u1eef \u1edf c\u00e1c v\u1ecb tr\u00ed ri\u00eang bi\u1ec7t. V\u00ed d\u1ee5, l\u01b0u tr\u1eef m\u1ed9t kh\u00f3a trong tr\u00ecnh qu\u1ea3n l\u00fd m\u1eadt kh\u1ea9u nh\u01b0 LastPass, m\u00e3 h\u00f3a kh\u00f3a b\u1eb1ng gpg v\u00e0 l\u01b0u tr\u1eef kh\u00f3a kh\u00e1c ngo\u1ea1i tuy\u1ebfn tr\u00ean kh\u00f3a USB. L\u00e0m nh\u01b0 v\u1eady \u0111\u1ea3m b\u1ea3o r\u1eb1ng vi\u1ec7c x\u00e2m ph\u1ea1m m\u1ed9t v\u1ecb tr\u00ed l\u01b0u tr\u1eef l\u00e0 kh\u00f4ng \u0111\u1ee7 \u0111\u1ec3 kh\u00f4i ph\u1ee5c s\u1ed1 l\u01b0\u1ee3ng kh\u00f3a m\u1edf ni\u00eam phong c\u1ea7n thi\u1ebft \u0111\u1ec3 gi\u1ea3i m\u00e3 c\u01a1 s\u1edf d\u1eef li\u1ec7u Vault.<\/p>\n<p>4.T\u01b0\u01a1ng&nbsp;<code>Initial Root Token<\/code>\u0111\u01b0\u01a1ng v\u1edbi t\u00e0i kho\u1ea3n \u201croot\u201d ho\u1eb7c si\u00eau ng\u01b0\u1eddi d\u00f9ng cho Vault API. Ghi l\u1ea1i v\u00e0 b\u1ea3o v\u1ec7 m\u00e3 th\u00f4ng b\u00e1o n\u00e0y theo c\u00e1ch t\u01b0\u01a1ng t\u1ef1. 
Gi\u1ed1ng nh\u01b0 t\u00e0i&nbsp;<code>root<\/code>kho\u1ea3n tr\u00ean h\u1ec7 th\u1ed1ng Unix, m\u00e3 th\u00f4ng b\u00e1o n\u00e0y n\u00ean \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 t\u1ea1o c\u00e1c t\u00e0i kho\u1ea3n \u00edt \u0111\u1eb7c quy\u1ec1n h\u01a1n \u0111\u1ec3 s\u1eed d\u1ee5ng cho c\u00e1c t\u01b0\u01a1ng t\u00e1c h\u00e0ng ng\u00e0y v\u1edbi Vault v\u00e0 m\u00e3 th\u00f4ng b\u00e1o g\u1ed1c n\u00ean \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng kh\u00f4ng th\u01b0\u1eddng xuy\u00ean do c\u00e1c \u0111\u1eb7c quy\u1ec1n r\u1ed9ng r\u00e3i c\u1ee7a n\u00f3.<\/p>\n<h3 id=\"unseal-vault\">M\u1edf kh\u00f3a k\u00e9t s\u1eaft<a href=\"https:\/\/www.linode.com\/docs\/guides\/use-hashicorp-vault-for-secret-management\/#unseal-vault\"><\/a><\/h3>\n<p>Sau khi kh\u1edfi t\u1ea1o, Vault s\u1ebd \u0111\u01b0\u1ee3c ni\u00eam <\/p>\n<p> m\u1edf ni\u00eam phong sau \u0111\u00e2y ph\u1ea3i \u0111\u01b0\u1ee3c th\u1ef1c hi\u1ec7n b\u1ea5t k\u1ef3 l\u00fac n\u00e0o&nbsp;<code>vault<\/code>d\u1ecbch v\u1ee5 \u0111\u01b0\u1ee3c \u0111\u01b0a xu\u1ed1ng v\u00e0 sau \u0111\u00f3 \u0111\u01b0\u1ee3c \u0111\u01b0a l\u00ean l\u1ea1i, ch\u1eb3ng h\u1ea1n nh\u01b0 khi th\u1ef1c hi\u1ec7n&nbsp;<code>systemctl restart vault<\/code>ho\u1eb7c kh\u1edfi \u0111\u1ed9ng l\u1ea1i m\u00e1y ch\u1ee7.<\/p>\n<p>1.Sau khi&nbsp;<code>VAULT_ADDR<\/code>thi\u1ebft l\u1eadp \u0111\u00fang, h\u00e3y th\u1ef1c hi\u1ec7n l\u1ec7nh m\u1edf kh\u00f3a.<\/p>\n<pre class=\"wp-block-code\"><code>vault operator unseal<\/code><\/pre>\n<p>M\u1ed9t l\u1eddi nh\u1eafc s\u1ebd xu\u1ea5t hi\u1ec7n:<\/p>\n<pre class=\"wp-block-code\"><code>Unseal Key (will be hidden):\n<\/code><\/pre>\n<p>2.D\u00e1n ho\u1eb7c nh\u1eadp m\u1ed9t kh\u00f3a m\u1edf kh\u00f3a v\u00e0 nh\u1ea5n&nbsp;<strong>Enter<\/strong>&nbsp;. 
The command finishes with output similar to the following:<\/p>\n<pre class=\"wp-block-code\"><code>Unseal Key (will be hidden):\nKey                Value\n---                -----\nSeal Type          shamir\nInitialized        true\nSealed             true\nTotal Shares       3\nThreshold          2\nUnseal Progress    1\/2\nUnseal Nonce       0124ce2a-6229-fac1-0e3f-da3e97e00583\nVersion            1.1.0\nHA Enabled         false<\/code><\/pre>\n<p>Note that the output indicates that one of the two required unseal keys has been provided.<\/p>\n<p>3. Run the <code>unseal<\/code> command again.<\/p>\n<pre class=\"wp-block-code\"><code>vault operator unseal<\/code><\/pre>\n<p>4. Enter a <em>different<\/em> unseal key when the prompt appears.<\/p>\n<pre class=\"wp-block-code\"><code>Unseal Key (will be hidden):<\/code><\/pre>\n<p>5. The resulting output should indicate that Vault is now unsealed (note the <code>Sealed false<\/code> line).<\/p>\n<pre class=\"wp-block-code\"><code>Unseal Key (will be hidden):\nKey             Value\n---             -----\nSeal Type       shamir\nInitialized     true\nSealed          false\nTotal Shares    3\nThreshold       2\nVersion         1.1.0\nCluster Name    vault-cluster-a397153e\nCluster ID      a065557e-3ee8-9d26-4d90-b90c8d69fa5d\nHA Enabled      false<\/code><\/pre>\n<p>Vault is now operational.<\/p>\n<h2 id=\"using-vault\">Using Vault<\/h2>\n<h3 id=\"token-authentication\">Token Authentication<\/h3>\n<p>When interacting with Vault over its REST API, Vault identifies and authenticates most requests by the presence of a token. Although the initial root token can be used for now, the <a href=\"https:\/\/www.linode.com\/docs\/guides\/use-hashicorp-vault-for-secret-management\/#policies\">Policies<\/a> section of this guide explains how to provision additional tokens.<\/p>\n<p>1. Set the <code>VAULT_TOKEN<\/code> environment variable to the value of the root token obtained earlier. This token is the authentication mechanism that the <code>vault<\/code> command relies on for all further interaction with Vault. 
The actual root token will differ in your environment.<\/p>\n<pre class=\"wp-block-code\"><code>export VAULT_TOKEN=s.YijNa8lqSDeho1tJBtY02983<\/code><\/pre>\n<p>2. Use the <code>token lookup<\/code> subcommand to confirm that the token is valid and has the expected permissions.<\/p>\n<pre class=\"wp-block-code\"><code>vault token lookup<\/code><\/pre>\n<p>3. The output of this command should include the following:<\/p>\n<pre class=\"wp-block-code\"><code>policies            [root]\n<\/code><\/pre>\n<h3 id=\"the-kv-secret-backend\">The KV Secret Backend<\/h3>\n<p>A Vault backend is the core mechanism that Vault uses to permit users to read and write secret values. The simplest backend for illustrating this functionality is the <a href=\"https:\/\/www.vaultproject.io\/docs\/secrets\/kv\/index.html\" target=\"_blank\" rel=\"noreferrer noopener\">KV backend<\/a>. This backend lets clients write key\/value pairs (such as <code>mysecret=apikey<\/code>) that can be read back later.<\/p>\n<p>1. Enable the secrets backend using the Vault <code>enable<\/code> subcommand.<\/p>\n<pre class=\"wp-block-code\"><code>vault secrets enable -version=2 kv<\/code><\/pre>\n<p>2. Write an example value to the KV backend using the Vault <code>kv put<\/code> subcommand.<\/p>\n<pre class=\"wp-block-code\"><code>vault kv put kv\/myservice api_token=secretvalue<\/code><\/pre>\n<p>This command returns output similar to the following:<\/p>\n<pre class=\"wp-block-code\"><code>Key              Value\n---              -----\ncreated_time     2019-03-31T04:35:38.631167678Z\ndeletion_time    n\/a\ndestroyed        false\nversion          1<\/code><\/pre>\n<p>3. Read this value back from the <code>kv\/myservice<\/code> path.<\/p>\n<pre class=\"wp-block-code\"><code>vault kv get kv\/myservice<\/code><\/pre>\n<p>This command returns output similar to the following:<\/p>\n<pre class=\"wp-block-code\"><code>====== Metadata ======\nKey              Value\n---              -----\ncreated_time     2019-03-31T04:35:38.631167678Z\ndeletion_time    n\/a\ndestroyed        false\nversion          1\n\n====== Data ======\nKey          Value\n---          -----\napi_token    secretvalue<\/code><\/pre>\n<p>4. Many utilities and scripts are better suited to handling JSON output. Use the <code>-format=json<\/code> flag to perform the read once more, this time with the result returned as JSON.<\/p>\n<pre class=\"wp-block-code\"><code>vault kv get -format=json kv\/myservice\n<\/code><\/pre>\n<pre class=\"wp-block-code\"><code>{\n  \"request_id\": \"2734ea81-6f39-c017-4c73-2719b2018b65\",\n  \"lease_id\": \"\",\n  \"lease_duration\": 0,\n  \"renewable\": false,\n  \"data\": {\n    \"data\": {\n      \"api_token\": \"secretvalue\"\n    },\n    \"metadata\": {\n      \"created_time\": \"2019-03-31T04:35:38.631167678Z\",\n      \"deletion_time\": \"\",\n      \"destroyed\": false,\n      \"version\": 1\n    }\n  },\n  \"warnings\": null\n}<\/code><\/pre>\n<h3 id=\"policies\">Policies<\/h3>\n<p>Up to this point, we have made API calls to Vault using the root token. Production best practices dictate that this token should rarely be used, and that most operations should be performed with less-privileged tokens associated with controlled policies.<\/p>\n<p>Policies are defined by specifying a particular path and the set of <em>capabilities<\/em> that a user is permitted on that path. 
In our previous commands, the path was <code>kv\/myservice<\/code>, so we can create a policy that allows only reading this secret and no other operations, including reading or listing other secrets. When no policy exists for a particular path, Vault denies operations by default.<\/p>\n<p>In the case of the KV backend, Vault distinguishes between operations on stored data, which are the actual stored values, and on metadata, which includes information such as version history. In this example, we create a policy to control access to the key\/value data.<\/p>\n<p>1. Create the following Vault policy file, saved as <code>policy.hcl<\/code>.<\/p>\n<pre class=\"wp-block-code\"><code>path \"kv\/data\/myservice\" {\n  capabilities = [\"read\"]\n}<\/code><\/pre>\n<p>This simple policy allows any token associated with it to read the secret stored at the KV secret path <code>kv\/myservice<\/code>. Note the <code>data\/<\/code> segment in the policy path: the version 2 KV backend exposes stored values under <code>kv\/data\/<\/code> and version history under <code>kv\/metadata\/<\/code>, so this policy grants nothing on the metadata.<\/p>\n<p>2. Load this policy into Vault using the <code>policy write<\/code> subcommand. The following command names the policy above <code>read-myservice<\/code>.<\/p>\n<pre class=\"wp-block-code\"><code>vault policy write read-myservice policy.hcl\n<\/code><\/pre>\n<p>3. To demonstrate the use of this policy, create a new token associated with it.<\/p>\n<pre class=\"wp-block-code\"><code>vault token create -policy=read-myservice\n<\/code><\/pre>\n<p>This command returns output similar to the following.<\/p>\n<pre class=\"wp-block-code\"><code>Key                  Value\n---                  -----\ntoken                s.YdpJWRRaEIgdOW4y72sSVygy\ntoken_accessor       07akQfzg0TDjj3YoZSGMPkHA\ntoken_duration       768h\ntoken_renewable      true\ntoken_policies       [\"default\" \"read-myservice\"]\nidentity_policies    []\npolicies             [\"default\" \"read-myservice\"]<\/code><\/pre>\n<p>4. Open another terminal window or tab and log in to the same host on which Vault is running. Set <code>VAULT_ADDR<\/code> so that new <code>vault<\/code> commands point at the local Vault instance, replacing <code>example.com<\/code> with your domain name.<\/p>\n<pre class=\"wp-block-code\"><code>export VAULT_ADDR=https:\/\/example.com:8200\n<\/code><\/pre>\n<p>5. Set the <code>VAULT_TOKEN<\/code> environment variable to the new token just created by the <code>token create<\/code> command. Remember that your actual token will differ from the one in this example.<\/p>\n<pre class=\"wp-block-code\"><code>export VAULT_TOKEN=s.YdpJWRRaEIgdOW4y72sSVygy<\/code><\/pre>\n<p>6. Now attempt to read our secret in Vault at the <code>kv\/myservice<\/code> path.<\/p>\n<pre class=\"wp-block-code\"><code>vault kv get kv\/myservice<\/code><\/pre>\n<p>Vault should return the key\/value data.<\/p>\n<pre class=\"wp-block-code\"><code>====== Metadata ======\nKey              Value\n---              -----\ncreated_time     2019-03-31T04:35:38.631167678Z\ndeletion_time    n\/a\ndestroyed        false\nversion          1\n\n====== Data ======\nKey          Value\n---          -----\napi_token    secretvalue<\/code><\/pre>\n<p>7. To demonstrate forbidden operations, attempt to <code>list<\/code> all secrets in the KV backend.<\/p>\n<pre class=\"wp-block-code\"><code>vault kv list kv\/\n<\/code><\/pre>\n<p>Vault should deny this request.<\/p>\n<pre class=\"wp-block-code\"><code>Error listing kv\/metadata: Error making API request.\n\nURL: GET https:\/\/example.com:8200\/v1\/kv\/metadata?list=true\nCode: 403. Errors:\n\n* 1 error occurred:\n        * permission denied<\/code><\/pre>\n<p>8. By contrast, try the same operation in the earlier terminal window that was configured with the root token.<\/p>\n<pre class=\"wp-block-code\"><code>vault kv list kv\/\n<\/code><\/pre>\n<pre class=\"wp-block-code\"><code>Keys\n----\nmyservice<\/code><\/pre>\n<p>The root token should have sufficient permissions to return a list of all secret keys under the <code>kv\/<\/code> path.<\/p>\n<h3 id=\"authentication-methods\">Authentication Methods<\/h3>\n<p>In practice, when services that require secret values are deployed, tokens should not be distributed as part of the deployment or configuration management process. Instead, services should authenticate themselves to Vault to obtain a token with a limited lifetime. This ensures that credentials eventually expire and cannot be reused if they are leaked or disclosed.<\/p>\n<p>Vault supports many types of authentication methods. 
For example, the Kubernetes authentication method can retrieve a token for each pod. As a simple illustrative example, the following steps demonstrate how to use the <a href=\"https:\/\/www.vaultproject.io\/docs\/auth\/approle.html\" target=\"_blank\" rel=\"noreferrer noopener\">AppRole<\/a> method.<\/p>\n<p>The AppRole authentication method works by requiring clients to provide two pieces of information: the AppRole RoleID and a SecretID. The recommended approach is to store these two values in separate locations, because either one alone is not sufficient to authenticate to Vault, but combined they allow a client to retrieve a valid Vault token. For example, in a production service the RoleID might be present in the service's configuration file, while the SecretID could be supplied as an environment variable.<\/p>\n<p>1. Enable the AppRole authentication method using the <code>auth<\/code> subcommand. Remember to perform these steps in the terminal window in which the root token is stored in the <code>VAULT_TOKEN<\/code> environment variable, otherwise the Vault commands will fail.<\/p>\n<pre class=\"wp-block-code\"><code>vault auth enable approle\n<\/code><\/pre>\n<p>2. Create a named role. This defines a role that can be used to \"log in\" to Vault and obtain a token with a policy associated with it. The following command creates a named role called <code>my-application<\/code> that generates tokens valid for 10 minutes, which will have the <code>read-myservice<\/code> policy associated with them.<\/p>\n<pre class=\"wp-block-code\"><code>vault write auth\/approle\/role\/my-application \\\n    token_ttl=10m \\\n    policies=read-myservice<\/code><\/pre>\n<p>3. Retrieve the RoleID of the named role, which uniquely identifies the AppRole. Note this value for later use.<\/p>\n<pre class=\"wp-block-code\"><code>vault read auth\/approle\/role\/my-application\/role-id<\/code><\/pre>\n<pre class=\"wp-block-code\"><code>Key        Value\n---        -----\nrole_id    147cd412-d1c2-4d2c-c57e-d660da0b1fa8<\/code><\/pre>\n<p>In this example case, the RoleID is <code>147cd412-d1c2-4d2c-c57e-d660da0b1fa8<\/code>. Note that your value will differ.<\/p>\n<p>4. Finally, read the secret-id of the named role and save this value for later use.<\/p>\n<pre class=\"wp-block-code\"><code>vault write -f auth\/approle\/role\/my-application\/secret-id\n<\/code><\/pre>\n<pre class=\"wp-block-code\"><code>Key                   Value\n---                   -----\nsecret_id             2225c0c3-9b9f-9a9c-a0a5-10bf06df7b25\nsecret_id_accessor    30cbef6a-8834-94fe-6cf3-cf2e4598dd6a<\/code><\/pre>\n<p>In this example output, the SecretID is <code>2225c0c3-9b9f-9a9c-a0a5-10bf06df7b25<\/code>.<\/p>\n<p>5. Use these values to generate a limited-use token by performing a <code>write<\/code> operation against the AppRole API. Replace the RoleID and SecretID values here with your own.<\/p>\n<pre class=\"wp-block-code\"><code>vault write auth\/approle\/login \\\n    role_id=147cd412-d1c2-4d2c-c57e-d660da0b1fa8 \\\n    secret_id=2225c0c3-9b9f-9a9c-a0a5-10bf06df7b25<\/code><\/pre>\n<p>The resulting output includes a new token, which in this example output is <code>s.3uu4vwFO8D1mG5S76IG04mck<\/code>.<\/p>\n<pre class=\"wp-block-code\"><code>Key                     Value\n---                     -----\ntoken                   s.3uu4vwFO8D1mG5S76IG04mck\ntoken_accessor          fi3aW4W9kZNB3FAC20HRXeoT\ntoken_duration          10m\ntoken_renewable         true\ntoken_policies          [\"default\" \"read-myservice\"]\nidentity_policies       []\npolicies                [\"default\" \"read-myservice\"]\ntoken_meta_role_name    my-application<\/code><\/pre>\n<p>6. Open an additional terminal tab or window and log in to the remote host running Vault.<\/p>\n<p>7. Once again, set the <code>VAULT_ADDR<\/code> environment variable to the correct value to communicate with your local Vault instance.<\/p>\n<pre class=\"wp-block-code\"><code>export VAULT_ADDR=https:\/\/example.com:8200<\/code><\/pre>\n<p>8. Set the <code>VAULT_TOKEN<\/code> environment variable to this newly generated token. From the previous example output, this would be the following (note that your token will differ).<\/p>\n<pre class=\"wp-block-code\"><code>export VAULT_TOKEN=s.3uu4vwFO8D1mG5S76IG04mck<\/code><\/pre>\n<p>9. Read the KV path that this token is able to access.<\/p>\n<pre class=\"wp-block-code\"><code>vault kv get kv\/myservice<\/code><\/pre>\n<p>The secret should be readable.<\/p>\n<p>10. If you read this value with this Vault token after more than 10 minutes have passed, the token will have expired and any read operations using it will be denied. Performing another <code>vault write auth\/approle\/login<\/code> operation (detailed in step 5) generates a new token for use.<\/p>\n<h2 id=\"more-information\">More Information<\/h2>\n<p>You may wish to consult the following resources for additional information on this topic. 
While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.<\/p>\n<ul>\n<li><a href=\"https:\/\/www.vaultproject.io\/docs\/\" target=\"_blank\" rel=\"noreferrer noopener\">Vault Documentation Overview<\/a><\/li>\n<li><a href=\"https:\/\/learn.hashicorp.com\/vault\/day-one\/ops-reference-architecture\" target=\"_blank\" rel=\"noreferrer noopener\">Vault Reference Architecture and Best Practices<\/a><\/li>\n<li><a href=\"https:\/\/www.vaultproject.io\/docs\/secrets\/index.html\" target=\"_blank\" rel=\"noreferrer noopener\">Vault Secrets Engines<\/a><\/li>\n<li><a href=\"https:\/\/www.vaultproject.io\/docs\/auth\/index.html\" target=\"_blank\" rel=\"noreferrer noopener\">Vault Authentication Methods<\/a><\/li>\n<\/ul>\n<p>Source: https:\/\/www.linode.com\/docs\/guides\/use-hashicorp-vault-for-secret-management\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>HashiCorp Vault is a secrets management tool that provides secure, automated access to sensitive data. Vault meets these use cases by pairing authentication methods (such as application tokens) with secrets engines (such as pairs<\/p>\n","protected":false},"author":1,"featured_media":36259,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[128],"tags":[],"class_list":["post-35030","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vault"],"_links":{"self":[{"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/posts\/35030","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/comments?post=35030"}],"version-history":[{"count":0,"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/posts\/35030\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/media\/36259"}],"wp:attachment":[{"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/media?parent=35030"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/categories?post=35030"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jupitek.maudemo.vip\/index.php\/wp-json\/wp\/v2\/tags?post=35030"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}