Wildcards
* --> glob wildcard; allowed only at the end of a path
+ --> single-segment wildcard; may appear in the middle of a path
------------------------------------------------------
vault login
vault policy list
vault policy help
——————————————————
cat /etc/vault.d/admin-policy.hcl
#############################
#### Vault Policy - Admin ####
#############################
# Permit access to all sys backend configurations to administer Vault itself.
# Note that some sys/ paths require sudo, hence the sudo capability below.
path "sys/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage Vault auth methods (sudo included, as for sys/).
path "auth/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage Vault identities.
# No sudo is granted here, unlike the sys/ and auth/ stanzas above.
path "identity/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
——————————————————
vault policy write vault-admin /etc/vault.d/admin-policy.hcl
Success! Uploaded policy: vault-admin
——————————————————
vault policy read app-policy
# Full CRUD plus list on application secret data under kv/data/apps/.
path "kv/data/apps/*" {
capabilities = ["read","create","update","delete","list"]
}
# Metadata: read/create/update/list only -- note there is no delete here.
path "kv/metadata/*" {
capabilities = ["read","create","update","list"]
}
# Explicit deny for the HR subtree. In Vault an explicit deny takes precedence
# over the broader kv/data/apps/* grant above, so this carves HR data out of
# the app policy's reach.
path "kv/data/apps/hr/*" {
capabilities = ["deny"]
}
——————————————————
vault token create -policy=app-policy
Key Value
--- -----
token hvs.CAESIGh01KavxJJn75FvrIv3lLMYuogr_am4mzKGhpPDWCSKGh4KHGh2cy5VRzN3bjlPaEFTNHAwcHhUWUQ2elZMMWg
token_accessor XJozdFwyYE0yjfCea4Okibt9
token_duration 768h
token_renewable true
token_policies ["app-policy" "default"]
identity_policies []
------------------------------------------------------
export VAULT_TOKEN=$(cat /tmp/token_file)
——————————————————
vault kv get kv/apps/frontend
==== Secret Path ====
kv/data/apps/frontend
======= Metadata =======
Key Value
--- -----
created_time 2026-04-14T06:12:48.898828883Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
=== Data ===
Key Value
--- -----
api 39dnwm2odm2aqcnsl203k
——————————————————
export -n VAULT_TOKEN
vault policy read hr-policy
——————————————————
vault login -method=userpass username=thomas
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.CAESIKu8e82XozADFH5wVC89JWCPjU5E9a-16-43yWpIZ8vPGh4KHGh2cy43RWNrZVZsSFlJMWJFSThYUUJMWmI5Wks
token_accessor 6FrBWbMJIyrzFC3f1ZUWHbet
token_duration 768h
token_renewable true
token_policies ["default" "hr-policy"]
identity_policies []
policies ["default" "hr-policy"]
token_meta_username thomas
——————————————————
vault kv get kv/apps/hr/employee/109
======== Secret Path ========
kv/data/apps/hr/employee/109
======= Metadata =======
Key Value
--- -----
created_time 2026-04-14T06:12:49.3277166Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
=== Data ===
Key Value
--- -----
id 103839829
------------------------------------------------------
vault kv put kv/apps/hr/employee/001 id=402948100
======== Secret Path ========
kv/data/apps/hr/employee/001
======= Metadata =======
Key Value
--- -----
created_time 2026-04-14T06:51:51.370934633Z
custom_metadata
deletion_time n/a
destroyed false
version 2
Find the number of tokens (one accessor is listed per token)
vault list auth/token/accessors
Keys
----
pK2laNfobLPKSfQHidWHvwwN
Create a simple token
vault token create -policy=default -ttl=1h
Key Value
--- -----
token hvs.CAESIC5YfEHWPoWNTkIx9D5IJlOaJHU5ZuDycy9zGJYw0vx4Gh4KHGh2cy5POFp6eHIwWDZyZ01QTWprWUN1SjAwV3A
token_accessor Wv12LMxC23ufFG4ChqqGbTzz
token_duration 1h
token_renewable true
token_policies ["default"]
identity_policies []
policies ["default"]
Create a batch token (note in the output: token_accessor is n/a and token_renewable is false)
vault token create -type=batch -policy=vault-admin -ttl=1h
Key Value
--- -----
token hvb.AAAAAQJwp2tpSGSEjjpfFKS5JmNdxBijU6luKO-EBeMoIZRzFP1BpDZ7yO_h0KjSMBwHB_0kt3Cz6-SnR7c2-v7O0egXHP3xhkCiDhqIE49SvSySA6twfBn3mPMUc4sJt_red_Qiplds_iolG5l2SbHY9VQB2nycw6RA2E_NbzTlNcb1aDc
token_accessor n/a
token_duration 1h
token_renewable false
token_policies ["default" "vault-admin"]
identity_policies []
policies ["default" "vault-admin"]
Token properties (lookup of the batch token created above)
vault token lookup $(cat /path/to/the/token)
Key Value
--- -----
accessor n/a
creation_time 1776246617
creation_ttl 1h
display_name token
entity_id n/a
expire_time 2026-02-22T03:00:17-04:00
explicit_max_ttl 0s
id hvb.AAAAAQJwp2tpSGSEjjpfFKS5JmNdxBijU6luKO-EBeMoIZRzFP1BpDZ7yO_h0KjSMBwHB_0kt3Cz6-SnR7c2-v7O0egXHP3xhkCiDhqIE49SvSySA6twfBn3mPMUc4sJt_red_Qiplds_iolG5l2SbHY9VQB2nycw6RA2E_NbzTlNcb1aDc
issue_time 2026-02-22T02:00:17-04:00
meta <nil>
num_uses 0
orphan false
path auth/token/create
policies [default vault-admin]
renewable false
ttl 58m16s
type batch