
vault

2026-01-07

general


  • Set address
# Point the CLI at a local dev server. Plain http on the loopback address only;
# a non-local server would need an https:// URL (and VAULT_CACERT if self-signed).
VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_ADDR
  • Enable path
# Mount the versioned KV engine at "jenkins/" (kv with -version=2 is the same
# engine as the "kv-v2" shorthand). Secrets later live under jenkins/data/...
# and their metadata under jenkins/metadata/..., which the policy below references.
vault secrets enable -path='jenkins' -version=2 kv
  • Login
# Token auth is the CLI default; with no token on the command line the CLI
# prompts for it, so the token does not land in shell history or `ps` output.
vault login -method=token

secrets


  • Write secrets
# Seed sample secrets under the jenkins/szalek1/myapp tree.
# NOTE: key=value pairs passed as arguments are recorded in shell history and are
# visible to `ps` while the command runs; for real credentials use
# `vault kv put <path> -` with the JSON on stdin, or `@file`, instead of argv.
vault kv put 'jenkins/szalek1/myapp/database' \
  username='dbuserA' \
  password='dbpassA'
vault kv put 'jenkins/szalek1/myapp/api' \
  key='aaa' \
  url='bbb'
  • Read secrets
# Read back both sample secrets (latest version, all fields printed to stdout —
# avoid running this in a logged CI step if the values matter).
for leaf in database api; do
  vault kv get "jenkins/szalek1/myapp/${leaf}"
done

role


  • Create role
# JWT auth role for the szalek1 job. A presented JWT must carry aud "vault"
# (bound_audiences) and a job_name claim of exactly "szalek1" (bound_claims);
# the token it yields gets jenkins-szalek1-policy and a 1h TTL. The heredoc
# delimiter is quoted so nothing in the JSON is subject to shell expansion.
cat <<'EOF' | vault write auth/jwt/role/jenkins-szalek1-role -
{
  "role_type": "jwt",
  "bound_audiences": "vault",
  "user_claim": "sub",
  "policies": "jenkins-szalek1-policy",
  "bound_claims": {
    "job_name": ["szalek1"]
  },
  "ttl": "1h"
}
EOF
  • List and read role
# Inspect the JWT roles: list every role name, then dump the one just created
# to confirm the bound_claims / bound_audiences restrictions took effect.
role_name='jenkins-szalek1-role'
vault list auth/jwt/role/
vault read "auth/jwt/role/${role_name}"

policy


  • Create policy
# Policy attached to the szalek1 role. KV v2 splits each mount into data/ and
# metadata/ paths, so both prefixes are needed: "read" on data returns the
# secret values, "read"+"list" on metadata allows browsing the tree.
# The auth/token/create grant lets a holder of this policy mint child tokens —
# keep it only if the pipeline actually needs to create tokens.
# The delimiter is quoted so the HCL is stored verbatim, with no shell expansion.
cat <<'EOF' | vault policy write jenkins-szalek1-policy -

path "jenkins/data/szalek1/*" {
  capabilities = ["read"]
}

path "jenkins/metadata/szalek1/*" {
  capabilities = ["read", "list"]
}

path "auth/token/create" {
  capabilities = ["create", "update"]
}

EOF
  • List and read policy
# Verify the policy: list all policy names, then print the stored HCL for ours.
policy_name='jenkins-szalek1-policy'
vault policy list
vault policy read "${policy_name}"