From d00c7211ecbe7e6201122d946d1764796eb87c79 Mon Sep 17 00:00:00 2001
From: Jiffin Tony Thottan
Date: Tue, 29 Jun 2021 18:11:37 +0530
Subject: [PATCH] doc/radosgw/vault: update the vault documentation

The details about the vault agent are specified twice in the doc; removing the additional reference from the `vault token` section.

Signed-off-by: Jiffin Tony Thottan
---
 doc/radosgw/vault.rst | 54 +------------------------------------------
 1 file changed, 1 insertion(+), 53 deletions(-)

diff --git a/doc/radosgw/vault.rst b/doc/radosgw/vault.rst
index 0f3cb8fd121..9a5217998be 100644
--- a/doc/radosgw/vault.rst
+++ b/doc/radosgw/vault.rst
@@ -174,58 +174,6 @@ Adjust these settinsg to match your configuration. For security reasons, the token file must be readable by the Object Gateway only. -You might set up vault agent as follows:: - - vault write auth/approle/role/rgw-ap \ - token_policies=rgw-transit-policy,default \ - token_max_ttl=60m - -Change the policy here to match your configuration. - -Get the role-id:: - - vault read auth/approle/role/rgw-ap/role-id -format=json | \ - jq -r .data.role_id - -Store the output in some file, such as /usr/local/etc/vault/.rgw-ap-role-id - -Get the secret-id:: - - vault read auth/approle/role/rgw-ap/role-id -format=json | \ - jq -r .data.role_id - -Store the output in some file, such as /usr/local/etc/vault/.rgw-ap-secret-id - -Create configuration for the Vault agent, such as:: - - pid_file = "/run/rgw-vault-agent-pid" - auto_auth { - method "AppRole" { - mount_path = "auth/approle" - config = { - role_id_file_path ="/usr/local/etc/vault/.rgw-ap-role-id" - secret_id_file_path ="/usr/local/etc/vault/.rgw-ap-secret-id" - remove_secret_id_file_after_reading ="false" - } - } - sink "file" { - config = { - path = "/run/.rgw-vault-token" - } - } - } - vault { - address = "https://vault-server-fqdn:8200" - } - -Then use systemctl or another method of your choice to run -a persistent daemon with the following arguments:: - - /usr/local/bin/vault agent -config=/usr/local/etc/vault/rgw-agent.hcl - -Once the vault agent is running, the token file should be populated -with a valid token. - Vault agent ----------- @@ -345,7 +293,7 @@ The command above creates a keyring, which contains a key of type ``aes256-gcm96`` by default. To verify that the key was correctly created, use the following command:: - vault read transit/mybucketkey + vault read transit/keys/mybucketkey Sample output::
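Review bot: the duplicated block being removed in the first hunk carried a copy-paste error that should not survive in the retained "Vault agent" section: its "Get the secret-id" step repeats the role-id command (`vault read auth/approle/role/rgw-ap/role-id -format=json | jq -r .data.role_id`) and so would write a role ID into `.rgw-ap-secret-id`; a secret ID is generated with `vault write -f auth/approle/role/rgw-ap/secret-id` and read from `.data.secret_id`. Please confirm the surviving copy of these steps further down in the file has the correct command before merging, since the removal is the only place in this patch where the duplicate is visible. Unrelated to the deletion, the retained context line still reads "settinsg" (line 174), which is a cheap typo fix to fold into the same doc cleanup.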
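Review bot: the second hunk changes `vault read transit/mybucketkey` to `vault read transit/keys/mybucketkey`, which is a correctness fix (the transit secrets engine exposes key metadata under `transit/keys/<name>`), but the commit message only describes removing the duplicated vault agent text. Add a sentence to the message noting the corrected read path so the fix is discoverable in history, and check that the "Sample output" block immediately after this line still matches what that command prints.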