Vault configuration
Connect to vault
Set these variables according to your deployment (the values below are placeholders, not credentials to reuse):
bash
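# Address of the Vault server. Plain http:// is only acceptable for a loopback
# dev instance like this one; a Vault reached over the network must be addressed
# with https://, otherwise the token below is sent in clear text on every request.
export VAULT_ADDR=http://127.0.0.1:8200
# Placeholder only — never paste a real token into a document or a script.
# Exporting a literal token also records it in the shell history; when entering a
# real one prefer `read -rs VAULT_TOKEN && export VAULT_TOKEN` (no echo, no history).
export VAULT_TOKEN='s.REPLACE_WITH_YOUR_TOKEN'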
You can check that the server is reachable and unsealed with:

```
$ vault status
Type: shamir
Sealed: false
Key Shares: 1
Key Threshold: 1
Unseal Progress: 0
Unseal Nonce:
Version: 1.3.4
Cluster Name: vault-cluster-650930cf
Cluster ID: 9f40327d-ec71-9655-b728-7588ce47d0b4
High-Availability Enabled: false
```

Note that `vault status` only queries the seal status, which does not require a token, so a successful result does not prove that `VAULT_TOKEN` is valid; run `vault token lookup` to verify the token itself. The output above (`Key Shares: 1`, `Key Threshold: 1`) is a single-unseal-key setup suitable for development only; a production cluster should be initialized with several key shares and a threshold greater than one.
Create the following policy files
peatio-rails.hcl
# Policy for the peatio-rails service.
# It may create transit keys, read their metadata, enumerate them and encrypt
# with them. It is deliberately NOT granted decrypt, sign, delete, or "update"
# on transit/keys/* (so it cannot change key configuration such as deletion_allowed).

# Key management: create keys, read key metadata, enumerate keys.
path "transit/keys/*" {
  capabilities = ["create", "read", "list"]
}

# Encrypt-only access to every transit key.
path "transit/encrypt/*" {
  capabilities = ["create", "update"]
}

# Token maintenance. These are the by-ID endpoints (the token ID is passed in the
# request body), so the holder can renew or look up ANY token whose ID it knows.
# If the client only ever renews its own token, auth/token/renew-self and
# auth/token/lookup-self — which Vault's built-in "default" policy normally grants —
# are sufficient; TODO confirm against the client library before narrowing this.
path "auth/token/renew" {
  capabilities = ["update"]
}

path "auth/token/lookup" {
  capabilities = ["update"]
}
finex-engine.hcl
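# Policy for the finex-engine service.
# It creates transit keys and uses them to decrypt and sign. It is not granted
# encrypt, list, delete, or "update" on transit/keys/*.

# Create keys and read their metadata.
# The previous version granted "read" on "transit/*", which also covers
# transit/export/* and transit/backup/* — i.e. the ability to pull key material
# out of Vault for any key created as exportable or with backup allowed. Nothing
# on this page requires that, so the read is scoped to key metadata. If the engine
# turns out to read another transit endpoint, add that path explicitly instead of
# restoring the wildcard (TODO confirm against the engine's Vault client).
path "transit/keys/*" {
  capabilities = ["create", "read"]
}

# Decrypt with any transit key.
path "transit/decrypt/*" {
  capabilities = ["create", "update"]
}

# Sign with any transit key (also matches transit/sign/<name>/<hash_algorithm>).
path "transit/sign/*" {
  capabilities = ["update"]
}

# Token maintenance. These are the by-ID endpoints (the token ID is passed in the
# request body), so the holder can renew or look up ANY token whose ID it knows.
# If the client only ever renews its own token, auth/token/renew-self and
# auth/token/lookup-self — which Vault's built-in "default" policy normally grants —
# are sufficient; TODO confirm against the client library before narrowing this.
path "auth/token/renew" {
  capabilities = ["update"]
}

path "auth/token/lookup" {
  capabilities = ["update"]
}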
Write the policies into Vault
# Load both policy documents into Vault under the names the application tokens
# below are created with. `vault policy write` creates or replaces the named
# policy, so this step can be repeated after editing the .hcl files.
for policy_name in peatio-rails finex-engine; do
  vault policy write "$policy_name" "$policy_name.hcl"
done
Create application tokens
# Issue one periodic service token per policy. A periodic token has no maximum
# TTL: it stays valid for as long as the service renews it at least every 30
# minutes (the auth/token/renew grant in the policies above), so it must be
# revoked explicitly (`vault token revoke <token>`) when the service is
# decommissioned or the credential is rotated. The command prints the token to
# the terminal — treat that output as a secret: deliver it to the service through
# its secret store, never through a ticket, chat message or shell history.
for policy_name in peatio-rails finex-engine; do
  vault token create -policy="$policy_name" -period=30m
done