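# Vault bootstrap walkthrough: start the server, init/unseal, GitHub auth,
# SSH OTP backend, SELinux policy, MySQL dynamic credentials, audit logging.
# The verbs are the legacy (pre-1.0) CLI names; on newer CLIs the equivalents
# are `vault operator init|unseal`, `vault secrets enable`, `vault auth enable`,
# `vault login`, `vault policy write` and `vault audit enable`.
# Steps are run interactively, in order, each after the previous one succeeded.

# The server runs in the foreground: start it in its own terminal (or as a
# system service) and issue everything below from a second shell.
sudo vault server --config vault.example.com.config

# Point the CLI at the server over TLS; every command below reads VAULT_ADDR.
export VAULT_ADDR="https://vault.example.com:8200"
vault status

# `vault init` prints the unseal key shares and the initial root token exactly
# once; store them out of band and use the root token only for bootstrap.
# `vault unseal` prompts for one key share; repeat until the status is unsealed.
vault init
vault unseal
vault mounts

# Demo write/list against the generic backend. Anything passed as key=value on
# the command line lands in shell history and `ps` output; for real secrets
# supply the payload with `@file` or `-` (stdin) instead.
vault write /secret/secret value="secret"
vault list /secret

# Log in (prompts for a token), mint a token limited to `default`, load a policy.
vault auth
vault token-create -policy=default
vault policy-write ita policy.hcl

# GitHub auth: members of the mapped team receive the listed policies.
# Mapping a team to `root` hands Vault root to whoever can edit that GitHub
# team's membership; prefer a scoped admin policy (the `ita` policy written
# above is a candidate) and keep root for break-glass use.
vault auth-enable github
vault write auth/github/config organization=IT-Administrator
vault write auth/github/map/teams/administrators value=root
# The personal access token is no longer given as `token=` on argv (where it
# would be recorded in shell history); the CLI prompts for it, or on current
# CLIs reads VAULT_AUTH_GITHUB_TOKEN from the environment.
vault auth -method=github

# SSH OTP backend. vault-ssh-helper runs on the target host; -verify-only
# checks its config against the server without authenticating anyone.
vault mount ssh
vault-ssh-helper -verify-only -config=/etc/vault-ssh-helper.d/config.hcl
# cidr_list pins the role to a single host (this was a `>` continuation line).
vault write ssh/roles/ec2instance key_type=otp default_user=ec2-user \
  cidr_list=w.x.y.z/32
vault write ssh/creds/ec2instance ip=w.x.y.z
vault ssh -role ec2instance ec2-user@w.x.y.z

# SELinux: build an allow module from logged AVC denials. The grep matches every
# AVC in the audit log, not only vault's, so narrow it to the vault process and
# read the generated .te before installing the module.
grep 'avc' /var/log/audit/audit.log | audit2allow -R -M vault.allow
semodule -i vault.allow.pp

# MySQL dynamic credentials. The connection URL carries the DB password, so it
# is read from a file (example name; keep it mode 0600) rather than from argv.
# mysql-connection.json holds: {"connection_url": "user:password@tcp(w.x.y.z:3306)/"}
# The original `connection_url= "..."` (note the space) set an empty
# connection_url and passed the URL as a separate, unnamed argument.
# The DB account Vault uses needs only CREATE USER / GRANT rights, not full admin.
vault mount mysql
vault write /mysql/config/connection @mysql-connection.json
vault write /mysql/config/lease lease=1h lease_max=24h
# `*.*` grants SELECT on every database; scope the GRANT to the schemas the
# consumers of this role actually need.
vault write /mysql/roles/readonly sql="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';"
vault list /mysql/roles
vault read /mysql/roles/readonly
vault read /mysql/creds/readonly
# A second instance of the same backend mounted at a different path.
vault mount -path mysql2 mysql

# Audit to syslog. Enable this immediately after the first login rather than
# last, so the bootstrap actions above are recorded as well.
vault audit-enable syslog tag="vault" facility="AUTH"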