HashiCorp Vault | Getting started
Hi, there! It is a text version of the Vault webinar
Let’s go!
First of all, we have to download Vault or install it via your favorite package manager. You can download the latest version of Vault from the official website — https://www.vaultproject.io/downloads
Or simply install it via brew:
brew tap hashicorp/tap
brew install hashicorp/tap/vault
After a successful installation, we can check that Vault is in the PATH.
Also, we need Docker for this tutorial; I hope you have already installed it.
In this tutorial, we are going to use Consul as the storage backend for our Vault. Consul is basically a key-value store:
brew tap hashicorp/tap
brew install hashicorp/tap/consul
After this, we can check that the installation was successful.
Now we have to clone the repo — we can do it with the next command:
git clone https://github.com/spkane/vault-local-dev.git --config core.autocrlf=input
cd vault-local-dev
Let’s take a look at what is inside this repository. The docker-compose.yml file looks like this:
It basically describes two services — vault and consul — and the network between them. The Vault service depends on the Consul service. We have to add the IPC_LOCK capability for Vault:
cap_add:
- IPC_LOCK
because Vault calls mlock() to keep its memory from being swapped to disk.
Let’s start our services with the next command:
docker compose up -d
We now have a vanilla cluster. Congrats!
Now we should set two environment variables:
export VAULT_ADDR='https://127.0.0.1:8080'
export VAULT_CACERT="${PWD}/certs/ca.crt"
We are going to use our binary installations of Vault and Consul as clients for the Vault and Consul servers running inside the containers.
The Consul container does not persist ANY data, because it is in DEV mode. Actually, Vault supports many storage backends, such as PostgreSQL, the file system, and S3.
After starting Vault we have to initialize it. We decide how many key shares are generated and how many of them are required to unseal Vault:
vault operator init --key-shares=5 --key-threshold=3
Note: You should securely store the unseal keys and initial root token. They can not be recovered if they are lost.
Now we have to unseal our Vault; we can do it with the next command:
vault operator unseal
After this the terminal will prompt you to enter an unseal key.
If you enter a correct unseal key you will see something like this:
Repeat this unseal process until you get:
Take a look at the Sealed row: now it is false.
Now we can log in to Vault with the next command:
vault login
Enter the root token and you will see something like this:
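The init and unseal steps above are easy to script badly (pasting all five shares into a shell history, for example). The following is an added example, not part of the webinar or of the vault-local-dev repository: it parses the text that `vault operator init` prints, pulls out the shares and the root token, and unseals with exactly the threshold number of shares. The sample init output, its key material and the root token are constructed placeholders; the script only calls the real `vault` CLI when it is on the PATH and `VAULT_DRY_RUN` is not set.

```shell
#!/bin/sh
# Added example: parse `vault operator init` output and unseal with only a
# threshold of the shares. Assumes VAULT_ADDR and VAULT_CACERT are exported.

# Constructed sample of the output of
# `vault operator init --key-shares=5 --key-threshold=3`.
# The shares and the token are fake placeholders, not real key material.
SAMPLE_INIT_OUTPUT='Unseal Key 1: share1-PLACEHOLDER
Unseal Key 2: share2-PLACEHOLDER
Unseal Key 3: share3-PLACEHOLDER
Unseal Key 4: share4-PLACEHOLDER
Unseal Key 5: share5-PLACEHOLDER

Initial Root Token: s.ROOTTOKEN-PLACEHOLDER

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above.'

# Print the unseal key shares, one per line, in the order they were issued.
extract_unseal_keys() {
  printf '%s\n' "$1" | sed -n 's/^Unseal Key [0-9][0-9]*: //p'
}

# Print the initial root token.
extract_root_token() {
  printf '%s\n' "$1" | sed -n 's/^Initial Root Token: //p'
}

# Read the key threshold back from the summary line ("... key threshold of 3.").
extract_threshold() {
  printf '%s\n' "$1" | sed -n 's/.*key threshold of \([0-9][0-9]*\)\..*/\1/p'
}

# Unseal using exactly the first <threshold> shares. Vault needs no more than
# the threshold, so feeding every share would only expose extra key material.
# With VAULT_DRY_RUN=1 (or no vault binary) it prints what it would run instead.
unseal_with_threshold() {
  init_output=$1
  threshold=$(extract_threshold "$init_output")
  if [ -z "$threshold" ]; then
    echo "could not find the key threshold in the init output" >&2
    return 1
  fi
  extract_unseal_keys "$init_output" | head -n "$threshold" | while IFS= read -r key; do
    if [ "${VAULT_DRY_RUN:-0}" = "1" ] || ! command -v vault >/dev/null 2>&1; then
      # Never echo the share itself; it is secret material.
      echo "would run: vault operator unseal <share>"
    else
      vault operator unseal "$key" >/dev/null
    fi
  done
}
```

In real use the init output would come from `vault operator init` itself (for example `init_output=$(vault operator init --key-shares=5 --key-threshold=3)`), after which each share and the root token should be handed to separate custodians rather than kept in one file.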
One of the greatest features of Consul is saving backups and restoring them with simple commands:
consul snapshot save backups/vault-consul-backup
The data in these snapshots is also encrypted, so the backup is useless to anyone who obtains it without the unseal keys.
Let’s talk about secrets engines:
- Key-value storage engine
- Cubbyhole storage engine
Many more secrets engine types can be found in the Vault documentation.
Secrets engines are isolated, and each has access only to its own data.
Okay, now we would like to list all secrets engines enabled in our Vault. We can do it with the next command:
vault secrets list
These endpoints cannot be disabled or moved:
- The cubbyhole secrets engine is used to store arbitrary secrets within the configured physical storage for Vault, namespaced to a token. In the cubbyhole, paths are scoped per token. No token can access another token’s cubbyhole. When the token expires, its cubbyhole is destroyed.
- The identity secrets engine is the identity management solution for Vault. It internally maintains the clients who are recognized by Vault.
- The system backend is a default backend in Vault that is mounted at the /sys endpoint. This endpoint is used to configure Vault and interact with many of Vault’s internal features.
Now we are going to enable audit logging on our Vault.
Now let’s start interacting with our Vault — we need to create a token. We can do it with the next command:
vault token create -use-limit=2 -renewable=false -display-name=uselimit
Okay, the first three words don’t need explanation I think, but the flags should be described:
-use-limit=<integer> | How many times this token can be used
-renewable=false|true | Whether the token is renewable
-display-name=<name> | The name under which this token will be shown
Let’s try to store our secret:
VAULT_TOKEN="s.AFXfi8zrkI8VR78tm6ow7LTp" vault write cubbyhole/oursecret password=12345
Now let’s get our secret back from Vault:
vault read cubbyhole/oursecret
Oh no! We got an error. The cause of the error is that we didn’t provide the Vault token. Let’s fix this and try again to get our secret back from Vault.
If we try to read one more time we get another error. It happened because we reached our limit — remember the -use-limit=2 flag?
Let’s try one more operation with tokens. We can create a time-limited token:
vault token create -explicit-max-ttl=2m -renewable=false -display-name=timelimit
After two minutes:
Now let’s turn on the key-value secrets engine in Vault.
Policies
Let’s talk about policies — by default two policies exist: default and root. We can list policies with the next command:
vault policy list
Now let’s read one of these policies — we can do it with the next command:
vault policy read default
Actually, we cannot read the root policy.
Let’s create a new policy from our file located at config/vault/policies/mypolicy-kv.hcl
We can view the contents of this file with the cat command or in an editor such as vim.
To upload our policy to Vault, use the next command:
vault policy write kv-no-delete config/vault/policies/mypolicy-kv.hcl
Now we can create a token with this policy:
vault token create -policy=kv-no-delete -display-name=myuser
Moving on, let’s log in to Vault with the created token.
As you can see, under this token we don’t have access to paths like secret/data/dev
But we can get our capabilities for the right path:
vault token capabilities secret/data/dev/myteam
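The article does not print the contents of mypolicy-kv.hcl, so the following is an added example, not the repository's own policy file: a KV v2 policy in the spirit of kv-no-delete, which lets a token create, read, update and list secrets under secret/dev/myteam/ but never delete them, together with a small pre-upload check that refuses any policy granting "delete" or "sudo". It assumes the kv secrets engine is mounted at secret/ as KV version 2 (hence the secret/data/ and secret/metadata/ API paths seen in the commands above); the vault CLI is only invoked when it is on the PATH and `VAULT_DRY_RUN` is not set.

```shell
#!/bin/sh
# Added example: a "no delete" KV v2 policy plus a guard that checks a policy
# text before uploading it. Assumes a KV v2 engine mounted at secret/.

# Render the policy as HCL. In KV v2, deleting a version, undeleting, destroying
# and removing the whole key all go through paths we simply do not grant.
render_kv_no_delete_policy() {
  cat <<'EOF'
# Write and read secret versions, but without the delete capability.
path "secret/data/dev/myteam/*" {
  capabilities = ["create", "read", "update", "list"]
}

# In KV v2 the key listing lives on the metadata path; reading metadata is harmless.
path "secret/metadata/dev/myteam/*" {
  capabilities = ["read", "list"]
}
EOF
}

# Return 0 if any non-comment "capabilities = [...]" line in the policy text ($1)
# contains the capability named in $2.
policy_grants() {
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep 'capabilities' | grep -q "\"$2\""
}

# Refuse policies that grant destructive or privileged capabilities anywhere.
policy_is_safe() {
  for cap in delete sudo; do
    if policy_grants "$1" "$cap"; then
      echo "refusing: policy grants \"$cap\"" >&2
      return 1
    fi
  done
  return 0
}

# Upload the rendered policy under the given name (the article uses kv-no-delete),
# but only if it passes the check. `vault policy write NAME -` reads the policy
# body from stdin. With VAULT_DRY_RUN=1 (or no vault binary) it just prints.
upload_policy() {
  name=$1
  policy=$(render_kv_no_delete_policy)
  policy_is_safe "$policy" || return 1
  if [ "${VAULT_DRY_RUN:-0}" = "1" ] || ! command -v vault >/dev/null 2>&1; then
    echo "would run: vault policy write $name -"
    return 0
  fi
  printf '%s\n' "$policy" | vault policy write "$name" -
}
```

After uploading, `vault token capabilities secret/data/dev/myteam/myservice` for a token carrying this policy should list create, read, update and list but not delete, which is exactly why the delete attempt later in the article fails.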
Let’s put our first secret inside the key-value storage:
vault kv put secret/dev/myteam/myservice first-value=sup3r
After that we can simply get our secret from the storage:
vault kv get secret/dev/myteam/myservice
Here we go; look at the terminal:
We can simply overwrite the secret with another put operation.
Actually, we can put more than one value in a secret at the same time (nothing unusual):
vault kv put secret/dev/myteam/myservice first-value=medium second-value=.com
We can get a specific version of the secret; for this we can simply use this command:
vault kv get -version=2 secret/dev/myteam/myservice
But if we try to delete our secret path we get an error, because it is prohibited by our policy.
But we can delete our secret if we log in with the root token. We can also create secrets from a file. Let’s take a look at the example below. Here is our secret in JSON:
Now we can put this JSON into Vault with the next command:
vault kv put secret/dev/myteam/myotherservice @./config/vault/data/data.json
After that we can simply read it back from Vault.
Thank you for reading this article!
Please follow to get more interesting information!
I hope this article was helpful for you!