HashiCorp Vault | Getting started

Yegor Voronyansky
7 min read · Feb 23, 2022

Hi there! This is the text version of the Vault webinar.

Let’s go!

First of all, we have to download Vault or install it via your favourite package manager. You can download the latest version of Vault from the official website: https://www.vaultproject.io/downloads

Or simply install it via brew:

brew tap hashicorp/tap
brew install hashicorp/tap/vault

After a successful installation, we can check that the vault binary is on the PATH.

We also need Docker for this tutorial; I hope you have already installed it.

In this tutorial we are going to use Consul as the storage backend for Vault. Consul is HashiCorp’s service-discovery and service-mesh tool; the part Vault uses is its key-value store.

brew tap hashicorp/tap
brew install hashicorp/tap/consul

After this, we can check that the installation was successful.

Now we have to clone the repo, which we can do with the following command (the core.autocrlf=input setting keeps the repository’s LF line endings on Windows checkouts, which matters for the scripts and certificates inside it):

git clone https://github.com/spkane/vault-local-dev.git --config core.autocrlf=input
cd vault-local-dev

Let’s take a look at what is inside this repository. The docker-compose.yml file describes two services, vault and consul, and a network between them. The vault service depends on the consul service. One thing to notice is the extra Linux capability granted to the Vault container:

cap_add:
- IPC_LOCK

Vault calls mlock() to keep its in-memory secrets from being swapped to disk, and that system call requires the IPC_LOCK capability. Without it the container would have to run with disable_mlock = true in the Vault configuration, which is not recommended outside of development.

Let’s start the services with the following command:

docker compose up -d

Docker downloads the images and starts the containers. What we get is a freshly started Vault, still uninitialized and sealed, backed by a Consul server. Congrats!
Now we should set two environment variables so that the vault binary talks to the Vault running inside the container:

export VAULT_ADDR='https://127.0.0.1:8080'
export VAULT_CACERT="${PWD}/certs/ca.crt"

VAULT_ADDR must use the host port that docker-compose.yml maps to Vault’s listener (8080 in this setup; Vault’s own default is 8200). VAULT_CACERT points the CLI at the repo’s self-signed CA, so that it verifies the container’s TLS certificate instead of being told to skip verification.

We are going to use the binaries we installed as clients for the Vault and Consul servers running inside the containers.

The Consul container does not persist ANY data, because it runs in dev mode: everything lives in memory and disappears when the container stops, which is fine for a tutorial and nothing else. Vault also supports many other storage backends, such as its integrated Raft storage, the file system, PostgreSQL and S3.

After starting Vault we have to initialize it. At init time we decide how many unseal key shares Vault generates and how many of them are needed to unseal it. Vault splits the key protecting its storage encryption key into key-shares pieces with Shamir’s secret sharing; any key-threshold of them reconstruct it, and fewer reveal nothing about it.

vault operator init --key-shares=5 --key-threshold=3

Note: store the unseal keys and the initial root token securely, ideally each share with a different person. They cannot be recovered if they are lost, and anyone holding a threshold of shares can unseal the Vault.

Now we have to unseal Vault, one key share at a time:

vault operator unseal

The terminal prompts for an unseal key (the input is not echoed). After a correct key the command prints the seal status, with the Unseal Progress row counting towards the threshold.

Repeat the unseal with a different share until the status output shows the row Sealed with the value false: Vault has reconstructed its key and can now serve requests.

Now we can log in to Vault:

vault login

Enter the root token and you will see its details (policies, TTL, accessor) together with a note that the token has been stored in the token helper (~/.vault-token by default), so the following commands use it automatically.
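The init, unseal and login steps above as one script, added here as an example (it is not part of the original post or of the vault-local-dev repo). It assumes VAULT_ADDR and VAULT_CACERT are exported as shown earlier, the vault CLI is on PATH and the server is freshly started; the KEY_SHARES/KEY_THRESHOLD names, the helper functions and the RUN_BOOTSTRAP guard are this script’s own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the vault-local-dev repo):
# initialize a fresh Vault with 5 shares / threshold 3, unseal it with three
# of them, verify the seal status and log in with the root token.
# The init output is kept only in a shell variable for this demo; in real
# deployments the shares go to separate custodians and the root token is
# revoked once proper auth is configured.
set -eu

KEY_SHARES=5
KEY_THRESHOLD=3

# "Unseal Key N: <share>" lines of the human-readable init output -> one share per line.
extract_unseal_keys() {
  awk '/^Unseal Key [0-9]+:/ { print $4 }'
}

# "Initial Root Token: <token>" line of the same output -> the token.
extract_root_token() {
  awk -F': *' '/^Initial Root Token:/ { print $2 }'
}

# Read shares from stdin and feed the first KEY_THRESHOLD of them to Vault.
# Each `vault operator unseal` prints the seal status with its progress
# counter; after the threshold-th share the barrier opens.
unseal_with_threshold() {
  local n=0 key
  while [ "$n" -lt "$KEY_THRESHOLD" ] && IFS= read -r key; do
    vault operator unseal "$key" >/dev/null
    n=$((n + 1))
  done
  # `vault status` exits 0 when unsealed, 2 when still sealed, 1 on error,
  # so under `set -e` this line aborts the script if unsealing did not work.
  vault status >/dev/null
}

bootstrap_vault() {
  local init_output root_token
  init_output="$(vault operator init -key-shares="$KEY_SHARES" -key-threshold="$KEY_THRESHOLD")"
  root_token="$(printf '%s\n' "$init_output" | extract_root_token)"

  printf '%s\n' "$init_output" | extract_unseal_keys | unseal_with_threshold
  echo "Vault is unsealed with $KEY_THRESHOLD of $KEY_SHARES shares"

  # `vault login -` reads the token from stdin, keeping it out of `ps` and
  # shell history; the CLI stores it in ~/.vault-token for later commands.
  printf '%s\n' "$root_token" | vault login - >/dev/null
  echo "Logged in with the initial root token"
}

# Only touch a live server when explicitly asked, so the helper functions
# can be sourced (or tested) without a running Vault.
if [ "${RUN_BOOTSTRAP:-0}" = "1" ]; then
  bootstrap_vault
fi
```

Run it with RUN_BOOTSTRAP=1 against the freshly started container. For real automation prefer vault operator init -format=json and a JSON parser over scraping the table output, and never let the shares and the root token end up in the same log or file.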

One of the nice things about Consul as a backend is that backups and restores are single commands:

consul snapshot save backups/vault-consul-backup

The snapshot holds only what Vault wrote to storage, and Vault encrypts everything before it reaches the storage backend, so the file contains ciphertext: without the unseal keys it is useless to anyone who obtains it. Treat it as sensitive anyway, and remember that with Consul in dev mode such a snapshot is the only thing that survives a container restart.

Let’s talk about secrets engines. The two we will use in this tutorial are:

  • the key-value (KV) secrets engine
  • the cubbyhole secrets engine

Many more (databases, PKI, SSH, cloud credentials and so on) are described in the Vault documentation.

Each engine is mounted at its own path and is isolated from the others: an engine can only reach its own slice of the storage.

Okay, now let’s list the secrets engines enabled in our Vault:

vault secrets list

Three of them are built in and cannot be disabled or moved:

  • The cubbyhole secrets engine stores arbitrary secrets in Vault’s storage, scoped to a token rather than to a namespace. Paths under cubbyhole/ are per token: no token can access another token’s cubbyhole, and when the token expires its cubbyhole is destroyed with it.
  • The identity secrets engine is Vault’s identity management solution. It maintains the entities and groups that represent the clients Vault recognizes.
  • The system backend is mounted at sys/ and is used to configure Vault and interact with many of its internal features.

Now let’s enable an audit device on our Vault. An audit device records every request and response (with secret values HMAC’d rather than written in the clear), and it should be on before anything real goes into Vault.

Now let’s start interacting with Vault. First we need a token, which we can create with the following command:

vault token create -use-limit=2 -renewable=false -display-name=uselimit

The first three words need no explanation, I think, but the flags do:

-use-limit=N: how many requests this token may make; Vault revokes it on the Nth use
-renewable=false|true: whether the token’s TTL can be extended with a renew call
-display-name=NAME: a human-readable name, shown as token-NAME in lookups and audit logs

Let’s store a secret with the new token:

VAULT_TOKEN="s.AFXfi8zrkI8VR78tm6ow7LTp" vault write cubbyhole/oursecret password=12345

Now let’s read the secret back:

vault read cubbyhole/oursecret

Oh no! We get an error. The read went out under the token the CLI currently holds (the root token from vault login), not the use-limited one, and cubbyhole is scoped per token, so root’s cubbyhole/oursecret is empty. Prefix the command with the VAULT_TOKEN variable as in the write above and the read succeeds.

If we read one more time with the same token we get a different error: the token has been revoked, because we reached its limit. Remember the -use-limit=2 flag? The write and the successful read were its two uses.

Let’s try one more token operation: a time-limited token.

vault token create -explicit-max-ttl=2m -renewable=false -display-name=timelimit

After two minutes the token expires and any request made with it is refused as an invalid token; because it is not renewable, nothing can extend its life.
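The use-limit walk-through above as a script, added as an example that is not part of the original post. It creates a use-limited token, watches num_uses count down with vault token lookup between steps, shows the empty read under the root token, and confirms that the third request is refused. It assumes VAULT_ADDR/VAULT_CACERT are exported and the CLI is logged in as root; the cubbyhole/oursecret path and password=12345 are the tutorial’s, while the "limited" display name, the helper names and the RUN_TOKEN_DEMO guard are this script’s own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a use-limited token through its
# two uses against cubbyhole/, with the remaining uses checked in between.
set -eu

# Pull one field out of the two-column table `vault token lookup` prints,
# e.g. "2" from the line "num_uses            2".
lookup_field() {
  awk -v f="$1" '$1 == f { print $2 }'
}

# Uses left on the token given in $1. The lookup is authenticated with the
# root token the CLI holds, so it does not spend one of the limited token's
# uses; once the token is revoked the lookup fails, which we report as 0.
uses_left() {
  local out
  out="$(vault token lookup "$1" 2>/dev/null)" || { echo 0; return 0; }
  printf '%s\n' "$out" | lookup_field num_uses
}

demo_use_limit() {
  local tok
  tok="$(vault token create -use-limit=2 -renewable=false -display-name=limited -field=token)"
  echo "uses left after create: $(uses_left "$tok")"

  # Use 1: write into this token's own cubbyhole.
  VAULT_TOKEN="$tok" vault write cubbyhole/oursecret password=12345 >/dev/null
  echo "uses left after write: $(uses_left "$tok")"

  # Reading as root finds nothing: cubbyhole is scoped to the token that wrote it.
  vault read cubbyhole/oursecret >/dev/null 2>&1 || echo "root's cubbyhole/oursecret is empty, as expected"

  # Use 2: read it back with the right token; this last use revokes the token.
  VAULT_TOKEN="$tok" vault read cubbyhole/oursecret
  echo "uses left after read: $(uses_left "$tok")"

  if VAULT_TOKEN="$tok" vault read cubbyhole/oursecret >/dev/null 2>&1; then
    echo "unexpected: the token is still usable" >&2
    return 1
  fi
  echo "third request refused: the use-limited token was revoked on its last use"
}

if [ "${RUN_TOKEN_DEMO:-0}" = "1" ]; then
  demo_use_limit
fi
```

Run it with RUN_TOKEN_DEMO=1. Because the token is gone after its last use, the secret in its cubbyhole is gone too; that is exactly what makes cubbyhole plus a use limit a good way to hand a one-shot secret to another process.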

Now let’s enable the key-value (KV) secrets engine. The rest of the tutorial uses KV version 2 mounted at secret/, which keeps a version history of each secret; that is also why the policy paths below contain a data/ segment.

Policies

Let’s talk about policies. By default two exist, default and root. We can list them with the following command:

vault policy list

Now let’s read one of them:

vault policy read default

The root policy cannot be read: it is not stored as a policy document, it simply grants everything, which is why the root token should be used for setup only.

Let’s create a new policy from the file config/vault/policies/mypolicy-kv.hcl in the repo. You can view its content with cat or in an editor.

To upload the policy to Vault, use the following command:

vault policy write kv-no-delete config/vault/policies/mypolicy-kv.hcl

Now we can create a token attached to this policy:

vault token create -policy=kv-no-delete -display-name=myuser

Next, log in to Vault with the created token.

Under this token we don’t have access to paths like

secret/data/dev

but we do on the prefix the policy actually covers. vault token capabilities shows what the current token may do on a given API path:

vault token capabilities secret/data/dev/myteam

Note the data/ segment: on a KV v2 mount the secret data is served at secret/data/<path>, and that is the path policies and capability checks refer to.

Let’s put our first secret into the key-value store:

vault kv put secret/dev/myteam/myservice first-value=sup3r

(vault kv takes the logical path; the CLI adds the data/ segment for us.)

After that we can simply read it back:

vault kv get secret/dev/myteam/myservice

The terminal shows the metadata (version 1, creation time) followed by the data.

Writing to the same path again with put overwrites the secret, creating version 2; KV v2 keeps the earlier versions. We can of course put more than one key at a time (nothing unusual):

vault kv put secret/dev/myteam/myservice first-value=medium second-value=.com

To read a specific version, pass it to get:

vault kv get -version=2 secret/dev/myteam/myservice

But if we try to delete the secret path we get an error, because our policy does not grant the delete capability.

We can delete it after logging in with the root token again. We can also create secrets from a file. Here is our example secret in JSON, from the repo at config/vault/data/data.json; every top-level key of the file becomes a key of the secret.

Now we can put this JSON into Vault with the following command:

vault kv put secret/dev/myteam/myotherservice @./config/vault/data/data.json

After that we can read it back from Vault in the same way.
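The policy section above, as an added example that is not part of the original post. The repo’s mypolicy-kv.hcl is not shown on the page, so the policy below is this script’s own guess at one with the same effect: it allows create/read/update and listing under secret/dev/myteam but grants no delete capability anywhere, which is why vault kv delete is refused. It also makes the KV v2 path mapping explicit, since that is where such policies usually go wrong. It assumes VAULT_ADDR/VAULT_CACERT are exported, the CLI is logged in as root and KV v2 is (or will be) mounted at secret/; the function names and the RUN_POLICY_DEMO guard are this script’s own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a no-delete KV v2 policy and
# the path mapping behind `vault kv`.
set -eu

# KV v2 hides the real API path behind `vault kv`: data lives under
# <mount>/data/<path>, versions and listing under <mount>/metadata/<path>,
# and soft-delete/undelete/destroy have their own prefixes. Policies must
# name these API paths, not the logical path the CLI takes.
kv2_api_path() {
  local mount="${1%/}" kind="$2" rel="${3#/}"
  case "$kind" in
    data|metadata|delete|undelete|destroy) ;;
    *) echo "unknown KV v2 path kind: $kind" >&2; return 1 ;;
  esac
  printf '%s/%s/%s\n' "$mount" "$kind" "$rel"
}

# Write an HCL policy that lets a token create/read/update secrets under the
# given prefix and list them, with no delete capability anywhere:
# - no "delete" on data/      -> `vault kv delete` is refused
# - no "delete" on metadata/  -> `vault kv metadata delete` is refused
# - nothing on delete/, undelete/, destroy/ -> version-level operations refused
write_kv_no_delete_policy() {
  local file="$1" mount="${2%/}" prefix="${3#/}"
  cat >"$file" <<EOF
# Added example policy: read/write but never delete under ${mount}/${prefix}
path "${mount}/data/${prefix}/*" {
  capabilities = ["create", "read", "update"]
}
path "${mount}/metadata/${prefix}/*" {
  capabilities = ["read", "list"]
}
EOF
}

demo_policy() {
  local policy_file tok
  policy_file="$(mktemp)"
  write_kv_no_delete_policy "$policy_file" secret dev/myteam

  # Mount KV v2 at secret/ unless the tutorial setup already did.
  vault secrets list | grep -q '^secret/' || vault secrets enable -path=secret -version=2 kv
  vault policy write kv-no-delete "$policy_file"
  tok="$(vault token create -policy=kv-no-delete -display-name=myuser -field=token)"

  VAULT_TOKEN="$tok" vault kv put secret/dev/myteam/myservice first-value=sup3r >/dev/null
  echo "capabilities on $(kv2_api_path secret data dev/myteam/myservice):"
  VAULT_TOKEN="$tok" vault token capabilities "$(kv2_api_path secret data dev/myteam/myservice)"
  echo "capabilities on secret/data/dev (outside the prefix):"
  VAULT_TOKEN="$tok" vault token capabilities secret/data/dev

  if VAULT_TOKEN="$tok" vault kv delete secret/dev/myteam/myservice >/dev/null 2>&1; then
    echo "unexpected: delete succeeded" >&2; return 1
  fi
  echo "delete refused, as the policy intends"
  rm -f "$policy_file"
}

if [ "${RUN_POLICY_DEMO:-0}" = "1" ]; then
  demo_policy
fi
```

Run it with RUN_POLICY_DEMO=1. The trailing /* in the policy paths means the prefix itself (secret/data/dev/myteam without a trailing segment) is not covered, so a capability check on exactly that path reports deny even though paths below it are allowed; check the path you actually read and write.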

Thank you for reading this article!
Please follow for more content like this!
I hope this article was helpful for you!

Yegor Voronyansky

I am a Software Engineer, JVM enthusiast, cat - lover, part-time surfer.