Vault installation using Docker:
sudo apt-get update # Update the apt package index
sudo apt-get install apt-transport-https ca-certificates curl software-properties-common # Install packages to allow apt to use a repository over HTTPS
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - # Add Docker’s official GPG key
sudo apt-get update # update the app index
sudo apt-get install docker-ce
vi -p path_to_vault/vault/config/local.json
{
“ui”:true,
“listener”: [{
“tcp”: {
“address”: “0.0.0.0:8200”,
“tls_disable” : 1
}
}],
“storage” :{
“file” : {
“path” : “/vault/data”
}
},
“max_lease_ttl”: “10h”,
“default_lease_ttl”: “10h”
}
# Run vault for development
sudo docker run –cap-add=IPC_LOCK -e ‘VAULT_DEV_ROOT_TOKEN_ID=myroot’ -e ‘VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:1234’ vault
# Run vault in server mode
sudo docker run -d -v path_to_vault/vault:/vault –cap-add IPC_LOCK -p 0.0.0.0:8200:8200 vault server
# Run vault without bind mount - Passing docker config via environment variable
sudo docker run -d –cap-add IPC_LOCK -p 0.0.0.0:8200:8200 -e ‘VAULT_LOCAL_CONFIG={ “ui”:true, “listener”: [{ “tcp”: { “address”: “0.0.0.0:8200”, “tls_disable” : 1 } }], “storage” :{ “file” : { “path” : “/vault/data” } }, “max_lease_ttl”: “10h”, “default_lease_ttl”: “10h” }’ vault server
ref: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
sudo docker exec -it containerid sh
export VAULT_ADDR=’http://127.0.0.1:8200’
vault init
vault status
# Unseal vault with any three of the five tokens generated
vault unseal unsealed_token
vault unseal unsealed_token
vault unseal unsealed_token
# Login to vault
vault login root-auth-token
vault auth list
vault policy list
vault secrets list
#Enable audit logs - Access Detection
vault audit enable file file_path=/vault/vault_audit.log
# Seal vault if system is compromised - Break Glass Procedure
vault seal
# Secrets Engine
vault write secret/mysql_database_credentials username=user1 password=userpasssword888
vault read secret/mysql_database_credentials
vault read -format=json secret/mysql_database_credentials
vault kv put secret/hello foo=world1
vault kv get secret/hello
vault kv delete secret/hello
# Writing data
vault kv put secret/password value=itsasecret
# STDIN
# JSON Object
echo -n ‘{“value”:”itsasecret”}’ | vault kv put secret/password -
# Read value directly from STDIN
echo -n “itsasecret” | vault kv put secret/password value=-
# Files
vault kv put secret/password @data.json
vault kv put secret/password value=@data.txt
# Reading Data
vault kv get secret/password
# Get specific version
vault kv get -version=2 secret/password
# Move secrets to a new path
vault secrets move secret/ hello/
# Create new secret path
vault secrets enable -path=newkv kv
# Operation on the new secret path
vault kv put newkv/my-secret my-value=s3cr3t
vault kv get newkv/my-secret
vault kv list newkv/
vault kv delete newkv/my-secret
vault secrets disable newkv
# List the paths under secret
vault kv list secret
# More use cases
vault kv put secret/my-secret my-value=s3cr3t
vault kv get secret/my-secret
vault kv get -version=1 secret/my-secret
vault kv delete secret/my-secret
vault kv undelete -versions=2 secret/my-secret
# Cubbyhole Secrets Engine
vault write cubbyhole/my-secret my-value=s3cr3t
vault read cubbyhole/my-secret
# Token Creation
vault token create
# Can set max usage and time limit in seconds
vault token create –use-limit=10 –ttl=30
# Transit Secrets Engine
vault secrets enable transit
# Create a named key
vault write -f transit/keys/my-key
# Pass the secret to be encrypted to transit with the named key end point
echo -n “my secret data” | base64 | vault write transit/encrypt/my-key plaintext=-
# To decrypt the ciphertext with the named key end point
vault write transit/decrypt/my-key ciphertext=vault:v1:W4nyf2UmzhxnhPy0b8pAPDEemp3mxviAbKJx8mC3RiGrKWVEHbHH2wPS | echo “bXkgc2VjcmV0IGRhdGE=” | base64 -d
vault secrets enable -path=aws aws
vault write aws/config/root \
access_key=AKIAI4SGLQPBX6CSENIQ \
secret_key=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
vault write aws/roles/my-role policy=-«EOF
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Sid”: “Stmt1426528957000”,
“Effect”: “Allow”,
“Action”: [
“ec2:”
],
“Resource”: [
“”
]
}
]
}
EOF
vault read aws/creds/my-role
vault lease revoke aws/creds/my-role/0bce0782-32aa-25ec-f61d-c026ff22106
sudo docker run –name mypostgres1 -e POSTGRES_PASSWORD=mysecretpassword -d -p 0.0.0.0:5432:5432 postgres
psql -h localhost -p 5432 -U postgres -W
create database mydb
vault secrets enable database
vault write database/config/mydb \
plugin_name=postgresql-database-plugin \
allowed_roles=”readonly” \
connection_url=”postgresql://postgres:mysecretpassword@172.27.14.125:5432/mydb?sslmode=disable”
vault write database/roles/readonly db_name=mydb creation_statements=”CREATE ROLE \”\” WITH LOGIN PASSWORD ‘’ VALID UNTIL ‘’; GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \”\”; GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO \”\”;” \
default_ttl=1h max_ttl=24h
vault read database/creds/readonly
psql -h localhost -p 5432 -U temprole -d mydb -W
vault write secret/foo username=user1
curl \
-H “X-Vault-Token: 55wNSYUTJDQoezXZzj8tgzch” \
-X GET \
http://127.0.0.1:8200/v1/secret/foo
Vault HA and scalability
-> Vault supports multiple database backends like mysql, postgres, s3, etc. (For more info: https://www.vaultproject.io/docs/configuration/storage/index.html)
-> To increase the scalability of Vault with Consul, you should generally scale Consul instead of Vault
Enterprise vault:
Comparison with other vault
You’re one step closer to optimize your IT operations in the cloud.
