HashiCorp Vault
Install the official Vault formula from the terminal.
First add the HashiCorp tap, the repository of HashiCorp's Homebrew packages:
~ % brew tap hashicorp/tap
Updating Homebrew...
==> Auto-updated Homebrew!
Updated 2 taps (homebrew/core and homebrew/cask).
==> New Formulae
python-tk@3.9 rosa-cli
==> Updated Formulae
Updated 68 formulae.
==> Updated Casks
Updated 128 casks.
==> Tapping hashicorp/tap
Cloning into '/usr/local/Homebrew/Library/Taps/hashicorp/homebrew-tap'...
remote: Enumerating objects: 181, done.
remote: Counting objects: 100% (181/181), done.
remote: Compressing objects: 100% (109/109), done.
remote: Total 993 (delta 94), reused 151 (delta 72), pack-reused 812
Receiving objects: 100% (993/993), 195.37 KiB | 1.48 MiB/s, done.
Resolving deltas: 100% (514/514), done.
Tapped 1 cask and 8 formulae (45 files, 286.0KB).
Now, install Vault with hashicorp/tap/vault.
~ % brew install hashicorp/tap/vault
==> Installing vault from hashicorp/tap
==> Downloading https://releases.hashicorp.com/vault/1.7.0/vault_1.7.0_darwin_am
######################################################################## 100.0%
==> Caveats
To have launchd start hashicorp/tap/vault now and restart at login:
brew services start hashicorp/tap/vault
Or, if you don't want/need a background service you can just run:
vault server -dev
==> Summary
🍺 /usr/local/Cellar/vault/1.7.0: 4 files, 188.7MB, built in 10 seconds
To update to the latest, run
~ % brew upgrade hashicorp/tap/vault
Warning: hashicorp/tap/vault 1.7.0 already installed
Verifying the Installation
Open a new terminal session and check that the vault binary is on your PATH by running vault with no arguments:
~ % vault
Usage: vault <command> [args]
Common commands:
read Read data and retrieves secrets
write Write data, configuration, and secrets
delete Delete secrets and configuration
list List data or secrets
login Authenticate locally
agent Start a Vault agent
server Start a Vault server
status Print seal and HA status
unwrap Unwrap a wrapped secret
Other commands:
audit Interact with audit devices
auth Interact with auth methods
debug Runs the debug command
kv Interact with Vault's Key-Value storage
lease Interact with leases
monitor Stream log messages from a Vault server
namespace Interact with namespaces
operator Perform operator-specific tasks
path-help Retrieve API help for paths
plugin Interact with Vault plugins and catalog
policy Interact with policies
print Prints runtime configurations
secrets Interact with secrets engines
ssh Initiate an SSH session
token
Run the Vault Dev Server
Vault operates as a client/server application. The Vault server is the only piece of the Vault architecture that interacts with the data storage and backends. All operations done via the Vault CLI are requests to the server's HTTP API; in a real deployment that connection is protected with TLS, but the dev server used here disables TLS and listens on plain HTTP on localhost.
You will start and interact with the Vault server running in development mode.
Starting the Dev Server
First, start a Vault dev server. The dev server is a built-in, pre-configured server that is convenient for trying Vault locally but not secure: it keeps all data in memory, listens without TLS, and starts already unsealed with a single unseal key and a root token.
To start the Vault dev server, run:
~ % vault server -dev
==> Vault server configuration:
Api Address: http://127.0.0.1:8200
Cgo: disabled
Cluster Address: https://127.0.0.1:8201
Go Version: go1.15.10
Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: info
Mlock: supported: false, enabled: false
Recovery Mode: false
Storage: inmem
Version: Vault v1.7.0
Version Sha: 4e222b85c40a810b74400ee3c54449479e32bb9f
==> Vault server started! Log data will stream in below:
2021-03-27T17:32:18.578+0530 [INFO] proxy environment: http_proxy= https_proxy= no_proxy=
2021-03-27T17:32:18.579+0530 [WARN] no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
2021-03-27T17:32:18.581+0530 [INFO] core: security barrier not initialized
2021-03-27T17:32:18.582+0530 [INFO] core: security barrier initialized: stored=1 shares=1 threshold=1
2021-03-27T17:32:18.583+0530 [INFO] core: post-unseal setup starting
2021-03-27T17:32:18.594+0530 [INFO] core: loaded wrapping token key
2021-03-27T17:32:18.594+0530 [INFO] core: successfully setup plugin catalog: plugin-directory=
2021-03-27T17:32:18.594+0530 [INFO] core: no mounts; adding default mount table
2021-03-27T17:32:18.597+0530 [INFO] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2021-03-27T17:32:18.598+0530 [INFO] core: successfully mounted backend: type=system path=sys/
2021-03-27T17:32:18.602+0530 [INFO] core: successfully mounted backend: type=identity path=identity/
2021-03-27T17:32:18.604+0530 [INFO] core: successfully enabled credential
< truncated ... >
2021-03-27T17:32:18.627+0530 [INFO] secrets.kv.kv_130f10df: upgrading keys finished
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.
You may need to set the following environment variable:
$ export VAULT_ADDR='http://127.0.0.1:8200'
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Development mode should NOT be used in production installations!
Verify the vault Server is Running
Run the vault status command.
~ % vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.7.0
Storage Type inmem
Cluster Name vault-cluster-43d1efcb
Cluster ID 7b7da705-446a-a3ac-2007-799a19158d4f
HA Enabled false
Examples:
Writing a Secret
Let's write a secret to the Key/Value v2 secrets engine that the dev server mounts at secret/. Use the vault kv put <path> <key>=<value> command:
~ % vault kv put secret/hello foo=world
Key Value
--- -----
created_time 2021-03-27T12:15:20.309852Z
deletion_time n/a
destroyed false
version 1
This writes the pair foo=world to the path secret/hello. You'll learn paths in more detail later, but for now it is important that the path is prefixed with secret/: in the dev server that prefix is where the KV secrets engine is mounted, so arbitrary secrets can be read and written there, and a write to a prefix with nothing mounted fails.
You can also write several key/value pairs in one command:
~ % vault kv put secret/hello foo=world excited=yes
Key Value
--- -----
created_time 2021-03-27T12:15:56.75499Z
deletion_time n/a
destroyed false
version 2
Notice that the version is now 2. Each vault kv put creates a new version containing exactly the pairs given on that command line; it does not merge with the existing data, so a put that omits a key drops that key from the new version. Earlier versions are retained and can still be read by passing -version to vault kv get.
Getting a Secret
As you might expect, secrets can be retrieved with vault kv get <path>
~ % vault kv get secret/hello
====== Metadata ======
Key Value
--- -----
created_time 2021-03-27T12:15:56.75499Z
deletion_time n/a
destroyed false
version 2
===== Data =====
Key Value
--- -----
excited yes
foo world
For scripts you rarely want the table above. The -field flag prints just one value, for example the excited secret (for the whole response as JSON, e.g. to pipe through jq, use -format=json instead):
~ % vault kv get -field=excited secret/hello
yes
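The commands above hide what actually crosses the wire. The following is an added example, not code from this page or from HashiCorp: it talks to no server, but builds the request bodies the CLI sends for a KV v2 mount and parses the JSON that vault kv get -format=json returns, including a soft-deleted version, which the text above does not cover. The sample responses are constructed to match the values shown on this page; the envelope fields Vault also returns (request_id and so on) are omitted.

```python
"""KV v2 under the hood: what vault kv put / vault kv get send and receive.

Added example (not code from this page or from HashiCorp). It talks to no
server: it builds the request bodies the CLI sends for a KV v2 mount and
parses the JSON that `vault kv get -format=json` returns, including the
case of a soft-deleted version.
"""
import json
from typing import Optional, Tuple


def kv2_data_path(mount: str, path: str) -> str:
    """`vault kv put secret/hello` does not write to secret/hello: on a KV v2
    mount the data lives under <mount>/data/<path>, so the API call goes to
    secret/data/hello. Policies must grant access to that path."""
    return f"{mount.strip('/')}/data/{path.strip('/')}"


def kv2_metadata_path(mount: str, path: str) -> str:
    """Version history, delete and destroy operations use <mount>/metadata/<path>."""
    return f"{mount.strip('/')}/metadata/{path.strip('/')}"


def kv2_put_body(data: dict, cas: Optional[int] = None) -> dict:
    """Request body for a KV v2 write. The whole map replaces the previous
    version's data (no merging). With cas set to the version you last read,
    Vault rejects the write if another client has written since, instead of
    silently stacking a new version on top of their change."""
    body = {"data": dict(data)}
    if cas is not None:
        body["options"] = {"cas": cas}
    return body


def parse_kv2_get(response_json: str) -> Tuple[Optional[dict], int, bool, bool]:
    """Parse `vault kv get -format=json` output (same shape as GET <mount>/data/<path>).

    Returns (data, version, deleted, destroyed). The outer "data" is the API
    envelope; the inner "data" holds the key/value pairs and "metadata" the
    version info. For a version that was soft-deleted or destroyed the inner
    data is null and metadata.deletion_time or metadata.destroyed says why,
    so callers must not treat "no keys" as "empty secret".
    """
    doc = json.loads(response_json)
    payload = doc["data"]
    meta = payload["metadata"]
    data = payload.get("data")
    deleted = bool(meta.get("deletion_time"))
    destroyed = bool(meta.get("destroyed", False))
    return data, int(meta["version"]), deleted, destroyed


def get_field(response_json: str, field: str) -> str:
    """What `vault kv get -field=<name>` does: one value or a clear failure."""
    data, version, deleted, destroyed = parse_kv2_get(response_json)
    if data is None:
        state = "destroyed" if destroyed else ("deleted" if deleted else "missing")
        raise LookupError(f"version {version} has no data (state: {state})")
    if field not in data:
        raise LookupError(f"field {field!r} not present in version {version}")
    return data[field]


# Constructed sample responses in the shape the CLI prints with -format=json
# (envelope fields such as request_id omitted; values follow the page above).
LIVE_RESPONSE = json.dumps({
    "data": {
        "data": {"excited": "yes", "foo": "world"},
        "metadata": {
            "created_time": "2021-03-27T12:15:56.75499Z",
            "deletion_time": "",
            "destroyed": False,
            "version": 2,
        },
    }
})

DELETED_RESPONSE = json.dumps({
    "data": {
        "data": None,
        "metadata": {
            "created_time": "2021-03-27T12:15:56.75499Z",
            "deletion_time": "2021-03-27T12:20:00.000000Z",
            "destroyed": False,
            "version": 2,
        },
    }
})


if __name__ == "__main__":
    print(kv2_data_path("secret", "hello"))                    # secret/data/hello
    print(kv2_put_body({"foo": "world", "excited": "yes"}, cas=1))
    print(get_field(LIVE_RESPONSE, "excited"))                  # yes
    try:
        get_field(DELETED_RESPONSE, "excited")
    except LookupError as err:
        print("deleted version:", err)
```

The cas option is the piece worth remembering: without it, two scripts that read version 1, change one key each and write back will produce versions 2 and 3, and the second silently discards the first's change.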
HashiCorp Dynamic Secrets Notes
Enable the AWS secrets engine
Unlike the kv secrets engine, which the dev server enables by default, the AWS secrets engine must be enabled before use. In real deployments this step is usually done by a configuration management system.
$ vault secrets enable -path=aws aws
The AWS secrets engine is now enabled at aws/. Different secrets engines allow for different behavior. In this case, the AWS secrets engine generates dynamic, on-demand AWS access credentials.
Configure the AWS secrets engine
After enabling the AWS secrets engine, you must configure it to authenticate and communicate with AWS. This requires privileged AWS credentials: the keys must have enough IAM permission to create and delete the credentials Vault will hand out (for example IAM users and their access keys). Use a dedicated IAM user with only those permissions rather than the account's root user keys, and keep in mind that the exported secret key below is expanded onto the vault command line, where other local users can see it with ps.
Set an AWS_ACCESS_KEY_ID environment variable to hold your AWS access key ID.
$ export AWS_ACCESS_KEY_ID=<aws_access_key_id>
Set an AWS_SECRET_ACCESS_KEY environment variable to hold your AWS secret access key.
$ export AWS_SECRET_ACCESS_KEY=<aws_secret_key>
Configure the AWS secrets engine.
$ vault write aws/config/root \
access_key=$AWS_ACCESS_KEY_ID \
secret_key=$AWS_SECRET_ACCESS_KEY \
region=us-east-1
Success! Data written to: aws/config/root
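The two CLI steps above are a mount and a write against Vault's HTTP API. The following is an added example, not code from this page or from HashiCorp: it performs the same two steps as API calls, reads the AWS keys only from the environment so they never appear on a command line, and takes a transport function so it can be exercised offline. The urllib transport sends real requests to VAULT_ADDR; RecordingTransport is a constructed stand-in that records what would have been sent. The token lookup (VAULT_TOKEN, then the ~/.vault-token file) mirrors the CLI's default behaviour; the addr, mount and region defaults match the page.

```python
"""Enable and configure the AWS secrets engine through Vault's HTTP API.

Added example (not code from this page or from HashiCorp). It performs the
CLI steps `vault secrets enable -path=aws aws` and
`vault write aws/config/root ...` as the API calls the CLI makes, taking the
AWS keys only from the environment. `transport` is an injection point: the
default uses urllib against VAULT_ADDR; RecordingTransport is a constructed
stand-in for offline use.
"""
import json
import os
import urllib.request
from pathlib import Path
from typing import Callable, Mapping, Optional

# (method, url, headers, json body or None) -> decoded JSON response (or {})
Transport = Callable[[str, str, dict, Optional[dict]], dict]


def urllib_transport(method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    # Both calls below answer 204 No Content on success (the CLI then prints "Success!").
    return json.loads(raw) if raw else {}


class RecordingTransport:
    """Constructed stand-in: records every request and returns an empty body."""

    def __init__(self) -> None:
        self.calls = []

    def __call__(self, method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
        self.calls.append((method, url, dict(headers), body))
        return {}


def default_token() -> Optional[str]:
    """Same lookup order as the CLI: VAULT_TOKEN, then the ~/.vault-token file
    that `vault login` (and the dev server) writes."""
    token = os.environ.get("VAULT_TOKEN")
    if token:
        return token
    token_file = Path.home() / ".vault-token"
    return token_file.read_text().strip() if token_file.exists() else None


class VaultClient:
    def __init__(self, addr: Optional[str] = None, token: Optional[str] = None,
                 transport: Transport = urllib_transport) -> None:
        self.addr = (addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")).rstrip("/")
        self.token = token or default_token()
        if not self.token:
            raise RuntimeError("no Vault token: set VAULT_TOKEN or run `vault login`")
        self.transport = transport

    def write(self, path: str, body: dict) -> dict:
        """`vault write <path> k=v` is a POST of a JSON object to /v1/<path>."""
        headers = {"X-Vault-Token": self.token, "Content-Type": "application/json"}
        return self.transport("POST", f"{self.addr}/v1/{path.strip('/')}", headers, body)

    def enable_aws_engine(self, mount: str = "aws") -> dict:
        """`vault secrets enable -path=aws aws` == POST sys/mounts/aws {"type": "aws"}."""
        return self.write(f"sys/mounts/{mount}", {"type": "aws"})

    def configure_aws_root(self, mount: str = "aws", region: str = "us-east-1",
                           env: Mapping[str, str] = os.environ) -> dict:
        """`vault write aws/config/root access_key=... secret_key=... region=...`.
        The keys come from the environment, never from arguments, so a wrapper
        script cannot leak them through argv or shell history."""
        missing = [k for k in ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY") if not env.get(k)]
        if missing:
            raise RuntimeError("not set: " + ", ".join(missing))
        body = {"access_key": env["AWS_ACCESS_KEY_ID"],
                "secret_key": env["AWS_SECRET_ACCESS_KEY"],
                "region": region}
        return self.write(f"{mount}/config/root", body)


if __name__ == "__main__":
    client = VaultClient()          # uses VAULT_ADDR / VAULT_TOKEN like the CLI
    client.enable_aws_engine()
    client.configure_aws_root()
    print("AWS secrets engine enabled at aws/ and root credentials configured")
```

Run it against the dev server with VAULT_ADDR, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY exported; the token is picked up from the file the dev server wrote. Swapping in RecordingTransport lets a deployment script be unit-tested for the exact paths and bodies it sends without a Vault or AWS account in reach.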