HashiCorp Vault
Install and configure a self-managed HashiCorp Vault server for development and testing purposes.
Last Updated: 26 May 2022 • Page Author: Jillur Quddus
Overview
HashiCorp Vault is used to secure, store and control access to tokens, passwords, certificates, API keys and other secrets. This page provides instructions on how to install and configure a self-managed instance of HashiCorp Vault server for development and testing purposes only (i.e. non-production).
This page provides instructions on how to install and configure a self-managed instance of HashiCorp Vault server for development and testing purposes only. To configure a secure production-ready instance of HashiCorp Vault, please refer to the HashiCorp Vault documentation.
The instructions below are for Ubuntu 20.04. Installation instructions for other Linux distributions including Fedora, RHEL and Amazon Linux may be found at https://www.vaultproject.io/docs/install.
Installation
Please run the commands below via your command line to install the self-managed open-source version of HashiCorp Vault.
Configuration
Integrated Storage
By default HashiCorp Vault will use system memory to manage secrets. In order to deploy Vault using integrated disk-based storage so that secrets are retained between Vault server restarts, we shall create a Vault configuration file and define the absolute path in which to store Vault data. We shall also define the hostname and port on which Vault server will listen for requests. Please create the following configuration file in a location of your choosing, and update the storage
and listener
configuration namespaces relevant to your environment, in addition to the api_addr
and cluster_addr
properties respectively.
Starting Vault Server
Start the Server
To start Vault server using our custom configuration in config.hcl
, please run the following command via the command line:
Initialisation
We must initialise Vault before we can start using it. Initialisation only needs to be performed once for every new backend that has never been used with Vault before. We can initialise Vault either via the command line or via HTTP.
To initialise Vault via the command line, please run the following commands:
To initialise Vault via HTTP, please run the following commands via your command line, which is dependent on the curl
and jq
packages respectively.
Unsealing
Vault server starts in a sealed state which requires unsealing - a process by which Vault can decrypt the data stored in the backend. To unseal Vault, you must supply a certain number of unseal keys, where the number is defined by the key threshold (normally three - please see the output immediately after running the vault operator init
command). To supply one unseal key via the command line, please run the following command:
To supply one unseal key via HTTP, please run the following command:
Run the unseal command above (either via the CLI or HTTP) the required number of times to unseal the Vault. Once unsealed successfully, the Sealed
property in the output will change to false
.
KV Secrets Engine v2
POB expects the KV Secrets Engine Version 2 to be enabled. The KV secrets engine is used to store arbitrary secrets as key/value pairs. To enable the KV Secrets Engine Version 2 via the command line, please run the following command:
To enable the KV Secrets Engine Version 2 via HTTP, please run the following command:
Access Policies
We shall define a new custom access policy (called pob-policy
in our case, but you may name it anything you wish) to enable POB to create, read and update secrets at a custom path (in our case secret/data/pob/*
), as follows:
We shall then attach this newly created policy to a newly generated token (as follows). This token can then be used by POB (configured in the Spring bootstrap context) as part of token-based Vault authentication.
Managing Secrets
Environment Variables
To read and write secrets stored in our custom path, ensure that the VAULT_TOKEN
environment variable is set with the token that we attached our custom access policy to (see above). Also ensure that the VAULT_ADDR
environment variable is set with the Vault listener address. To persist these environment variables across environment restarts, you may wish to define them in your ~/.profile
file (or equivalent).
Writing Secrets
To write your very first secret to a custom path, such as secret/pob/development
(note that /data
is automatically inserted into the path i.e. secret/data/pob/development
), please run the following command via the command line:
Note that the PUT
verb is used to write the very first secret, as it overwrites all other secrets at that path. To add further secrets to the same path, please use the PATCH
verb as follows:
Reading Secrets
To read secrets from a custom path, such as secret/pob/development
, please use the GET
verb as follows:
To read a specific secret stored in a custom path given its key, please use the GET
verb along with the -field
property as follows:
Updating Secrets
To update a secret in a custom path, simply use the PATCH
verb using the same key, as follows:
Deleting Secrets
To delete secrets stored in custom path, please use the DELETE
verb as follows:
POB Context
To configure POB to load externalised variables defined in application.yml from HashiCorp Vault, please configure the spring.cloud.vault namespace in bootstrap.yml, as follows:
enabled
Whether to enable externalised configuration from HashiCorp Vault.
true
host
HashiCorp Vault hostname. The host name will be used for SSL certificate validation if required.
localhost
port
HashiCorp Vault port.
8200
scheme
Whether to use http or https.
http
authentication
Authentication mechanism to authorise client requests.
TOKEN
token
If using token-based authentication, then the static token to use. Note that the token should be set as an environmental variable and NOT stored as plaintext in bootstrap.yml. As described above, please use a token that has a policy attached to it that enables POB to read and write secrets at the required custom path.
${VAULT_TOKEN}
kv.enabled
Whether to enable the Key-Value secrets backend, supporting storage of arbitrary values as key-value store.
true
kv.backend
The path of the secret mount to use.
secret
kv.default-context
The context name used by all applications.
pob/development
For further information regarding configuring Spring Cloud Vault with secret backends, please visit https://cloud.spring.io/spring-cloud-vault/multi/multi_vault.config.backends.html.
Last updated