Getting Started with Vault



Like a kid with a shiny new toy, I have been waltzing around with Hashicorp’s Vault for a few weeks now. Vault is without a doubt one of Hashicorp’s most complicated and sophisticated tools yet. This post starts with an introduction to Vault and then goes on to explain two of Hashicorp’s recommended authentication backends.

Pre-Vault Ways of Storing Credentials:

  1. Storing in source code repositories
  2. Storing in text files (Blimey!)
  3. Distributing different credentials to different people, which makes it hard to track what a given user holds and to revoke all of it when he or she leaves the organisation

Enter Vault…

Vault is a single place to store all of your secrets, across all of your environments, for all of your users. It also makes auditing access to your secrets easier, and if a secret is exposed, you can revoke it from a single point. Using Vault, you can also create dynamic, time-limited credentials (which can hopefully be covered in a different post).

Installing Vault

To bootstrap Vault:
Step 1: Begin by downloading and then unzipping the binary from:
Step 2: Create the Vault configuration file:

Step 3: Add Vault to the PATH and start Vault.
NOTE: Vault starts as a foreground process.
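The three installation steps above, carried through as an added example that is not part of the original post: a script that writes a minimal Vault server configuration (file storage backend, loopback listener), checks it before starting, and then runs the server in the foreground. The file paths, the listener address and the storage directory are assumptions; the `VAULT_DEMO_RUN` guard is only there so the helper functions can be sourced without starting a server.

```shell
#!/bin/sh
# Added example (not from the original post): write a minimal Vault server
# configuration, sanity-check it, and start the server in the foreground.
# Paths, the listener address and the storage directory are assumptions.

VAULT_CONF="${VAULT_CONF:-/tmp/vault-demo/vault.hcl}"
VAULT_DATA="${VAULT_DATA:-/tmp/vault-demo/data}"

# Writes an HCL config using the "file" storage backend. TLS is disabled only
# because the listener is bound to loopback; a non-loopback listener must
# terminate TLS (tls_cert_file / tls_key_file) instead.
write_vault_config() {
  conf="$1"; data="$2"; addr="${3:-127.0.0.1:8200}"
  mkdir -p "$(dirname "$conf")" "$data"
  cat > "$conf" <<EOF
storage "file" {
  path = "$data"
}

listener "tcp" {
  address     = "$addr"
  tls_disable = 1
}

api_addr = "http://$addr"
ui       = true
EOF
}

# Returns 0 when the config is acceptable: either TLS is enabled, or the
# listener is bound to loopback so plaintext never leaves the host.
check_vault_config() {
  conf="$1"
  if grep -Eq 'tls_disable[[:space:]]*=[[:space:]]*(1|true|"true")' "$conf"; then
    grep -Eq 'address[[:space:]]*=[[:space:]]*"(127\.0\.0\.1|localhost|\[::1\]):' "$conf"
    return $?
  fi
  return 0
}

# Vault runs as a foreground process, as the post notes; exec hands the
# terminal over to it.
start_vault() {
  conf="$1"
  export VAULT_ADDR="http://127.0.0.1:8200"
  exec vault server -config="$conf"
}

if [ "${VAULT_DEMO_RUN:-0}" = "1" ]; then
  write_vault_config "$VAULT_CONF" "$VAULT_DATA"
  check_vault_config "$VAULT_CONF" || {
    echo "refusing to start: plaintext listener on a non-loopback address" >&2
    exit 1
  }
  start_vault "$VAULT_CONF"
fi
```

Run it with `VAULT_DEMO_RUN=1 sh vault-bootstrap.sh` once the `vault` binary is on the PATH. The check is deliberately conservative: it only tolerates `tls_disable = 1` when the listener cannot be reached from another host.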

Initialising and Unsealing Vault

To start using Vault, you need to first initialise it and then unseal it. Initialisation generates the master key, splits it into key shares, and issues a root token. The master key is typically split into multiple shares and distributed among several people so that no one person holds the whole master key. Keys are split using Shamir’s Secret Sharing Algorithm.

When initialising Vault, you specify the total number of key shares and the number of shares (the key threshold) required to unseal the vault. Unsealing supplies enough shares for Vault to reconstruct the master key, decrypt its stored data, and start serving clients.

Initialise Vault with:

Vault initialized with 5 keys and a key threshold of 2. Please
securely distribute the above keys. When the vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.

Vault does not store the master key. Without at least 3 keys,
your vault will remain permanently sealed.

Now that Vault is unsealed, you just need to log in to start using it!
NOTE: Using a root token to authenticate the user is not best practice, but this is a post to get started, so….

Successfully authenticated! You are now logged in.

Console UI showing the unsealed status of Vault
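The initialise, unseal and log-in sequence above as an added example, not code from the original post. It uses the current CLI spelling (`vault operator init`, `vault operator unseal`) rather than the older `vault init` the post's output comes from; the 5-share / 3-threshold split, `VAULT_ADDR` and the key file name are assumptions. Only the threshold number of shares is fed to the server, which is all an operator holding their own shares would ever have on one host.

```shell
#!/bin/sh
# Added example (not from the original post): initialise Vault with 5 key
# shares and a threshold of 3, unseal with exactly 3 shares, and log in.
# VAULT_ADDR and the share/threshold numbers are assumptions.

export VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"

# Extract "Unseal Key N: <value>" lines from the text output of
# `vault operator init`, one key per line.
extract_unseal_keys() {
  sed -n 's/^Unseal Key [0-9][0-9]*: *//p'
}

# Extract the initial root token from the same output.
extract_root_token() {
  sed -n 's/^Initial Root Token: *//p'
}

# Feed the first $2 keys from file $1 to `vault operator unseal`, then show
# the seal status. Only the threshold number of shares should be present
# on this host; the remaining shares belong to other key holders.
unseal_with_threshold() {
  keyfile="$1"; threshold="$2"
  head -n "$threshold" "$keyfile" | while IFS= read -r key; do
    vault operator unseal "$key" >/dev/null
  done
  vault status
}

if [ "${VAULT_DEMO_RUN:-0}" = "1" ]; then
  init_out="$(vault operator init -key-shares=5 -key-threshold=3)"
  umask 077                                   # key file readable by owner only
  printf '%s\n' "$init_out" | extract_unseal_keys > unseal-keys.txt
  root_token="$(printf '%s\n' "$init_out" | extract_root_token)"
  unseal_with_threshold unseal-keys.txt 3
  vault login "$root_token"
  # Bootstrap with the root token, then revoke it once real auth methods and
  # policies exist; a long-lived root token is the risk the post notes.
  # vault token revoke "$root_token"
fi
```

In practice the five shares are handed to five different people straight from the init output and the combined file never exists; the parsing helpers are here so the unseal loop can be exercised against captured output.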

Secrets Management Using Vault

Vault authenticates clients only with tokens. Each token carries one or more policies that determine which paths it can reach and which operations it may perform there; policies are rules matched against request paths. This path matching is one of the major concepts behind Vault’s authentication process.

Now, based on the needs of your organisation and application, you can either issue these tokens manually or use one of Hashicorp’s recommended authentication backends. Below are two of them: token-based authentication and the AWS backend.

Token-based Authentication

You can create new tokens using:

Note: If a token is revoked, all of its child tokens are revoked along with it, unless the token was explicitly created as an orphan token, using:
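Token creation from the two paragraphs above, as an added example that is not code from the original post: a least-privilege read-only policy is written and checked, a child token and an orphan token are issued against it with a TTL, and both are looked up. The policy name `app-read`, the secret path `secret/app/*`, the one-hour TTL and `VAULT_ADDR` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): write a least-privilege policy,
# create a token bound to it with a TTL, and create an orphan token that
# survives revocation of its parent. Policy name, path and TTL are assumptions.

export VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"

# Write a policy that can only read one application's secrets: no list,
# no write, no access to any other path.
write_readonly_policy() {
  out="$1"; prefix="${2:-secret/app/*}"
  cat > "$out" <<EOF
path "$prefix" {
  capabilities = ["read"]
}
EOF
}

# Returns 0 if the policy grants nothing beyond "read" on its paths.
policy_is_readonly() {
  ! grep -Eq '"(create|update|delete|sudo|root|list)"' "$1"
}

if [ "${VAULT_DEMO_RUN:-0}" = "1" ]; then
  write_readonly_policy app-read.hcl
  policy_is_readonly app-read.hcl || exit 1
  vault policy write app-read app-read.hcl

  # Child token: revoked automatically when the token that created it is revoked.
  child="$(vault token create -policy=app-read -ttl=1h -field=token)"
  vault token lookup "$child"

  # Orphan token: has no parent, so revoking the creator does not take it down.
  orphan="$(vault token create -policy=app-read -ttl=1h -orphan -field=token)"
  vault token lookup "$orphan"
fi
```

The lookup output shows `policies`, `ttl` and `orphan` for each token, which is the quickest way to confirm that a token really is limited to the policy and lifetime you intended.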

AWS Backend

Vault allows for the dynamic creation of AWS IAM credentials with specific lease periods so that the application can either revoke a credential after use, or Vault will automatically delete the IAM credential after the lease expires.
Step 1: Mount the AWS backend:

Step 2: Create an IAM policy:

Step 3: Create a Vault AWS role based on the IAM policy created in Step 2. (The example below also shows how to keep these credentials time-limited by attaching a lease to the role.)

Step 4: Store the AWS credentials that Vault itself uses. This can be done either via the IAM auth method or by registering the keys as shown below:
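The four AWS steps above carried through as one added example, not code from the original post. It uses the current CLI spelling (`vault secrets enable aws` rather than the older `vault mount aws`); the role name `s3-read`, the bucket name, the region, the inline IAM policy and the lease values are assumptions. Vault's own AWS credentials are taken from the environment so they never land in a file.

```shell
#!/bin/sh
# Added example (not from the original post): enable the AWS secrets engine,
# register the credentials Vault uses to mint IAM users, define a role with an
# inline IAM policy and a short lease, then issue and revoke one credential.
# Role name, region, bucket, policy contents and lease values are assumptions.

export VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"

# Inline IAM policy for the Vault role: read-only access to a single bucket.
write_iam_policy() {
  out="$1"; bucket="${2:-example-bucket}"
  cat > "$out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::$bucket", "arn:aws:s3:::$bucket/*"]
  }]
}
EOF
}

# Returns 0 unless the policy contains a bare "*" action or resource.
iam_policy_is_scoped() {
  ! grep -Eq '"\*"' "$1"
}

if [ "${VAULT_DEMO_RUN:-0}" = "1" ]; then
  # Step 1: mount the backend.
  vault secrets enable aws

  # Step 4 (done first so the mount is usable): credentials Vault uses to
  # create IAM users. Read from the environment, never from a file in git.
  vault write aws/config/root \
    access_key="$AWS_ACCESS_KEY_ID" \
    secret_key="$AWS_SECRET_ACCESS_KEY" \
    region="us-east-1"

  # Default lease of 1h and a hard cap of 24h for everything this mount issues.
  vault write aws/config/lease lease=1h lease_max=24h

  # Steps 2 and 3: write the IAM policy, check it, and bind it to a Vault role.
  write_iam_policy s3-read.json
  iam_policy_is_scoped s3-read.json || exit 1
  vault write aws/roles/s3-read \
    credential_type=iam_user \
    policy_document=@s3-read.json

  # Mint a credential, then revoke its lease as soon as the job is finished
  # instead of waiting for the lease to expire.
  lease_id="$(vault read -field=lease_id aws/creds/s3-read)"
  vault lease revoke "$lease_id"
fi
```

Each `vault read aws/creds/s3-read` creates a fresh IAM user; the lease is what guarantees it disappears again, so `aws/config/lease` is the setting to review first when auditing such a mount.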

Here are a few helper scripts to get you started:
