Getting Started with Vault
How I configured vault, and the things I learned along the way
Attach An Elastic IP
First, you'll want to create and associate an Elastic IP address to the Vault server. You'll utilize this IP address to interact with the vault server as well as the GUI.
Create an A record in Route 53 pointing your new domain name at the Elastic IP; in my case it was vault.projectreclass.org.
Install Vault
There are many conflicting guides for this, largely because older ones walk you through downloading and unpacking the zip file; that is no longer necessary. Simply follow the official installation guide for your OS/distribution.
Vault's package installs cleanly as long as you have a working network connection; there is no need to complicate it further than this.
Configure Vault
A default configuration is created for you at /etc/vault.d/vault.hcl.
I like to start by copying this into a config.hcl:
sudo cp /etc/vault.d/vault.hcl /etc/vault.d/config.hcl
Next, update config.hcl to contain the following:
# Full configuration options can be found at https://www.vaultproject.io/docs/configuration
ui = true # Enables the web interface
# Memory locking is controlled only by disable_mlock; there is no "mlock = true" option
disable_mlock = true
storage "s3" { # Preferred backend is S3
  bucket = "projectreclass-vault" # Bucket must already exist; this is its name
  region = "us-east-2" # Preferred region for production
}
#storage "consul" {
#  address = "127.0.0.1:8500"
#  path = "vault"
#}
# HTTP listener
#listener "tcp" {
#  address = "127.0.0.1:8200"
#  tls_disable = 1
#}
# HTTPS listener
listener "tcp" { # Always utilize HTTPS
  address = "0.0.0.0:8200" # Listens on any IP on the default Vault port 8200
  tls_cert_file = "/etc/letsencrypt/live/vault.projectreclass.org/fullchain.pem" # We'll get into how to create these certs later
  tls_key_file = "/etc/letsencrypt/live/vault.projectreclass.org/privkey.pem"
}
# Example AWS KMS auto unseal
seal "awskms" { # Unseals Vault on start-up
  region = "us-east-2" # Our preferred production region
  kms_key_id = "${YOUR_KMS_KEY_ID_GOES_HERE}"
}
# Example HSM auto unseal
#seal "pkcs11" {
#  lib = "/usr/vault/lib/libCryptoki2_64.so"
#  slot = "0"
#  pin = "AAAA-BBBB-CCCC-DDDD"
#  key_label = "vault-hsm-key"
#  hmac_key_label = "vault-hsm-hmac-key"
#}
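The storage and seal stanzas above only work if the EC2 instance is allowed to read and write the bucket and to use the KMS key, and the post does not cover that IAM side. The following is an added example, not code from the original post or from HashiCorp: a small Python generator for the least-privilege instance-role policy (the action sets are the ones Vault's S3 backend and awskms seal documentation list), plus a check that flags wildcard grants before the document is attached to the role. The account id and KMS key id are constructed placeholders; the bucket name and region are the ones used in the config above.

```python
"""Least-privilege IAM policy for a Vault EC2 instance role that uses the S3
storage backend and awskms auto-unseal.  Added example; not part of the original
post.  Account id and KMS key id below are constructed placeholders."""
import json
from typing import Dict, List, Set

# Actions Vault's S3 storage backend needs on the bucket's objects.
S3_OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
# Actions the awskms seal needs on the unseal key.
KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"]


def vault_instance_policy(bucket: str, region: str, account_id: str, kms_key_id: str) -> Dict:
    """Build an IAM policy document scoped to exactly one bucket and one KMS key."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    key_arn = f"arn:aws:kms:{region}:{account_id}:key/{kms_key_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Object-level access is granted on the bucket's contents only...
            {"Sid": "VaultS3Objects", "Effect": "Allow",
             "Action": S3_OBJECT_ACTIONS, "Resource": f"{bucket_arn}/*"},
            # ...while ListBucket is a bucket-level action that takes the bare bucket ARN.
            {"Sid": "VaultS3List", "Effect": "Allow",
             "Action": ["s3:ListBucket"], "Resource": bucket_arn},
            # The seal only ever touches this one key: no kms:* and no key creation.
            {"Sid": "VaultAutoUnseal", "Effect": "Allow",
             "Action": KMS_ACTIONS, "Resource": key_arn},
        ],
    }


def _as_list(value) -> List[str]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy: Dict, resource_arn: str) -> Set[str]:
    """Actions that Allow statements grant on exactly this resource ARN."""
    granted: Set[str] = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Allow" and resource_arn in _as_list(st.get("Resource", [])):
            granted.update(_as_list(st.get("Action", [])))
    return granted


def overly_broad(policy: Dict) -> List[str]:
    """Sids (or indexes) of Allow statements that use a wildcard action or resource."""
    flagged = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            flagged.append(st.get("Sid", f"statement[{i}]"))
    return flagged


if __name__ == "__main__":
    policy = vault_instance_policy(
        bucket="projectreclass-vault",                      # bucket from the config above
        region="us-east-2",
        account_id="123456789012",                          # constructed placeholder
        kms_key_id="1234abcd-12ab-34cd-56ef-1234567890ab",  # constructed placeholder
    )
    assert overly_broad(policy) == []
    # Attach the printed document to the instance role, e.g. with `aws iam put-role-policy`.
    print(json.dumps(policy, indent=2))
```

The two S3 statements are deliberately separate: object actions need the `/*` resource and `s3:ListBucket` needs the bucket ARN itself, and a single statement that grants both on `arn:aws:s3:::bucket*` is the usual way people end up with a broader grant than intended.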
Create A Let's Encrypt Certificate
We need a certificate to enable SSL/TLS: all Vault communication should happen over HTTPS, not HTTP, and this is how we accomplish that. To start you'll need the certbot CLI tool. The following is for an Ubuntu image; follow the official guide to install certbot for your distribution.
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
Next we'll create the actual certificate. certbot's standalone mode answers the Let's Encrypt challenge with its own temporary web server on port 80, so inbound port 80 must be open in the security group while this command runs:
sudo certbot certonly --standalone -d vault.example.com
And that's it; the certificate and key you'll need will be in the following locations:
Cert: /etc/letsencrypt/live/vault.example.com/fullchain.pem
PrivKey: /etc/letsencrypt/live/vault.example.com/privkey.pem
As you can see, these are the same locations configured in the config.hcl file (with your own domain in place of vault.example.com). Let's Encrypt certificates are valid for 90 days; after certbot renews them, Vault needs a reload (SIGHUP) to pick up the new files, which is what the ExecReload line in the service file below sends.
Make Vault A Service
Before we start and initialize Vault, we'll do some future planning by making it a service.
To do so, create a file named vault.service in /etc/systemd/system/ with the following configuration:
[Unit]
# Comments in unit files must sit on their own line; systemd does not strip
# trailing "# ..." text from a value and would read it as part of the value.
Description=vault service
# Requires a network connection
Requires=network-online.target
After=network-online.target
# Requires the config.hcl file in /etc/vault.d/
ConditionFileNotEmpty=/etc/vault.d/config.hcl
[Service]
EnvironmentFile=-/etc/sysconfig/vault
Environment=GOMAXPROCS=2
Restart=on-failure
# Actual vault command executed; ExecStart wants an absolute path
ExecStart=/usr/bin/vault server -config=/etc/vault.d/config.hcl
# StandardOutput/StandardError need a target type, a bare path is rejected
# (append: needs systemd 240 or newer; use file: on older releases)
StandardOutput=append:/var/log/vault-output.log
StandardError=append:/var/log/vault-error.log
LimitMEMLOCK=infinity
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM
[Install]
WantedBy=multi-user.target
After this file is created, enable and start the service:
sudo systemctl enable vault.service
sudo systemctl start vault.service
# To check if the service is running properly
sudo systemctl status vault.service
At this point Vault is likely sealed (Vault's term for the state in which it cannot decrypt its own storage). To unseal it you'll need to enter 3 of the 5 keys it generates; this is Vault's default key share and threshold. To obtain these keys run:
vault operator init
There are two main ways to enter the keys to unseal Vault. The first is via the GUI, which you should be able to reach by visiting the public IP address of the host machine on port 8200 (e.g. https://127.0.0.1:8200).
Once Vault is unsealed it should come up unsealed every time you start it with this configuration and the S3 backend; this holds even when new Vault servers are created, as long as they point at the same backend.
You can log in with the root token generated by vault operator init. You should now be able to create, manage, and use secrets.
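The post describes the GUI as the first way to enter the keys; the other is the CLI or the HTTP API the CLI wraps. The following is an added example, not code from the original post or from HashiCorp: a post-deploy checker in Python that, for the certificate section and the unseal section together, verifies the certificate served on port 8200 covers the host name and is not near expiry, summarises /v1/sys/seal-status, and unseals a Shamir-sealed server over the API with the keys printed by vault operator init. VAULT_HOST and the sample responses are constructed; with the awskms seal from the config active, init prints recovery keys instead and the server unseals itself, so only the check part applies there.

```python
"""Post-deploy checks for the Vault server configured above (added example, not
from the original post): confirm the certificate served on :8200 covers the host
name and is not near expiry, read /v1/sys/seal-status, and, for a Shamir-sealed
server, unseal over the HTTP API with the keys from `vault operator init`.
VAULT_HOST and the sample responses used in testing are constructed."""
import json
import socket
import ssl
import time
import urllib.request
from typing import Dict, List, Optional

VAULT_HOST = "vault.example.com"          # constructed; use your own A record
VAULT_ADDR = f"https://{VAULT_HOST}:8200"


def fetch_peer_cert(host: str, port: int = 8200) -> Dict:
    """TLS handshake with full chain verification; returns the leaf cert as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_covers_host(peercert: Dict, host: str) -> bool:
    """True if a DNS subjectAltName matches host exactly or as a one-label wildcard."""
    host = host.lower()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host:
            return True
        # "*.example.com" covers "vault.example.com" but not "a.vault.example.com"
        if (value.startswith("*.") and host.endswith(value[1:])
                and host.count(".") == value.count(".")):
            return True
    return False


def expiry_epoch(peercert: Dict) -> int:
    """notAfter ('Jun  1 12:00:00 2030 GMT') as seconds since the epoch."""
    return ssl.cert_time_to_seconds(peercert["notAfter"])


def days_until_expiry(peercert: Dict, now: Optional[float] = None) -> float:
    """Days left on the certificate; Let's Encrypt certs last 90 days, so alert early."""
    now = time.time() if now is None else now
    return (expiry_epoch(peercert) - now) / 86400


def seal_state(status: Dict) -> str:
    """Summarise a /v1/sys/seal-status body in one line."""
    if not status.get("initialized", False):
        return "uninitialized"          # run `vault operator init` first
    if not status.get("sealed", True):
        return "unsealed"
    return f"sealed ({status.get('progress', 0)}/{status.get('t', '?')} keys provided)"


def api(path: str, body: Optional[Dict] = None, method: str = "GET") -> Dict:
    """Minimal Vault HTTP API call; urllib verifies the Let's Encrypt chain for us."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def unseal(keys: List[str]) -> Dict:
    """Submit unseal keys one at a time until the threshold is reached.
    Only applies to the Shamir seal; with the awskms seal, init prints recovery
    keys instead and the server unseals itself at start-up."""
    status = api("sys/seal-status")
    for key in keys:
        if not status["sealed"]:
            break
        status = api("sys/unseal", {"key": key}, method="PUT")
    return status


def check(host: str = VAULT_HOST) -> None:
    cert = fetch_peer_cert(host)
    print("certificate covers host:", cert_covers_host(cert, host))
    print("days until expiry: %.1f" % days_until_expiry(cert))
    print("seal state:", seal_state(api("sys/seal-status")))


if __name__ == "__main__":
    check()
```

Run it against the host name from your A record rather than the raw IP: the Let's Encrypt certificate only covers the DNS name, so a check against https://<ip>:8200 fails the hostname match even when the server is fine. Keys should reach unseal() from the operator at a prompt, not from a file on the server.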