Getting Started with Vault

How I configured vault, and the things I learned along the way

Attach An Elastic IP

First, create an Elastic IP address and associate it with the Vault server. You'll use this IP address to interact with the Vault server, including the GUI.

Create an A record in Route 53 pointing your new domain name at the Elastic IP; in my case it was vault.projectreclass.org.

Install Vault

There are many conflicting solutions for this, especially since most guides are older and prompt you to download the zip file; this is not necessary. Simply follow the official guide for your OS/distribution.

Vault makes installation easy as long as you have a working network connection; there is no need to complicate it further than this.

Configure Vault

A default configuration should be created for you in /etc/vault.d/vault.hcl. I like to start by copying this into a config.hcl:

sudo cp /etc/vault.d/vault.hcl /etc/vault.d/config.hcl

This preserves the original config, which you can use as a reference later.

Next, you'll update the config.hcl to have the following:

config.hcl
# Full configuration options can be found at https://www.vaultproject.io/docs/configuration

ui = true # Enables the web interface

# Keep memory locking on so unsealed key material cannot be swapped to disk.
# This works here because vault.service runs as root with LimitMEMLOCK=infinity.
disable_mlock = false

storage "s3" { # Preferred backend is S3
  bucket = "projectreclass-vault" # Bucket must already exist; this is its name
  region = "us-east-2" # Preferred region for production
}

#storage "consul" {
#  address = "127.0.0.1:8500"
#  path    = "vault"
#}

# HTTP listener (left disabled: tls_disable = 1 would send tokens and secrets in clear text)
#listener "tcp" {
#  address = "127.0.0.1:8200"
#  tls_disable = 1
#}

# HTTPS listener
listener "tcp" { # Always utilize https
  address       = "0.0.0.0:8200" # Listens on any IP on default vault port 8200
  tls_cert_file = "/etc/letsencrypt/live/vault.projectreclass.org/fullchain.pem" # We'll get into how to create these certs later
  tls_key_file  = "/etc/letsencrypt/live/vault.projectreclass.org/privkey.pem"
}

# Example AWS KMS auto unseal
seal "awskms" { # unseals vault on start up
  region = "us-east-2" # Our preferred production region
  kms_key_id = "${YOUR_KMS_KEY_ID_GOES_HERE}" # Replace with your KMS key ID (or set VAULT_AWSKMS_SEAL_KEY_ID instead)
}

# Example HSM auto unseal
#seal "pkcs11" {
#  lib            = "/usr/vault/lib/libCryptoki2_64.so"
#  slot           = "0"
#  pin            = "AAAA-BBBB-CCCC-DDDD"
#  key_label      = "vault-hsm-key"
#  hmac_key_label = "vault-hsm-hmac-key"
#}

The above is the configuration for the server you'll start. Be sure to make the appropriate edits to the region, KMS key ID, and backend.

The Vault server needs access to both the Key Management Service and the S3 backend we've configured. You'll grant this by attaching an IAM role with the appropriate policy to the server.

This guide may be useful if you've never created a role.
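As an added example (not part of the original guide), here is a shell helper that prints a least-privilege policy document for that role. It grants only the S3 actions Vault's s3 storage backend needs, scoped to the one bucket, and only the KMS actions the awskms seal needs, scoped to the one key. The bucket name and key ARN are parameters; the account ID and key ID in the usage line are placeholders.

```shell
# Added example: emit a least-privilege IAM policy for the Vault instance role.
# Not part of Vault or of the original guide. Bucket name and KMS key ARN are
# parameters; the values in the usage line at the bottom are placeholders.
#
# Actions are the ones the Vault docs list for the "s3" storage backend
# (s3:PutObject, s3:GetObject, s3:DeleteObject, s3:ListBucket) and for the
# "awskms" seal (kms:Encrypt, kms:Decrypt, kms:DescribeKey). Nothing else is
# granted, so a compromised Vault host cannot read other buckets or use other keys.
# Note that s3:ListBucket applies to the bucket ARN itself, while the object
# actions apply to the objects under it (bucket ARN followed by /*).
vault_iam_policy() {
  bucket="$1"
  kms_key_arn="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VaultS3Storage",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    },
    {
      "Sid": "VaultS3List",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Sid": "VaultAutoUnseal",
      "Effect": "Allow",
      "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
      "Resource": "${kms_key_arn}"
    }
  ]
}
EOF
}

# Refuse over-broad input: a wildcard in the bucket name or key ARN would turn
# the policy above into "all buckets" or "all keys", and the key must be a KMS ARN.
check_policy_inputs() {
  case "$1" in ''|*'*'*) return 1 ;; esac
  case "$2" in ''|*'*'*) return 1 ;; esac
  case "$2" in arn:aws:kms:*) return 0 ;; *) return 1 ;; esac
}

# Usage (account ID and key ID are placeholders; substitute your own):
#   key=arn:aws:kms:us-east-2:111122223333:key/PLACEHOLDER-KEY-ID
#   check_policy_inputs projectreclass-vault "$key" && \
#     vault_iam_policy projectreclass-vault "$key" > vault-policy.json
```

Attach the resulting document to the instance role as an inline or customer-managed policy; because the resources are pinned to one bucket and one key, the policy has to be regenerated if either is renamed.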

Create A Let's Encrypt Certificate

We need a certificate to enable TLS: all Vault communication should happen over HTTPS, not HTTP, and this is how we accomplish that. To start, you'll need the CLI tool certbot. The following is for an Ubuntu image; follow the official guide to install certbot for your distribution.

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

Next we'll create the actual certificate:

sudo certbot certonly --standalone -d vault.example.com

And that's it. The certificate and private key you'll need will be in the following locations:

Cert: /etc/letsencrypt/live/vault.example.com/fullchain.pem
PrivKey: /etc/letsencrypt/live/vault.example.com/privkey.pem

As you can see, these are the same locations configured in the config.hcl file (with your own domain in place of vault.example.com).

To issue a valid certificate, Let's Encrypt needs certbot to run a temporary web server for the challenge, so you'll need to allow at least port 80 in the server's security group. In my case I enabled ports 80, 443, 8200 and 22 for this configuration and removed ports 80 and 443 post setup. Keep in mind that Let's Encrypt certificates expire after 90 days, so a standalone renewal will need port 80 opened again at renewal time.

Make Vault A Service

Before we start and initialize vault, we'll do some future planning by making it a service.

To do so, create a file named vault.service in /etc/systemd/system/ with the following configuration:

[Unit]
# Name of the service
Description=vault service
# Requires a network connection
Requires=network-online.target
After=network-online.target
# Do not start without the config.hcl file in /etc/vault.d/
ConditionFileNotEmpty=/etc/vault.d/config.hcl

[Service]
EnvironmentFile=-/etc/sysconfig/vault
Environment=GOMAXPROCS=2
Restart=on-failure
# Actual vault command executed. systemd expects an absolute path here;
# the official package installs the binary at /usr/bin/vault.
ExecStart=/usr/bin/vault server -config=/etc/vault.d/config.hcl
# Log to files. "append:" needs systemd 240+ (Ubuntu 20.04 or later);
# on older systems use "file:" or leave the output in the journal.
StandardOutput=append:/var/log/vault-output.log
StandardError=append:/var/log/vault-error.log
LimitMEMLOCK=infinity
# SIGHUP makes Vault reload its configuration and listener TLS certificates
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target

After this file is created, enable and start the service:

sudo systemctl enable vault.service
sudo systemctl start vault.service
# To check if the service is running properly
sudo systemctl status vault.service

If vault.service isn't running, systemctl status should provide more information. If that isn't enough, run vault server -config=/etc/vault.d/config.hcl in a terminal to see the error directly. You can also check the log files set in vault.service.
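Before starting the service, it helps to catch the two mistakes this setup is most prone to: a unit file with trailing "# ..." comments or a non-absolute ExecStart (systemd only honours comments at the start of a line, so the trailing text becomes part of the value), and a certificate that is about to expire or a private key readable by other users. The following pre-flight script is an added example, not part of the original guide or of Vault; the default paths are the ones used above, and it assumes openssl and stat are installed.

```shell
# Added example: pre-flight checks for the Vault host described in this guide.
# Default paths are the guide's; pass others as arguments. Assumes openssl and
# stat are available. Not part of Vault or of the original guide.

# Certificate must stay valid for at least $3 seconds (default 30 days, the
# Let's Encrypt renewal window) and the private key must be mode 600 or 400.
check_tls_files() {
  cert="$1"; key="$2"; warn="${3:-2592000}"
  [ -r "$cert" ] && [ -r "$key" ] || return 1
  # -checkend exits non-zero if the certificate expires within $warn seconds
  openssl x509 -noout -checkend "$warn" -in "$cert" >/dev/null 2>&1 || return 1
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# systemd only honours comments that start at the beginning of a line; a
# trailing "# ..." on a directive becomes part of the value (for ExecStart it
# is passed to vault as extra arguments, for ConditionFileNotEmpty it becomes
# part of the path). ExecStart must also be an absolute path.
check_unit_file() {
  unit="$1"
  [ -r "$unit" ] || return 1
  # any Key=Value line with a '#' after the '=' is an inline comment
  if grep -Eq '^[A-Za-z]+=.*#' "$unit"; then return 1; fi
  grep -Eq '^ExecStart=/' "$unit"
}

# ConditionFileNotEmpty makes systemd skip the start silently if the config is
# missing or empty, so check it explicitly.
check_config() {
  [ -s "$1" ]
}

# Run all checks, report each failure, and return non-zero if any failed.
preflight() {
  cert="${1:-/etc/letsencrypt/live/vault.projectreclass.org/fullchain.pem}"
  key="${2:-/etc/letsencrypt/live/vault.projectreclass.org/privkey.pem}"
  unit="${3:-/etc/systemd/system/vault.service}"
  cfg="${4:-/etc/vault.d/config.hcl}"
  rc=0
  check_tls_files "$cert" "$key" || { echo "FAIL tls: cert/key unreadable, cert expires within 30 days, or key not mode 600"; rc=1; }
  check_unit_file "$unit" || { echo "FAIL unit: inline comment or non-absolute ExecStart in $unit"; rc=1; }
  check_config "$cfg" || { echo "FAIL config: $cfg missing or empty"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: ready to start vault.service"
  return "$rc"
}

# Usage on the host (as root, since the Let's Encrypt private key is root-only):
#   . ./vault-preflight.sh && preflight
```

Run it again after each certificate renewal: the expiry check is what tells you a renewal silently failed (for example because port 80 was closed again), before clients start seeing TLS errors.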

At this point Vault is likely sealed (locked). To unseal it you'll need to enter 3 of the 5 keys it generates; this is Vault's default threshold. To obtain these keys, initialize Vault by running:

vault operator init

This generates all 5 keys as well as a root token. Safeguard these: Vault cannot show you the root token again, and it never stores the 5 key shares, so you'll need them yourself to unseal Vault. With the awskms seal configured above, the key Vault uses to unseal itself is held by the AWS Key Management Service (KMS).

Keep the root token for initial login!

There are two main ways to enter the keys to unseal Vault. The first is via the GUI, which you can reach by visiting the host's public address on port 8200 over HTTPS (e.g. https://vault.projectreclass.org:8200, or https://127.0.0.1:8200 from the host itself). The second is the CLI: run vault operator unseal and enter one key share per invocation until the threshold is reached.

Once Vault has been initialized and unsealed, it should come up unsealed every time you start a server with this S3 backend (the awskms seal handles this on startup); this is true even for newly created Vault servers, as long as they point at the same backend.

You can log in with the root token you generated previously. You should now be able to create, manage, and use secrets.
