How I configured vault, and the things I learned along the way
First, create an Elastic IP address and associate it with the Vault server. You'll use this address to reach both the Vault API and the GUI.
Create an A record in Route 53 pointing your new domain name at the Elastic IP; in my case it was vault.projectreclass.org.
There are many conflicting guides for installing Vault, most of them older and telling you to download and unpack the zip file; this is not necessary. Simply follow the official guide for your OS/distribution.
Vault makes installation easy as long as the server has a working network connection; no need to complicate it further than that.
A default configuration should be created for you at /etc/vault.d/vault.hcl.
I like to start by copying this to config.hcl, which keeps the original config intact as a reference for later.
Next, update config.hcl to have the following:
The above is the configuration for the server you'll start. Be sure to edit the region, KMS key ID, and storage backend to match your environment.
The Vault server needs access to both the Key Management Service key and the S3 backend configured above. Grant this by attaching an IAM role (an instance profile) to the EC2 instance rather than placing static AWS credentials in the config, and keep the policy to what Vault actually needs: kms:Encrypt, kms:Decrypt and kms:DescribeKey on that one key, plus list/get/put/delete on the one S3 bucket.
This guide may be useful if you've never created a role.
We need a certificate to enable TLS: all Vault communication should happen over HTTPS, never plain HTTP, and this is how we accomplish that. To start you'll need the certbot CLI tool. The following is for an Ubuntu image; follow the official guide to install certbot for your distribution.
Next we'll create the actual certificate
sudo certbot certonly --standalone -d vault.example.com
And that's it; the certificate and private key you'll need will be in the following location.
As you can see, these are the same paths referenced in the config.hcl file.
To issue a certificate, Let's Encrypt must be able to reach a web server on the host (certbot's --standalone mode starts a temporary one for you), so the server's security group needs to allow inbound port 80 at least. In my case I enabled ports 80, 443, 8200, and 22 for this configuration and removed ports 80 and 443 post setup.
Keep in mind that Let's Encrypt certificates are valid for 90 days, so port 80 will have to be opened again (or a different challenge type used) whenever certbot renews.
Before we start and initialize Vault, we'll do some planning for the future by running it as a systemd service.
To do so, create a file named vault.service in /etc/systemd/system/.
It should have the following configuration:
After this file is created, enable and start the service.
If vault.service isn't running, systemctl status vault.service should provide more information. If that isn't enough, run vault server -config=/etc/vault.d/config.hcl
in the foreground to see the error directly. In addition, you can check journalctl -u vault.service and the logs configured in the vault.service file.
At this point Vault is running but not yet initialized, so its status reports it as sealed. With Vault's default Shamir seal you would have to enter 3 of the 5 unseal key shares every time the server starts; with the KMS key configured above, Vault wraps its unseal key with KMS and unseals itself. To initialize it and obtain the keys, run:
This generates 5 key shares (with the KMS seal these are recovery keys, used for operations like generating a new root token rather than for unsealing) as well as a root token. Safeguard them: Vault does not store the key shares anywhere, so if they are lost they cannot be recovered. The KMS key, not the S3 bucket, is what protects the unseal key; if the server is initialized but still shows as sealed, the instance role most likely cannot call KMS.
Keep the root token for initial login!
If you do need to unseal by hand (for example when running the Shamir seal instead of KMS), there are two main ways to enter the keys. The first is via the GUI, which you should be able to reach at your domain name on port 8200 (e.g. https://vault.example.com:8200); the second is vault operator unseal on the CLI, run once per key share.
Once Vault has been initialized and unsealed, it will unseal itself every time it starts, because the KMS key in the config wraps the unseal key (auto-unseal). This holds even for new Vault servers as long as they point at the same S3 backend and the same KMS key.
You can log in with the root token you generated previously and should now be able to create, manage, and use secrets. Treat the root token as a bootstrap credential only: use it to configure an auth method and policies, then revoke it with vault token revoke.
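As an added example (this is not code from the original post or from HashiCorp), here is a small shell helper that reads the JSON printed by vault status -format=json and tells an operator what to do next: nothing, enter Shamir key shares, or go check the instance's KMS permissions. The three status documents are constructed samples shaped like the CLI's output; the field names used (type, sealed, t, n, recovery_seal) are the ones the real command prints.

```shell
#!/usr/bin/env bash
# Added example: decide whether a Vault server needs manual unsealing.
# Parses `vault status -format=json` with sed/case only, so it needs nothing
# beyond the Vault CLI on the box (and not even that for the samples below).
set -eu

# "sealed", "unsealed" or "unknown" from the JSON status document.
vault_seal_state() {
  case "$1" in
    *'"sealed": true'*)  echo sealed ;;
    *'"sealed": false'*) echo unsealed ;;
    *)                   echo unknown ;;
  esac
}

# Seal type: "shamir" (manual unseal) or "awskms" (auto-unseal via KMS).
vault_seal_type() {
  printf '%s\n' "$1" | sed -n 's/.*"type": *"\([a-z_]*\)".*/\1/p' | head -n 1
}

# Integer field such as "t" (threshold) or "n" (total key shares).
vault_status_int() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Next action for the operator:
#   none               already unsealed
#   enter-keys T of N  Shamir seal: run `vault operator unseal` T times
#   check-kms          KMS seal but still sealed: IAM role / KMS key problem
#   unknown            output did not look like a Vault status document
unseal_action() {
  local json="$1" state type
  state=$(vault_seal_state "$json")
  type=$(vault_seal_type "$json")
  if [ "$state" = unknown ]; then
    echo unknown
  elif [ "$state" = unsealed ]; then
    echo none
  elif [ "$type" = awskms ]; then
    echo check-kms
  else
    echo "enter-keys $(vault_status_int t "$json") of $(vault_status_int n "$json")"
  fi
}

# Constructed sample documents, shaped like `vault status -format=json`.
SAMPLE_SHAMIR_SEALED='{
  "type": "shamir",
  "initialized": true,
  "sealed": true,
  "t": 3,
  "n": 5,
  "progress": 0,
  "version": "1.15.0"
}'
SAMPLE_AWSKMS_UNSEALED='{
  "type": "awskms",
  "initialized": true,
  "sealed": false,
  "t": 3,
  "n": 5,
  "progress": 0,
  "recovery_seal": true,
  "version": "1.15.0"
}'
SAMPLE_AWSKMS_SEALED='{
  "type": "awskms",
  "initialized": true,
  "sealed": true,
  "t": 3,
  "n": 5,
  "progress": 0,
  "recovery_seal": true,
  "version": "1.15.0"
}'

# Live use when the CLI is present (vault status exits 2 while sealed, hence
# the `|| true`); otherwise show the decision for each constructed sample.
if command -v vault >/dev/null 2>&1; then
  live=$(vault status -format=json 2>/dev/null || true)
  echo "live server: $(unseal_action "$live")"
else
  for s in "$SAMPLE_SHAMIR_SEALED" "$SAMPLE_AWSKMS_UNSEALED" "$SAMPLE_AWSKMS_SEALED"; do
    echo "$(vault_seal_type "$s") / $(vault_seal_state "$s") -> $(unseal_action "$s")"
  done
fi
```

With the KMS seal from the config above, the branch that matters is check-kms: a KMS-sealed server that stays sealed after start almost always means the instance role cannot call kms:Decrypt on the key, so look at the IAM policy before reaching for the recovery keys.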