Introduction
Hashicorp Vault is a secrets management tool that allows organizations store secrets that will be used by users or applications in a safely way. A secret can not only be a password but also an SSL certificate, SSH key, API key, etc.
You can integrate Vault with multiple cloud providers such as AWS, GCP and Azure where all your secrets will be stored in one central place. It has a REST API that makes it possible to easily integrate Vault in your applications regardless of which language or platform you’re using. Available libraries for most popular languages can be found here: https://www.vaultproject.io/api/libraries
During this tutorial we will do the following:
- Create a user and a policy
- Authenticate and enable methods
- Create a secret and read a secret
A Vault server and the Vault command line tool is need for this tutorial. It can be downloaded here: https://www.vaultproject.io/downloads
Get started
To keep it simple, let’s imagine John Doe wants to store the password of his e-mail account in the Vault.
Run the following docker command if you don’t have a Vault server and want to run your own Vault server locally.
$ docker run --cap-add=IPC_LOCK -d --name=dev-vault vault
There are many ways to authenticate to the Vault. We will first authenticate as an admin to create a user in Vault that will have a security policy attached to it.
Initialize these authentication environment variables to be able to use the Vault command line tool
$ export VAULT_TOKEN="s.Ga5jyNq6kNfRMVQk2LY1j9iu" $ export VAULT_ADDR=https://yourvaultserver.com/
First create a policy file named johndoe-policy.hcl that allows John only to access the secret.
path "secret/johndoe " {
capabilities = ["create", "read", "update", "delete", "list"]
}Load the policy
$ vault policy write johndoe johndoe-policy.hcl
Enable the username and password authentication method
$ vault auth enable userpass
Create the user and bind the previously created policy
$ vault write auth/userpass/users/johndoe password=Th@tS53c3t* policies=johndoe
Enable the key-value secret method that will be used later
$ vault secrets enable kv
Now, login as the johndoe user
$ vault login -method=userpass username=johndoe password=Th@tS53c3t*
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run « vault login »
again. Future Vault requests will automatically use this token.
Key Value --- ----- token s.Rmqk4jafb1iCyFMdqRW1YrE4 token_accessor UtDrEShzuJI5wV43xS0j0HpJ token_duration 768h token_renewable true token_policies ["default" "johndoe"] identity_policies [] policies ["default" "johndoe"] token_meta_username johndoe
Once logged in, the token can be used in an API request when using the REST API directly. Now create a secret and read it.
$ vault kv put secret/johndoe email_password=M@ilP@$$W0rd
If a secret would be created in another path, a permission denied error will be given because of the security policy that was applied to the johndoe user.
$ vault kv get secret/johndoe
====== Metadata ====== Key Value --- ----- created_time 2021-04-06T09:22:32.9678209Z deletion_time n/a destroyed false version 1 ========= Data ========= Key Value --- ----- email_password M@ilP@664W0rd
