Getting started with Hashicorp Vault


Hashicorp Vault is a secrets management tool that allows organizations store secrets that will be used by users or applications in a safely way. A secret can not only be a password but also an SSL certificate, SSH key, API key, etc.

You can integrate Vault with multiple cloud providers such as AWS, GCP and Azure where all your secrets will be stored in one central place. It has a REST API that makes it possible to easily integrate Vault in your applications regardless of which language or platform you’re using. Available libraries for most popular languages can be found here: https://www.vaultproject.io/api/libraries

During this tutorial we will do the following:

  • Create a user and a policy
  • Authenticate and enable methods
  • Create a secret and read a secret

A Vault server and the Vault command line tool is need for this tutorial. It can be downloaded here: https://www.vaultproject.io/downloads


Get started

To keep it simple, let’s imagine John Doe wants to store the password of his e-mail account in the Vault.

Run the following docker command if you don’t have a Vault server and want to run your own Vault server locally.

$ docker run --cap-add=IPC_LOCK -d --name=dev-vault vault


There are many ways to authenticate to the Vault. We will first authenticate as an admin to create a user in Vault that will have a security policy attached to it.

Initialize these authentication environment variables to be able to use the Vault command line tool

$ export VAULT_TOKEN="s.Ga5jyNq6kNfRMVQk2LY1j9iu"

$ export VAULT_ADDR=https://yourvaultserver.com/


First create a policy file named johndoe-policy.hcl that allows John only to access the secret.

path "secret/johndoe " {

capabilities = ["create", "read", "update", "delete", "list"]


Load the policy

$ vault policy write johndoe johndoe-policy.hcl

Enable the username and password authentication method

$ vault auth enable userpass

Create the user and bind the previously created policy

$ vault write auth/userpass/users/johndoe password=Th@tS53c3t* policies=johndoe

Enable the key-value secret method that will be used later

$ vault secrets enable kv

Now, login as the johndoe user

$ vault login -method=userpass username=johndoe password=Th@tS53c3t*


Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run « vault login »
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  s.Rmqk4jafb1iCyFMdqRW1YrE4
token_accessor         UtDrEShzuJI5wV43xS0j0HpJ
token_duration         768h
token_renewable        true
token_policies         ["default" "johndoe"]
identity_policies      []
policies               ["default" "johndoe"]
token_meta_username    johndoe


Once logged in, the token can be used in an API request when using the REST API directly. Now create a secret and read it.

$ vault kv put secret/johndoe email_password=M@ilP@$$W0rd

If a secret would be created in another path, a permission denied error will be given because of the security policy that was applied to the johndoe user.

$ vault kv get secret/johndoe
====== Metadata ======
Key              Value
---              -----
created_time     2021-04-06T09:22:32.9678209Z
deletion_time    n/a
destroyed        false
version          1

========= Data =========
Key               Value
---               -----
email_password    M@ilP@664W0rd

You may also be interested in these news...