HashiCorp Vault on AWS


Hey everyone! Today we're going to look at deploying HashiCorp Vault on AWS. Before diving in, let me ask you a question: do you think security matters when you move your infrastructure from on-premises to a dynamic or cloud environment?

Of course it does, and to me it matters a lot, because in a shared environment we cannot be sure who might misuse our resources or get hold of our credentials. This is where a tool from HashiCorp called HashiCorp Vault comes in.

It is used to store, secure and tightly control access to tokens, passwords, certificates and encryption keys, protecting secrets and other sensitive data through a UI, a CLI or an HTTP API.


Installation of Vault on an Ubuntu instance

Pre-requisites:

  • Ubuntu 20.04 LTS with root (or sudo) access to run the commands

  • apt-get or apt utility installed on your server

  • curl, apt-key and apt-add-repository utilities installed on your server


Steps:

  • Add the HashiCorp GPG key using the command below. (apt-key is deprecated on newer Ubuntu releases; HashiCorp's current instructions put the key in a dedicated keyring under /usr/share/keyrings and reference it with signed-by in the source line. Either way, compare the key's fingerprint with the one in HashiCorp's documentation before trusting it.)

curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
  • Add the repository

To download the HashiCorp Vault package, the repository has to be added to the apt sources (/etc/apt/sources.list). This can be done with the apt-add-repository utility; the command below adds the repository entry for your Ubuntu release.

apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
  • Update the server
apt update
  • Install Vault
apt install vault -y
=====================

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  vault
0 upgraded, 1 newly installed, 0 to remove and 28 not upgraded.
Need to get 85.0 MB of archives.
After this operation, 214 MB of additional disk space will be used.
Get:1 https://apt.releases.hashicorp.com focal/main amd64 vault amd64 1.12.3-1 [85.0 MB]
Fetched 85.0 MB in 1s (76.6 MB/s)
Selecting previously unselected package vault.
(Reading database ... 61835 files and directories currently installed.)
Preparing to unpack .../vault_1.12.3-1_amd64.deb ...
Unpacking vault (1.12.3-1) ...
Setting up vault (1.12.3-1) ...
Generating Vault TLS key and self-signed certificate...
Generating a RSA private key
  • Check the vault version
vault --version

root@ip-:/home/ubuntu# vault --version
Vault v1.12.3 (209b3dd99fe8ca320340d08c70cff5f620261f9b), built 2023-02-02T09:07:27Z
  • Check the Vault configuration

Edit the configuration file with vi (install vim if it is missing). The package ships a listener bound to 0.0.0.0:8200, which means every interface on the instance: Vault answers on the private address and, if your security group allows port 8200, on the public one as well. Restrict the security group to the addresses that need access, or bind the listener to the private IP only. The TLS certificate referenced below is self-signed and generated by the package at install time, so clients have to be told to trust /opt/vault/tls/tls.crt (for example through the VAULT_CACERT environment variable). Change the configuration and address as your setup requires.

vi /etc/vault.d/vault.hcl
========================

# Full configuration options can be found at https://www.vaultproject.io/docs/configuration

ui = true

#mlock = true
#disable_mlock = true

storage "file" {
  path = "/opt/vault/data"
}

#storage "consul" {
#  address = "127.0.0.1:8500"
#  path    = "vault"
#}

# HTTP listener
#listener "tcp" {
#  address = "127.0.0.1:8200"
#  tls_disable = 1
#}

# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}

# Enterprise license_path
# This will be required for enterprise as of v1.8
#license_path = "/etc/vault.d/vault.hclic"
  • Start the Vault service
systemctl start vault

The package leaves the unit disabled (see the Loaded line in the status output below), so also run systemctl enable vault if Vault should come back after a reboot. Check the status of the service:

systemctl status vault
====================

root@ip-:/home/ubuntu# systemctl status vault
● vault.service - "HashiCorp Vault - A tool for managing secrets"
     Loaded: loaded (/lib/systemd/system/vault.service; disabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-02-07 02:07:23 UTC; 5s ago
       Docs: https://www.vaultproject.io/docs/
   Main PID: 2527 (vault)
      Tasks: 7 (limit: 1143)
     Memory: 88.2M
     CGroup: /system.slice/vault.service
             └─2527 /usr/bin/vault server -config=/etc/vault.d/vault.hcl
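The installation steps above collected into one script, as an added example that is not part of the original article and not a HashiCorp-provided installer. It stores the signing key in its own keyring and references it with signed-by instead of the deprecated apt-key, and it refuses to continue if the downloaded key does not have the expected fingerprint. The fingerprint is the one HashiCorp publishes in its install documentation at the time of writing (check it against the current docs); the keyring path, the sources file name and the VAULT_INSTALL guard are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): install Vault from the
# HashiCorp apt repository using a dedicated keyring with signed-by instead
# of the deprecated apt-key, and refuse to proceed unless the downloaded key
# has the expected fingerprint.  Assumes Ubuntu with sudo, curl, gpg and
# lsb_release available.
set -eu

KEYRING=/usr/share/keyrings/hashicorp-archive-keyring.gpg     # assumed path
SOURCES=/etc/apt/sources.list.d/hashicorp.list                # assumed name
# Fingerprint from HashiCorp's install docs at the time of writing; verify it.
EXPECTED_FPR=798AEC654E5C15428C8E42EEAA16FCBCA621E701

# Print the apt source line for a release codename and architecture.
vault_apt_source() {
  codename=$1
  arch=${2:-amd64}
  printf 'deb [arch=%s signed-by=%s] https://apt.releases.hashicorp.com %s main\n' \
    "$arch" "$KEYRING" "$codename"
}

# Read gpg --with-colons output on stdin and print the primary key fingerprint
# (the fpr record carries it in field 10; the first one belongs to the primary key).
extract_fpr() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if the given fingerprint (spaces and case ignored) is the expected one.
fingerprint_matches() {
  fpr=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  [ "$fpr" = "$EXPECTED_FPR" ]
}

install_vault() {
  tmp=$(mktemp)
  curl -fsSL https://apt.releases.hashicorp.com/gpg -o "$tmp"
  # Inspect the key without importing it and stop if it is not the one expected.
  fpr=$(gpg --with-colons --with-fingerprint --import-options show-only --import "$tmp" | extract_fpr)
  if ! fingerprint_matches "$fpr"; then
    echo "refusing to trust key with fingerprint $fpr" >&2
    rm -f "$tmp"
    exit 1
  fi
  gpg --dearmor < "$tmp" | sudo tee "$KEYRING" > /dev/null
  rm -f "$tmp"
  vault_apt_source "$(lsb_release -cs)" "$(dpkg --print-architecture)" \
    | sudo tee "$SOURCES" > /dev/null
  sudo apt-get update
  sudo apt-get install -y vault
  vault --version
  # Start now and on every boot; the package leaves the unit disabled.
  sudo systemctl enable --now vault
  systemctl status vault --no-pager
}

# The network and sudo steps run only when explicitly requested:
#   VAULT_INSTALL=1 sh install-vault.sh
if [ "${VAULT_INSTALL:-0}" = 1 ]; then
  install_vault
fi
```

The fingerprint check is the part that matters: piping a key straight into apt-key or a keyring trusts whatever the download returned, while comparing it with a fingerprint you obtained from the documentation ties the trust to HashiCorp rather than to the network path.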

Interacting With Vault

Vault provides several mechanisms for interacting with it:

  • The Vault CLI

  • The Vault UI

  • The Vault API


Some Basic Vault CLI Commands

  • Running vault with no arguments lists the available CLI commands.

    • The list starts with the most common ones.
  • vault version tells you the version of Vault you are running.

  • vault read reads a secret (or any readable path) from Vault.

  • vault write writes a secret to Vault. For the KV engine the vault kv get and vault kv put subcommands are more convenient, because they add the version-specific path segments (such as data/ for KV version 2) for you.

The -h, -help and --help flags can be added to any Vault CLI command to get help. The CLI talks to https://127.0.0.1:8200 by default, but it will reject the package's self-signed certificate unless you set VAULT_CACERT=/opt/vault/tls/tls.crt (and VAULT_ADDR if Vault listens elsewhere).


Vault UI

Open the UI in a browser at:
https://<Your IP addr>:8200/

The browser will warn about the self-signed certificate the package generated; accept it for this test setup (or import /opt/vault/tls/tls.crt into your trust store), and make sure the security group only exposes port 8200 to your own address.

On the first visit Vault asks you to initialize it. Set the total key shares to 5 and the key threshold to 3 and initialize.

Vault shows the initial root token and the 5 key shares exactly once. Copy them all and store them in a safe place, ideally each share with a different person. The key shares are what unseals Vault after every restart; the root token is the first login credential and should be used only for the initial setup.

Enter any 3 of the 5 key shares one at a time to unseal the vault.

After unsealing, sign in using the root token.

Enable a secrets engine

Vault provides multiple secrets engines. Select the one you need and enable it. To start with, enable the KV (key-value) secrets engine. Note which version you pick: version 2 keeps a history of each secret and exposes it under a data/ prefix below the mount path, which matters when you write policies.


Policies:

Policies define what a client may do in Vault. Each policy is a list of paths with the capabilities allowed on them, and anything not explicitly granted is denied.

A policy can be attached in several ways. These are:

  • Token: assign a policy to a token when it is created.

  • Identity: assign a policy to an entity or group through the identity secrets engine.

  • Auth methods: map a policy to the users or roles of an auth method (for example userpass).

A token can carry several policies at once; their rules are combined. When more than one rule matches a path, the rule with the most specific (longest) path applies, and a deny capability always overrides any other capability.

Assign the policy to a specific path:

path "secret/db/mysql" {
  capabilities = ["read"]
}

Assign the policy to multiple paths with one rule. The * glob is only allowed at the end of a path and matches any suffix, so "secret/db/app*" covers all three of these:

  • Path1: secret/db/app1

  • Path2: secret/db/app2/keys

  • Path3: secret/db/app3/configs

path "secret/db/app*" {
  capabilities = ["read", "list"]
}

Deny permissions on a specific path while allowing the rest:

path "secret/*" {
  capabilities = ["list", "read"]
}

path "secret/db/*" {
  capabilities = ["deny"]
}

With this policy everything under secret/ is readable except secret/db/, because deny wins over the broader read rule. You can include other capabilities such as ["create", "read", "update", "patch", "delete", "list"] (and "sudo" for root-protected paths) as your requirements dictate. If you enabled KV version 2, the real API paths are secret/data/<name> and secret/metadata/<name>: secret/* still matches them, but secret/db/* does not, so the deny above would have no effect and must be written as secret/data/db/* (plus secret/metadata/db/* to block listing as well).


Create users and assign them the policies:

You need to enable the userpass auth method to create users with passwords; do this from the Access tab at the top of the UI. Then create the users and attach the policies you created. You can also set a token TTL per user: their session expires after that time and they have to log in again.
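The same work done against the HTTP API instead of the UI, as an added example that is not code from the article or from HashiCorp: it initializes with 5 shares and a threshold of 3, feeds shares until Vault reports unsealed, enables KV version 2, writes a policy in the form the policy section above requires for KV v2, enables userpass, creates a user with a token TTL and logs in as that user. It uses only the Python standard library. Assumptions: Vault is reachable at VAULT_ADDR (default https://127.0.0.1:8200) and VAULT_CACERT points at the package-generated certificate; the policy name app-readonly, the user alice and the secret paths are made up for the illustration. The SealSimulator at the end is a constructed stand-in for the unseal endpoint so the threshold logic can be exercised without a server.

```python
"""Added example (not the article's or HashiCorp's code): a stdlib-only client
for the Vault HTTP API doing what the article does in the UI.  Assumed: Vault at
$VAULT_ADDR (default https://127.0.0.1:8200) and $VAULT_CACERT pointing at the
package-generated /opt/vault/tls/tls.crt; names below are made up."""
import json
import os
import ssl
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "https://127.0.0.1:8200")
VAULT_CACERT = os.environ.get("VAULT_CACERT", "/opt/vault/tls/tls.crt")

# Policy in Vault's HCL (hypothetical name "app-readonly").  KV version 2 puts a
# data/ or metadata/ segment in the API path, so a rule on "secret/db/*" would
# never match; "deny" always wins over any other capability on the same path.
APP_POLICY = """
path "secret/data/db/app*" {
  capabilities = ["read"]
}
path "secret/metadata/db/*" {
  capabilities = ["list"]
}
path "secret/data/db/mysql" {
  capabilities = ["deny"]
}
"""


def http_send(method, path, body=None, token=None):
    """One JSON request; the server certificate is verified against VAULT_CACERT."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(VAULT_ADDR + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    ctx = ssl.create_default_context(cafile=VAULT_CACERT)
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class VaultClient:
    def __init__(self, send=http_send):
        self.send = send   # injectable so the flow can be exercised offline
        self.token = None  # sent as X-Vault-Token on authenticated calls
    def init(self, shares=5, threshold=3):
        out = self.send("PUT", "/v1/sys/init",
                        {"secret_shares": shares, "secret_threshold": threshold})
        return out["keys_base64"], out["root_token"]  # shown once; store offline
    def unseal(self, keys):
        """Submit shares one by one until Vault reports unsealed; return the count used."""
        for used, key in enumerate(keys, 1):
            if not self.send("PUT", "/v1/sys/unseal", {"key": key})["sealed"]:
                return used
        raise RuntimeError("still sealed after %d shares" % len(keys))
    def enable_kv_v2(self, mount="secret"):
        body = {"type": "kv", "options": {"version": "2"}}
        return self.send("POST", "/v1/sys/mounts/" + mount, body, self.token)
    def kv_put(self, mount, path, data):
        return self.send("POST", "/v1/%s/data/%s" % (mount, path), {"data": data}, self.token)
    def write_policy(self, name, hcl):
        return self.send("PUT", "/v1/sys/policies/acl/" + name, {"policy": hcl}, self.token)
    def enable_userpass(self):
        return self.send("POST", "/v1/sys/auth/userpass", {"type": "userpass"}, self.token)
    def create_user(self, name, password, policies, ttl="1h"):
        body = {"password": password, "token_policies": policies, "token_ttl": ttl}
        return self.send("POST", "/v1/auth/userpass/users/" + name, body, self.token)
    def userpass_login(self, name, password):
        out = self.send("POST", "/v1/auth/userpass/login/" + name, {"password": password})
        self.token = out["auth"]["client_token"]
        return self.token


class SealSimulator:
    """Constructed stand-in for the unseal endpoint (not a Vault server): it reports
    sealed=false once `threshold` distinct shares were submitted and records calls."""
    def __init__(self, threshold=3):
        self.threshold, self.seen, self.calls = threshold, set(), []

    def __call__(self, method, path, body=None, token=None):
        self.calls.append((method, path, body, token))
        if path == "/v1/sys/unseal":
            self.seen.add(body["key"])
            return {"sealed": len(self.seen) < self.threshold}
        return {}


if __name__ == "__main__":  # live run against a real server
    v = VaultClient()
    keys, root = v.init(5, 3)
    print("unsealed after", v.unseal(keys), "of", len(keys), "shares")
    v.token = root
    v.enable_kv_v2("secret")
    v.write_policy("app-readonly", APP_POLICY)
    v.enable_userpass()
    v.create_user("alice", "change-me", "app-readonly", ttl="8h")
    v.kv_put("secret", "db/app1", {"username": "app1", "password": "example-only"})
    print(v.userpass_login("alice", "change-me"))  # token carries only app-readonly
```

Run it on the instance with VAULT_ADDR and VAULT_CACERT set. The unseal loop stops after the third share because that is the threshold chosen at init, and the token obtained through userpass_login carries only the app-readonly policy, so using it instead of the root token for day-to-day work is the least-privilege path the policy section describes.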


I hope this article was useful for getting to know how HashiCorp Vault works in a simple way and for getting started with it. There's so much you can do with HashiCorp Vault. I will try to post other articles later if possible. This is based on my own internet research and trying things out practically. Please go through the official documentation for more details.

Official Documentation Ref : https://developer.hashicorp.com/vault/docs

Important Note: If you want to use Vault in a production environment, make the necessary changes to the configuration file (storage backend, listener address, TLS certificate and other required settings) and follow the production hardening guidance published by HashiCorp.
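A hardened variant of the package's /etc/vault.d/vault.hcl that makes the kind of changes the note asks for, as an added example that is not the article's file and not a HashiCorp-provided configuration. The private address 10.0.1.10 and the node_id "vault-1" are assumptions; substitute your instance's values.

```hcl
# Added example, not the article's configuration.  Assumptions: the instance's
# private IP is 10.0.1.10 and this is the first node of a cluster, "vault-1".
ui = true

# Integrated (Raft) storage instead of the single-node "file" backend: it is
# the storage HashiCorp supports for HA and can be backed up with
# `vault operator raft snapshot save`.
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"
}

# Listen on the private address only.  0.0.0.0 binds every interface, so the
# API would also answer on the public IP whenever the security group opens
# port 8200 to it.
listener "tcp" {
  address         = "10.0.1.10:8200"
  cluster_address = "10.0.1.10:8201"
  tls_cert_file   = "/opt/vault/tls/tls.crt"   # replace the package's self-signed
  tls_key_file    = "/opt/vault/tls/tls.key"   # pair with a CA-issued certificate
  tls_min_version = "tls12"
}

# Addresses that clients and other cluster members should use for this node.
api_addr     = "https://10.0.1.10:8200"
cluster_addr = "https://10.0.1.10:8201"

# The integrated storage docs recommend disabling mlock, because the Raft
# backend memory-maps its database.
disable_mlock = true
```

Keep the file storage only for a single throw-away test instance; with Raft the data directory is replicated across nodes, and the listener change means Vault is simply not reachable from the public interface regardless of how the security group is configured.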


"You are not a drop in the Ocean, You are the entire ocean, in a drop."
- Rumi

Aaqib Ahmad
DevOps Engineer

https://www.linkedin.com/in/aaqib-ahmad-872a2613b