Introduction to HashiCorp Vault

HashiCorp Vault is a tool designed for securely accessing secrets, such as API keys, passwords, and certificates. It provides a unified interface to access and manage secrets dynamically.


Basic Vault Commands

1. Starting Vault Server

Before running Vault commands, you need a running Vault server. For local experiments, start one in "dev mode":

vault server -dev

Dev mode keeps everything in memory, starts already initialized and unsealed, listens on plain HTTP at 127.0.0.1:8200 and prints a single unseal key and a root token to the terminal. That makes it useful for quick testing and unacceptable for production. Point the CLI at it by setting the VAULT_ADDR environment variable to http://127.0.0.1:8200 (dev mode prints the exact export line). Steps 2 and 3 (init and unseal) apply only to a real server started from a configuration file; in dev mode continue with step 4.

2. Initialize Vault

Vault initialization generates the root key (formerly called the master key) that protects Vault's storage encryption key, splits it into unseal key shares using Shamir's Secret Sharing (5 shares with a threshold of 3 by default), and creates the initial root token. Recovery keys are only produced when an auto-unseal mechanism (a cloud KMS or an HSM) is configured instead of Shamir shares. Initialization happens once per storage backend, before the first unseal.

vault operator init

This prints the unseal key shares and the initial root token. Vault keeps no copy you can retrieve later, so if this output is lost the stored data is unrecoverable. Hand each share to a different custodian and never keep a threshold of them in one place. The root token is meant for initial setup only: once another auth method and policies are in place, revoke it with vault token revoke and, should a break-glass need arise later, generate a fresh one with vault operator generate-root. The unseal keys are needed every time Vault starts or is sealed.

3. Unseal Vault

After initialization, and again after every restart or explicit vault operator seal, Vault starts sealed: it can reach its storage but cannot decrypt anything until enough shares have been supplied. Unseal it with:

vault operator unseal <unseal_key>

Each invocation submits one share; repeat it with distinct shares until the threshold is reached (3 of 5 unless you changed -key-shares and -key-threshold at init). Between submissions, vault status shows the Sealed and Unseal Progress fields, so custodians can enter their shares from separate sessions instead of handing their keys to one operator.

4. Login to Vault

Once Vault is unsealed, you need to authenticate. The root token is fine for initial setup; day-to-day access should go through an auth method such as userpass, LDAP, or AppRole (see step 10).

vault login <root_token>

The token is cached in ~/.vault-token and reused by later commands. Passing it as an argument leaves it in your shell history; running vault login with no argument prompts for the token without echoing it, and -no-print keeps it out of the command's output. Alternatively export it as VAULT_TOKEN for the current session.
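Steps 2 to 4 as one script, as an added example that is not part of the original post and not HashiCorp's code. It initializes with an explicit 5-share, 3-threshold layout, parses the init output with POSIX awk so the threshold is not hard-coded, submits shares only until vault status reports the server unsealed, and logs in without echoing the root token. It assumes VAULT_ADDR points at a freshly started non-dev server and that the CLI is on PATH; the helper names, the unseal-keys.txt file and the sample init output at the bottom are constructed for this example.

```shell
#!/bin/sh
# Added example: initialise, unseal to threshold and log in with the Vault CLI.
# The helpers and the sample output below are constructed for this example.
set -e

# Print the unseal key shares from `vault operator init` text output, one per line.
unseal_keys_from_init() {
    awk -F': ' '/^Unseal Key [0-9]+:/ { print $2 }'
}

# Print the initial root token from the same output.
root_token_from_init() {
    awk -F': ' '/^Initial Root Token:/ { print $2 }'
}

# Print the threshold Vault reports ("... a key threshold of 3.").
threshold_from_init() {
    awk 'match($0, /key threshold of [0-9]+/) { print substr($0, RSTART + 17, RLENGTH - 17) }'
}

# Submit shares from a file until `vault status` exits 0 (unsealed); it exits 2
# while still sealed and 1 on error. Stops after <threshold> shares regardless.
unseal_to_threshold() {
    keys_file=$1
    threshold=$2
    used=0
    while read -r key; do
        [ "$used" -lt "$threshold" ] || break
        vault operator unseal "$key" >/dev/null
        used=$((used + 1))
        if vault status >/dev/null 2>&1; then
            echo "unsealed after $used of $threshold shares"
            return 0
        fi
    done < "$keys_file"
    echo "still sealed after $used shares" >&2
    return 1
}

bootstrap_vault() {
    umask 077                       # the init output holds every share and the root token
    init_out=$(mktemp)
    vault operator init -key-shares=5 -key-threshold=3 > "$init_out"
    unseal_keys_from_init < "$init_out" > unseal-keys.txt
    threshold=$(threshold_from_init < "$init_out")
    unseal_to_threshold unseal-keys.txt "$threshold"
    # -no-print keeps the token off the terminal; it is still cached in ~/.vault-token.
    vault login -no-print "$(root_token_from_init < "$init_out")"
    rm -f "$init_out"
    echo "shares are in unseal-keys.txt: hand them to separate custodians, then delete the file"
}

# Constructed sample of what `vault operator init` prints, used for offline checks.
sample_init_output() {
    cat <<'EOF'
Unseal Key 1: share-one
Unseal Key 2: share-two
Unseal Key 3: share-three
Unseal Key 4: share-four
Unseal Key 5: share-five

Initial Root Token: hvs.constructed-root-token

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
EOF
}

# Only touch a live server when explicitly asked; otherwise just define the functions.
if [ "${RUN_VAULT_BOOTSTRAP:-0}" = "1" ]; then bootstrap_vault; fi
```

Run it with RUN_VAULT_BOOTSTRAP=1 against a real server. Writing the shares to unseal-keys.txt is a stop-gap for a demo: in a real deployment each share goes to a different custodian, or unsealing is delegated to a KMS via auto-unseal, and no file holding a threshold of shares survives the bootstrap.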

5. Storing Secrets

Vault allows you to store static secrets in the key/value (KV) secrets engine; dev mode mounts a KV version 2 engine at secret/. Here is how to store a key-value secret:

vault kv put secret/my-secret username="admin" password="P@ssw0rd"

Typing the value on the command line leaves it in your shell history and briefly in the process list; for anything real, read it from stdin by giving password=- and piping the value in, or from a file with @file. KV v2 keeps every write as a new version, so a later vault kv put to the same path does not overwrite the old value but adds version 2 alongside it.

6. Retrieving Secrets

To retrieve a secret:

vault kv get secret/my-secret

To only display the value of the secret:

vault kv get -field=password secret/my-secret

7. Listing Secrets

To list the secrets stored in a path:

vault kv list secret/

8. Deleting Secrets

To delete a secret:

vault kv delete secret/my-secret

On KV v2 this is a soft delete of the latest version: the data is hidden but retained, and vault kv undelete with -versions brings it back. vault kv destroy with -versions erases the data of the given versions, and vault kv metadata delete removes every version together with the secret's metadata.

9. Creating a New Policy

Policies define what users and applications can access in Vault; anything not explicitly granted is denied. You write policies in HCL (HashiCorp Configuration Language) against API paths, not CLI paths: a KV v2 mount at secret/ serves secret values at secret/data/<name> and directory listings at secret/metadata/<name>, which is what vault kv get and vault kv list call under the hood.

Here is an example policy named read-secrets.hcl that lets the holder read any secret under secret/ and list which ones exist:

path "secret/data/*" {
  capabilities = ["read"]
}
path "secret/metadata/*" {
  capabilities = ["list"]
}

Granting "list" on secret/data/* would have no effect, because listing never happens on that path. To add the policy to Vault:

vault policy write read-secrets read-secrets.hcl

10. Enabling Authentication Method

To allow users to authenticate using various methods like AppRole or LDAP, you need to enable the appropriate auth method.

For enabling userpass authentication:

vault auth enable userpass

11. Creating a User with Userpass Authentication

To create a user with username and password authentication, attaching the policy from step 9 to the tokens that user receives:

vault write auth/userpass/users/johndoe password="strongpassword" policies="read-secrets"

policies is the older name of the token_policies parameter; both are accepted. The caveat from step 5 applies here too: a password typed on the command line ends up in shell history, so prefer password=- and pipe it in.
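Steps 5 to 11 as one script, added here as an example that is not code from the page or from HashiCorp. It stores a secret without putting the value on the command line, writes a least-privilege KV v2 policy for one prefix, creates a userpass user with that policy, then checks what the user's token can actually do. It assumes VAULT_ADDR and a privileged token are already set up and a KV v2 engine is mounted at secret/; the names app/config, read-secrets and johndoe, and the helpers kv2_read_policy and policy_stanza_count, are chosen for this example.

```shell
#!/bin/sh
# Added example: secret, policy and userpass user, then a capability check.
# Helper names and all secret/user names are placeholders for this example.
set -e

# Print an HCL policy that lets the holder read values under one prefix of a
# KV v2 mount and list what exists there. KV v2 serves values at <mount>/data/...
# and listings at <mount>/metadata/..., so "list" has to go on the metadata path.
kv2_read_policy() {
    mount=$1
    prefix=$2
    cat <<EOF
path "${mount}/data/${prefix}/*" {
  capabilities = ["read"]
}
path "${mount}/metadata/${prefix}/*" {
  capabilities = ["list"]
}
EOF
}

# Count the path stanzas in a policy read from stdin (a cheap sanity check).
policy_stanza_count() {
    grep -c '^path "'
}

setup_user() {
    # A value of "-" is read from stdin, so the secret never appears in argv or history.
    # In real use the value comes from a prompt or another secret store, not a literal.
    printf '%s' 'P@ssw0rd' | vault kv put secret/app/config username=admin password=-

    # "-" as the file name makes `vault policy write` read the policy from stdin.
    kv2_read_policy secret app | vault policy write read-secrets -

    vault auth enable userpass 2>/dev/null || true   # already enabled on a re-run
    printf '%s' 'strongpassword' | vault write auth/userpass/users/johndoe \
        password=- token_policies=read-secrets

    # Log in through the API path instead of the interactive prompt; keep only the token.
    user_token=$(printf '%s' 'strongpassword' | \
        vault write -field=token auth/userpass/login/johndoe password=-)

    # What that token may do on each path: expect read, list and deny respectively.
    for p in secret/data/app/config secret/metadata/app/ secret/data/other/config; do
        printf '%-32s %s\n' "$p" "$(vault token capabilities "$user_token" "$p")"
    done
}

# Only touch a live server when explicitly asked; otherwise just define the functions.
if [ "${RUN_VAULT_SETUP:-0}" = "1" ]; then setup_user; fi
```

Run it with RUN_VAULT_SETUP=1 against a dev server. The capability check at the end is the part worth keeping in any policy change: it asks Vault, for a concrete token and path, what the policy evaluates to, which catches the data/metadata mix-up and typos in path globs before a user reports "permission denied".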

12. Generating Dynamic Secrets

Vault can generate secrets dynamically, such as database credentials: every request gets a fresh username and password, and Vault deletes them when the lease ends. First you enable and configure the database secrets engine with an account that is allowed to create and drop database roles (CREATEROLE on PostgreSQL). Here is an example for PostgreSQL:

vault secrets enable database

vault write database/config/my-postgresql-database \
  plugin_name=postgresql-database-plugin \
  allowed_roles="readonly" \
  connection_url="postgresql://{{username}}:{{password}}@localhost:5432/mydb?sslmode=require" \
  username="vault-admin" \
  password="admin-password"

The {{username}} and {{password}} placeholders are filled from the separate fields, which keeps the password out of the URL and lets Vault rotate it later through the database/rotate-root/my-postgresql-database endpoint, after which no human knows it. Use sslmode=require (or verify-full) rather than disable, otherwise the admin password and every issued credential cross the network in clear.

Then define a role, the template Vault runs for each credential request:

vault write database/roles/readonly \
  db_name=my-postgresql-database \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"

Without the GRANT, the generated user could log in but read nothing. VALID UNTIL makes PostgreSQL itself refuse the login once the lease has expired, even if Vault's revocation never reaches the database. To generate credentials:

vault read database/creds/readonly

Every read returns a new username/password pair together with a lease_id. The pair is valid for default_ttl, can be renewed up to max_ttl, and is dropped from the database when its lease is revoked or expires.

Common Use Cases

1. Rotating Database Credentials

Vault creates a distinct database user for every credential request and tracks it as a lease, so credentials are short-lived by construction and there is no shared password that needs rotating. When a consumer finishes early, revoke its lease and Vault drops the user immediately instead of waiting for the TTL:

vault lease revoke <lease_id>

The lease_id is returned alongside the credentials by vault read database/creds/readonly. To revoke every credential a role has issued at once, for instance after a suspected leak, pass the -prefix flag with the role path (database/creds/readonly) instead of a single lease id.
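One full credential lifecycle for section 12 and this use case, added here as an example that is not code from the page or from HashiCorp: rotate the admin password Vault holds, issue a credential pair, use it, then revoke its lease, with a bulk revocation for emergencies. It assumes the database engine was configured as above with a templated connection_url (so rotate-root can work), that VAULT_ADDR and a token allowed to use database/* are set, and that psql can reach the same server; read_field and the sample output at the bottom are constructed for this example.

```shell
#!/bin/sh
# Added example: dynamic PostgreSQL credentials from issue to revoke.
# read_field and the sample output are constructed for this example.
set -e

# Pick one column from the key/value table that `vault read` prints. Every
# `vault read database/creds/<role>` creates a NEW database user and lease, so
# capture the output once instead of running `vault read -field=username` and
# then `vault read -field=password`, which would hand you two different users.
read_field() {
    awk -v want="$1" '$1 == want { print $2 }'
}

# Let Vault replace the admin password it was given at configuration time with
# one only it knows. Requires the {{username}}/{{password}} templated URL.
rotate_admin_password() {
    vault write -f database/rotate-root/my-postgresql-database
}

credential_lifecycle() {
    creds=$(vault read database/creds/readonly)
    lease_id=$(printf '%s\n' "$creds" | read_field lease_id)
    db_user=$(printf '%s\n' "$creds" | read_field username)
    db_pass=$(printf '%s\n' "$creds" | read_field password)
    echo "issued $db_user under lease $lease_id"

    # Use the credential; PGPASSWORD keeps the password out of argv and history.
    PGPASSWORD=$db_pass psql -h localhost -U "$db_user" -d mydb -c 'SELECT current_user;'

    # Finished early: revoking the lease drops the role now rather than at TTL expiry.
    vault lease revoke "$lease_id"
}

# Emergency switch: revoke every outstanding credential this role has issued.
revoke_all_readonly() {
    vault lease revoke -prefix database/creds/readonly
}

# Constructed sample of `vault read database/creds/readonly` output for offline checks.
sample_creds_output() {
    cat <<'EOF'
Key                Value
---                -----
lease_id           database/creds/readonly/constructed-lease-id
lease_duration     1h
lease_renewable    true
password           constructed-password
username           v-token-readonly-constructed
EOF
}

# Only touch live systems when explicitly asked; otherwise just define the functions.
if [ "${RUN_DB_DEMO:-0}" = "1" ]; then rotate_admin_password; credential_lifecycle; fi
```

Run it with RUN_DB_DEMO=1. Applications that hold a credential for longer than default_ttl should renew the lease (vault lease renew) before it expires rather than request new credentials each time, which would leave a trail of users waiting for cleanup.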

2. Enabling Transit Secrets Engine

Vault's transit engine provides encryption as a service: applications send data to Vault to be encrypted or decrypted and keep the resulting ciphertext themselves, while the key never leaves Vault. Vault stores only the key, so the data itself never touches Vault's storage, and the key can be rotated without re-encrypting everything at once.

To enable the transit secrets engine:

vault secrets enable transit

Create a key for encryption:

vault write -f transit/keys/my-encryption-key

To encrypt data, base64-encode the plaintext first, since transit only accepts base64 input. Use printf rather than echo or a here-string, which would append a newline to the secret:

vault write transit/encrypt/my-encryption-key plaintext=$(printf '%s' "My Secret Data" | base64)

The response carries a ciphertext of the form vault:v1:<base64>; the v1 is the version of the key that encrypted it. To decrypt data, pass that string back and base64-decode the plaintext field of the response:

vault write -field=plaintext transit/decrypt/my-encryption-key ciphertext=<ciphertext> | base64 -d
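The transit round trip with the base64 handling made explicit, followed by a key rotation and rewrap, as an added example that is not code from the page or from HashiCorp. It assumes VAULT_ADDR, a token allowed to use transit/*, and the mount and key name used above; to_b64, from_b64 and ciphertext_version are helpers written for this example.

```shell
#!/bin/sh
# Added example: transit encrypt/decrypt, key rotation and rewrap.
# The helper functions are written for this example.
set -e

# Transit accepts and returns plaintext as base64. Strip any line wrapping so
# the encoded value is a single token on the command line.
to_b64()   { printf '%s' "$1" | base64 | tr -d '\n'; }
from_b64() { base64 -d; }

# Transit ciphertexts look like vault:v<N>:<base64>. <N> is the key version that
# produced them, which is how you find data still needing a rewrap after rotation.
ciphertext_version() { printf '%s' "$1" | awk -F: '{ print $2 }'; }

encrypt() {
    vault write -field=ciphertext transit/encrypt/my-encryption-key plaintext="$(to_b64 "$1")"
}

decrypt() {
    vault write -field=plaintext transit/decrypt/my-encryption-key ciphertext="$1" | from_b64
}

demo() {
    ct=$(encrypt 'My Secret Data')
    echo "encrypted with key version $(ciphertext_version "$ct")"
    echo "decrypted: $(decrypt "$ct")"

    # Rotate: new encryptions use the new version, old ciphertexts still decrypt.
    # Rewrapping moves them to the current version (without exposing the plaintext
    # to the caller), so the old version can eventually be retired.
    vault write -f transit/keys/my-encryption-key/rotate
    ct2=$(vault write -field=ciphertext transit/rewrap/my-encryption-key ciphertext="$ct")
    echo "rewrapped from $(ciphertext_version "$ct") to $(ciphertext_version "$ct2")"
    echo "still decrypts: $(decrypt "$ct2")"
}

# Only touch a live server when explicitly asked; otherwise just define the functions.
if [ "${RUN_TRANSIT_DEMO:-0}" = "1" ]; then demo; fi
```

Run it with RUN_TRANSIT_DEMO=1. Rotation alone does not retire anything: until the old ciphertexts are rewrapped, the old key version must stay decryptable, which is what the key's min_decryption_version setting controls.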

Wrapping Up

This guide provides a solid foundation for using HashiCorp Vault commands in daily DevOps operations. By leveraging Vault’s powerful command line interface, you can manage secrets, configure dynamic secrets, and enhance the security posture of your infrastructure.


Further Reading

For more information, you can visit HashiCorp Vault Documentation.

