HashiCorp Vault is a tool designed for securely accessing secrets, such as API keys, passwords, and certificates. It provides a unified interface to access and manage secrets dynamically.
Basic Vault Commands
1. Starting Vault Server
Before running Vault commands, you need to start the Vault server. For development, the following command can be used:
vault server -dev
This runs Vault in “dev mode”, which keeps all data in memory and starts already initialized and unsealed; it is useful for quick testing but not for production (steps 2 and 3 below apply to a regular, non-dev server).
2. Initialize Vault
Vault initialization generates the master key, splits it into unseal key shares (recovery keys when auto-unseal is used), and creates the initial root token. This must be done once, before the Vault can be unsealed.
vault operator init
This outputs several unseal keys and a root token. The root token is used for initial authentication, and the unseal keys are needed to unseal the Vault after initialization.
3. Unseal Vault
After initialization, you must unseal Vault with the vault operator unseal command:
vault operator unseal <unseal_key>
Repeat this command with at least 3 different unseal keys (the default threshold out of 5 shares) to fully unseal Vault.
4. Login to Vault
Once Vault is unsealed, you need to authenticate using the root token or other authentication methods (like LDAP, AppRole).
vault login <root_token>
5. Storing Secrets
Vault allows you to store secrets. Here’s how to store a key-value secret:
vault kv put secret/my-secret username="admin" password="P@ssw0rd"
6. Retrieving Secrets
To retrieve a secret:
vault kv get secret/my-secret
To only display the value of the secret:
vault kv get -field=password secret/my-secret
7. Listing Secrets
To list the secrets stored in a path:
vault kv list secret/
8. Deleting Secrets
To delete a secret:
vault kv delete secret/my-secret
9. Creating a New Policy
Policies define what users and applications can access in Vault. You can write policies in HCL (HashiCorp Configuration Language).
Here’s an example policy saved as read-secrets.hcl:
path "secret/data/*" {
  capabilities = ["read", "list"]
}
To add the policy to Vault:
vault policy write read-secrets read-secrets.hcl
10. Enabling Authentication Method
To allow users to authenticate using various methods like AppRole or LDAP, you need to enable the appropriate auth method.
For enabling userpass authentication:
vault auth enable userpass
11. Creating a User with Userpass Authentication
To create a user with username and password authentication:
vault write auth/userpass/users/johndoe password="strongpassword" policies="read-secrets"
12. Generating Dynamic Secrets
Vault can generate secrets dynamically, such as database credentials. First, you need to configure a database secrets engine. Here’s an example for PostgreSQL (sslmode=disable in the connection URL is only appropriate for a local test database):
vault secrets enable database
vault write database/config/my-postgresql-database \
plugin_name=postgresql-database-plugin \
allowed_roles="readonly" \
connection_url="postgresql://username:password@localhost:5432/mydb?sslmode=disable"
vault write database/roles/readonly \
db_name=my-postgresql-database \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}';" \
default_ttl="1h" \
max_ttl="24h"
To generate credentials:
vault read database/creds/readonly
Common Use Cases
1. Rotating Database Credentials
Vault can dynamically create and revoke database credentials based on predefined roles, so credentials are rotated regularly for better security. To revoke a credential before its TTL expires, pass the lease_id returned by vault read database/creds/readonly:
vault lease revoke database/creds/readonly/<lease_id>
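As an added example (not code from the original guide), the following Python script drives the same lease lifecycle through Vault’s HTTP API, which the CLI wraps: request credentials from the readonly role, decide when to renew or reissue them, and revoke the lease when done. It assumes VAULT_ADDR and VAULT_TOKEN are set as for the CLI; the embedded sample response is constructed, not captured from a real server.

```python
import json
import os
import urllib.request

# Constructed sample of what `vault read -format=json database/creds/readonly`
# returns (placeholder values, not captured from a real Vault server).
SAMPLE_CREDS_RESPONSE = json.loads("""{
  "request_id": "00000000-0000-0000-0000-000000000000",
  "lease_id": "database/creds/readonly/EXAMPLE-LEASE-ID",
  "renewable": true,
  "lease_duration": 3600,
  "data": {"username": "v-token-readonly-EXAMPLE", "password": "EXAMPLE-PASSWORD"}
}""")

def vault_request(method, path, body=None, addr=None, token=None):
    """Call the Vault HTTP API the CLI wraps; reads VAULT_ADDR/VAULT_TOKEN like the CLI."""
    addr = addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    token = token or os.environ.get("VAULT_TOKEN", "")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def parse_lease(resp, role="readonly"):
    """Keep what an app needs from a creds response: the secret, the lease id
    (required to renew or revoke) and how long the credentials stay valid."""
    lease_id = resp["lease_id"]
    if not lease_id.startswith(f"database/creds/{role}/"):
        raise ValueError(f"unexpected lease id for role {role}: {lease_id}")
    return {"lease_id": lease_id, "ttl": int(resp["lease_duration"]),
            "renewable": bool(resp["renewable"]),
            "username": resp["data"]["username"], "password": resp["data"]["password"]}

def lease_action(lease, issued_at, now, renew_fraction=0.8):
    """'ok' while well inside the TTL, 'renew' once renew_fraction of it has elapsed
    (if Vault marked the lease renewable), 'reissue' once it has expired."""
    elapsed = now - issued_at
    if elapsed >= lease["ttl"]:
        return "reissue"  # Vault has already dropped the DB role: request new creds
    if elapsed >= renew_fraction * lease["ttl"]:
        return "renew" if lease["renewable"] else "reissue"
    return "ok"

def renew_lease(lease, increment=3600):
    """PUT sys/leases/renew; Vault caps the extension at the role's max_ttl (24h above)."""
    return vault_request("PUT", "sys/leases/renew",
                         {"lease_id": lease["lease_id"], "increment": increment})

def revoke_lease(lease):
    """PUT sys/leases/revoke, the same call `vault lease revoke <lease_id>` makes."""
    return vault_request("PUT", "sys/leases/revoke", {"lease_id": lease["lease_id"]})
```

Run against a live server with `lease = parse_lease(vault_request("GET", "database/creds/readonly"))`, use `lease["username"]`/`lease["password"]` to connect, and call `revoke_lease(lease)` when the work is done.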
2. Enabling Transit Secrets Engine
Vault’s transit engine provides encryption as a service: applications send data to Vault to be encrypted or decrypted, and only the key is stored in Vault, never the data itself.
To enable the transit secrets engine:
vault secrets enable transit
Create a key for encryption:
vault write -f transit/keys/my-encryption-key
To encrypt data:
vault write transit/encrypt/my-encryption-key plaintext=$(base64 <<< "My Secret Data")
To decrypt data:
vault write transit/decrypt/my-encryption-key ciphertext=<ciphertext>
Wrapping Up
This guide provides a solid foundation for using HashiCorp Vault commands in daily DevOps operations. By leveraging Vault’s powerful command line interface, you can manage secrets, configure dynamic secrets, and enhance the security posture of your infrastructure.
Further Reading
For more information, you can visit HashiCorp Vault Documentation.