Vault by HashiCorp
Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, auditing, and provides secrets as a service through a unified API.

Today I’m going to talk about HashiCorp Vault. Vault is a very robust secret manager that works with many types of secrets, from traditional usernames and passwords to API keys and even SSH keys. Once we have Vault set up, we will be connecting it to AWX for all our secrets, which I’ll cover in a future post. This one is just about setting up Vault.

I’ll be setting this up on a CentOS 8 box.  I won’t cover setting up certs in this post, but I will in a future post as it takes a bit more work.

First, we need to download the zip and extract it. We need two tools for that which may not be installed on your box, so let’s install them. You should be doing all of this as a non-root user with sudo access.

sudo yum install wget unzip -y
Install wget and unzip

Next let’s download the vault zip.

wget https://releases.hashicorp.com/vault/1.3.2/vault_1.3.2_linux_amd64.zip
If you are reading this in the future, make sure to grab the latest version from their site.

Next let’s unzip the file and put it where it needs to be for execution.

unzip vault_1.3.2_linux_amd64.zip
sudo mv vault /usr/local/bin/
sudo restorecon -rv /usr/local/bin/vault

Now let’s make sure it works and enable the handy tab completion.

vault --version
Vault v1.3.2

vault -autocomplete-install
exec $SHELL
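HashiCorp publishes a SHA256SUMS file beside every release zip (for this version, vault_1.3.2_SHA256SUMS in the same directory as the zip), and checking the download against it before unzipping is how you catch a corrupted or tampered archive. The following Python is an added example, not code from the original post or from HashiCorp: verify_release computes the zip’s SHA-256 and compares it with the entry for that filename in the sums file, and demo runs the check on a constructed stand-in zip and a constructed sums file so it works offline (the file contents and the second digest in the sums file are made up for the example).

```python
import hashlib
import os
import tempfile


def parse_sha256sums(text):
    """Parse GNU sha256sum lines ('<hexdigest>  <filename>') into {filename: digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        # sha256sum prefixes '*' to names hashed in binary mode; strip it
        sums[name.lstrip("*")] = digest.lower()
    return sums


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so a large zip is not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_release(zip_path, sums_path):
    """True only if the zip's digest matches its own entry in the SHA256SUMS file.

    A missing entry is a failure, not a pass: a sums file that does not list the
    file you downloaded tells you nothing about it.
    """
    with open(sums_path, encoding="utf-8") as fh:
        sums = parse_sha256sums(fh.read())
    expected = sums.get(os.path.basename(zip_path))
    if expected is None:
        return False
    return sha256_file(zip_path) == expected


def demo():
    """Run the check on constructed files; returns (genuine_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        zip_path = os.path.join(tmp, "vault_1.3.2_linux_amd64.zip")
        with open(zip_path, "wb") as fh:
            # Constructed stand-in for the release zip (not a real archive)
            fh.write(b"PK\x03\x04 constructed stand-in for the release zip\n")
        # Constructed sums file in the published format; the arm entry's digest is made up
        sums_path = os.path.join(tmp, "vault_1.3.2_SHA256SUMS")
        with open(sums_path, "w", encoding="utf-8") as fh:
            fh.write(f"{sha256_file(zip_path)}  vault_1.3.2_linux_amd64.zip\n")
            fh.write(f"{'0' * 64}  vault_1.3.2_linux_arm.zip\n")
        genuine_ok = verify_release(zip_path, sums_path)
        # Tamper with the archive after the sums were recorded: one extra byte
        with open(zip_path, "ab") as fh:
            fh.write(b"\x00")
        tampered_ok = verify_release(zip_path, sums_path)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    ok, tampered = demo()
    print(f"genuine zip verified: {ok}; tampered zip verified: {tampered}")
```

To check a real download, fetch the SHA256SUMS file from the same release directory as the zip and point verify_release at both. HashiCorp also signs that sums file (the .sig file next to it, verified with their release GPG key); that signature check is the stronger step and is not covered by this example.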

Hopefully you are still with me and got similar output. Next, we are going to create a vault account to run the service, and the directories we need to store the configuration and the vault data.

sudo useradd -r -d /etc/vault.d -m -s /bin/false vault
sudo mkdir -p /opt/vault/data
sudo chown -R vault:vault /opt/vault/

Now we need to set up the vault.service file so that we can use systemd to start and stop Vault. Create a file called vault.service in /etc/systemd/system/

sudo nano /etc/systemd/system/vault.service

Add the following to the file

[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/config.hcl

[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/config.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitBurst=3
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Now we need to create a config file for vault.

sudo nano /etc/vault.d/config.hcl

Paste the following

ui = true

# Loopback listener for local CLI use on the box itself
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1   # plaintext only until certs are set up (covered in a later post)
}

# Listener on the server's IP for the UI and for AWX
listener "tcp" {
  address     = "X.X.X.X:8200"
  tls_disable = 1   # plaintext only until certs are set up (covered in a later post)
}

storage "file" {
  path = "/opt/vault/data"
}

# api_addr takes a single value: the address clients should use to reach this node
api_addr = "http://X.X.X.X:8200"

max_lease_ttl     = "10h"
default_lease_ttl = "10h"
cluster_name      = "vault"

# Enables the sys/raw endpoint (root-token access to raw storage); only keep it if you need it
raw_storage_endpoint    = true
disable_sealwrap        = true
disable_printable_check = true
Replace X.X.X.X in both locations with your server’s IP address.

Now we need to enable and start the vault service

sudo systemctl daemon-reload
sudo systemctl enable --now vault

Let’s make sure vault is started and running

sudo systemctl start vault
sudo systemctl status vault

You should see something like this:

● vault.service - "HashiCorp Vault - A tool for managing secrets"
   Loaded: loaded (/etc/systemd/system/vault.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-03-08 04:20:39 CDT; 7min ago
     Docs: https://www.vaultproject.io/docs/
 Main PID: 16191 (vault)
    Tasks: 13 (limit: 23596)
   Memory: 104.3M
   CGroup: /system.slice/vault.service
           └─16191 /usr/local/bin/vault server -config=/etc/vault.d/config.hcl

Let’s open the firewall so that we can access the UI webpage

sudo firewall-cmd --zone=public --permanent --add-port 8200/tcp
sudo firewall-cmd --zone=public --permanent --add-port 8201/tcp
sudo firewall-cmd --reload

You should be able to point your browser at the IP you set, on port 8200, and get the UI.

http://X.X.X.X:8200

Let’s initialize the vault with 5 keys

The next page will list your keys and root token. At the bottom, download the keys.

***KEEP THIS FILE SAFE***

Hit continue to unseal. Now we need to open that downloaded file and enter the 5 unseal keys one by one, hitting Unseal after each. You will see a small counter saying x/5.

Once unsealed, it will ask you to log in with your token. This is the root token in the key file you were copying the unseal keys from. Once you enter this, your vault is ready to go. Congratulations.
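The unseal flow the UI walks you through is two API calls, and scripting it shows what the x/5 counter actually tracks. The Python below is an added example, not part of the original post or of Vault itself: init_vault calls /v1/sys/init and unseal feeds key shares to /v1/sys/unseal until the status reports sealed false, with progress being the x in the counter. It goes one step beyond the post by setting the key threshold lower than the number of shares (3 of 5 here), which Vault’s init supports and which means any 3 of the 5 key holders can unseal. FakeVault is a constructed offline stand-in for those two endpoints (it counts distinct valid shares instead of reconstructing the Shamir secret, and its token format is made up) so the script runs without a server; against a real server the default http_post transport uses VAULT_ADDR, assumed here to be the loopback listener from config.hcl.

```python
import base64
import json
import os
import secrets
import urllib.request

# Assumed: the loopback listener from config.hcl; override with the VAULT_ADDR env var
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")


def http_post(path, body):
    """POST a JSON body to the Vault API and return the decoded JSON reply ({} for an empty one)."""
    req = urllib.request.Request(
        VAULT_ADDR + path,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def init_vault(shares, threshold, post=http_post):
    """POST /v1/sys/init: returns the unseal key shares and the initial root token.

    This works exactly once per storage backend, and the reply is the only time
    Vault ever shows the keys, so store the result the way the post says to.
    """
    return post("/v1/sys/init", {"secret_shares": shares, "secret_threshold": threshold})


def unseal(keys, post=http_post):
    """Feed key shares to /v1/sys/unseal one at a time until the reply says sealed == False.

    Returns the last seal status; 'progress' is the x of the UI's x/n counter and
    drops back to 0 once the threshold is reached and the vault is unsealed.
    """
    status = None
    for key in keys:
        status = post("/v1/sys/unseal", {"key": key})
        if not status["sealed"]:
            break
    return status


class FakeVault:
    """Offline stand-in for the two endpoints above (constructed for this example)."""

    def __init__(self):
        self.initialized = False
        self.shares = set()      # shares handed out at init
        self.threshold = None
        self.seen = set()        # distinct valid shares provided so far
        self.sealed = True

    def post(self, path, body):
        if path == "/v1/sys/init":
            if self.initialized:
                raise RuntimeError("Vault is already initialized")
            # Real keys_base64 entries are 33 random bytes; the token format is made up
            keys = [base64.b64encode(secrets.token_bytes(33)).decode()
                    for _ in range(body["secret_shares"])]
            self.shares, self.threshold, self.initialized = set(keys), body["secret_threshold"], True
            return {"keys_base64": keys, "root_token": "s." + secrets.token_hex(12)}
        if path == "/v1/sys/unseal":
            if body["key"] not in self.shares:
                raise ValueError("invalid unseal key")
            self.seen.add(body["key"])
            if len(self.seen) >= self.threshold:
                self.sealed, self.seen = False, set()
            return {"sealed": self.sealed, "t": self.threshold, "n": len(self.shares),
                    "progress": len(self.seen)}
        raise ValueError(f"unsupported path {path}")


if __name__ == "__main__":
    fake = FakeVault()
    result = init_vault(5, 3, fake.post)
    print("issued", len(result["keys_base64"]), "shares; unsealing with the first three")
    print(unseal(result["keys_base64"][:3], fake.post))
```

Against a real server, swap fake.post for the default transport (init_vault(5, 3) and unseal(keys)); the reply shapes are the same, and any share that does not validate is rejected by the server just as the stand-in rejects an unknown key.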

In the next post I’ll show you how to add secrets, make an Ansible token and set up AWX to get its credentials from Vault.

If you have questions or comments you can find my contact info here:

Contact
If you’d like to get in touch with me with questions or comments about anything I talk about feel free to reach out to me. You can email me or send me a DM on twitter. blog [@] glitchv0.com (remove [], trying to avoid spambots) Twitter: https://twitter.com/glitchv0