Today I’m going to talk about HashiCorp Vault. Vault is a very robust secrets manager that handles many types of secrets, from traditional usernames and passwords to API keys and even SSH keys. Once we have Vault set up, we will be connecting it to AWX for all our secrets, which I’ll cover in a future post. This one is just about setting up Vault.
I’ll be setting this up on a CentOS 8 box. I won’t cover setting up certs in this post, but I will in a future post as it takes a bit more work.
First, we need to download the zip and get it extracted. We are going to need two tools to do that; they may not be installed on your box, so let’s install them. You should be doing this as a non-root user as well.
Next let’s download the vault zip.
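The post does not reproduce the download command, so here is an added example (not the author’s own commands) that fetches the 1.3.2 zip named below and checks it against HashiCorp’s published SHA256SUMS before anything is unzipped. It assumes curl, gpg and sha256sum are installed, and that the release files live under the releases.hashicorp.com layout (https://releases.hashicorp.com/vault/1.3.2/); the signature check needs HashiCorp’s release key imported into your keyring first (see https://www.hashicorp.com/security).

```shell
#!/bin/sh
# Added example, not from the original post: download a Vault release and
# verify the zip against the signed SHA256SUMS list before unzipping it.
# Assumptions: curl, gpg and sha256sum are available; VERSION matches the
# zip used in the post (1.3.2); the files live under releases.hashicorp.com.
set -eu

VERSION="${VAULT_VERSION:-1.3.2}"
ZIP="vault_${VERSION}_linux_amd64.zip"
BASE="https://releases.hashicorp.com/vault/${VERSION}"

# Fetch the zip, the checksum list, and the detached signature over that list.
fetch_release() {
  curl -fsSLO "${BASE}/${ZIP}"
  curl -fsSLO "${BASE}/vault_${VERSION}_SHA256SUMS"
  curl -fsSLO "${BASE}/vault_${VERSION}_SHA256SUMS.sig"
}

# Confirm the checksum list was signed by HashiCorp's release key (which must
# already be in the local gpg keyring). Non-zero exit means do not trust SUMS.
verify_sums_signature() {
  gpg --verify "vault_${VERSION}_SHA256SUMS.sig" "vault_${VERSION}_SHA256SUMS"
}

# verify_sha256 FILE SUMSFILE: succeed only when FILE's SHA-256 matches the
# entry for FILE in SUMSFILE. A missing entry counts as a failure, not a pass.
verify_sha256() {
  file="$1"; sums="$2"
  expected=$(awk -v f="$file" '$2 == f { print $1 }' "$sums")
  [ -n "$expected" ] || { echo "no checksum for $file in $sums" >&2; return 1; }
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  [ "$expected" = "$actual" ]
}

# Typical use (network required), then continue with the unzip step in the post:
#   fetch_release && verify_sums_signature && verify_sha256 "$ZIP" "vault_${VERSION}_SHA256SUMS"
```

The checksum alone only proves the zip matches the list you downloaded from the same server; the gpg step is what ties that list to HashiCorp rather than to whoever controls the download path.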
Next let’s unzip the file and put it where it needs to be for execution.
unzip vault_1.3.2_linux_amd64.zip
sudo mv vault /usr/local/bin/
restorecon -rv /usr/local/bin/vault
Now let’s make sure it works and enable the handy tab completion.
vault --version
Vault v1.3.2
vault -autocomplete-install
exec $SHELL
Hopefully you are still with me and got similar output. Next, we are going to create a vault account to run the service, along with the directories we need to store the configuration and the vault data.
sudo useradd -r -d /etc/vault.d -m -s /bin/false vault
sudo mkdir -p /opt/vault/data
sudo chown -R vault:vault /opt/vault/
Now we need to set up the vault.service file so that we can use systemd to start and stop Vault. Create a file called vault.service in /etc/systemd/system/
sudo nano /etc/systemd/system/vault.service
Add the following to the file
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/config.hcl

[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/config.hcl
# $MAINPID tells kill which process to signal; without it the reload fails
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitBurst=3
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
Now we need to create a config file for vault.
sudo nano /etc/vault.d/config.hcl
Paste the following
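The config contents are not reproduced on this page, so the following is an added example rather than the author’s own file. It generates a minimal single-node config.hcl matching the paths used above: the file storage backend at /opt/vault/data, the UI enabled, and a listener on port 8200. The TLS variant uses placeholder certificate paths (this post does not set up certs); the tls_disable variant is the weak setting, shown only so the difference is visible, because with it tokens and secrets cross the network in plaintext.

```shell
#!/bin/sh
# Added example, not the post's own config: emit a minimal config.hcl for the
# layout used in this post. Assumptions: file storage at /opt/vault/data,
# listener on 0.0.0.0:8200, and placeholder TLS paths under /etc/vault.d/tls/.
# vault_config [tls|notls]  -> prints the HCL to stdout (default: tls)
vault_config() {
  mode="${1:-tls}"
  cat <<'EOF'
# Serve the web UI on the listener (off by default in Vault 1.3).
ui = true

# Single-node storage on local disk; the vault user must own this path.
storage "file" {
  path = "/opt/vault/data"
}
EOF
  if [ "$mode" = "notls" ]; then
    cat <<'EOF'

# Lab only: plaintext listener. Every token and secret crosses the wire unencrypted.
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
EOF
  else
    cat <<'EOF'

# Hardened form: the listener presents a certificate; paths are placeholders.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"
  tls_key_file  = "/etc/vault.d/tls/vault.key"
}
EOF
  fi
}

# Write it into place; the unit above refuses to start if this file is empty:
#   vault_config tls | sudo tee /etc/vault.d/config.hcl >/dev/null
#   sudo chown vault:vault /etc/vault.d/config.hcl && sudo chmod 640 /etc/vault.d/config.hcl
```

If you start with the notls variant to follow along, swap to the TLS block before putting anything real into the vault; the address is what the UI step later in the post connects to.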
Now we need to enable and start the vault service.
sudo systemctl daemon-reload
sudo systemctl enable --now vault
Let’s make sure vault is started and running.
sudo systemctl start vault
sudo systemctl status vault
You should see something like this:
● vault.service - "HashiCorp Vault - A tool for managing secrets"
   Loaded: loaded (/etc/systemd/system/vault.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-03-08 04:20:39 CDT; 7min ago
     Docs: https://www.vaultproject.io/docs/
 Main PID: 16191 (vault)
    Tasks: 13 (limit: 23596)
   Memory: 104.3M
   CGroup: /system.slice/vault.service
           └─16191 /usr/local/bin/vault server -config=/etc/vault.d/config.hcl
Let’s open the firewall so that we can access the UI webpage.
sudo firewall-cmd --zone=public --permanent --add-port 8200/tcp
sudo firewall-cmd --zone=public --permanent --add-port 8201/tcp
sudo firewall-cmd --reload
You should be able to point your browser at the IP address you configured, on port 8200, and get the UI.
Let’s initialize the vault with 5 keys.
The next page will list your keys and root token. At the bottom download the keys.
***KEEP THIS FILE SAFE***
Hit continue to unseal. Now we need to open that downloaded file and enter the 5 unseal keys one by one, hitting unseal after each. You will see a small counter saying x/5.
Once unsealed it will ask you to log in with your token. This is the root token in the same key file you were copying the unseal keys from. Once you enter this, your vault is ready to go. Congratulations.
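The same initialize-and-unseal flow can be driven from the CLI instead of the UI. The following is an added example (not the post’s own steps, which use the UI) and deliberately uses a 3-of-5 threshold, so that no single holder of a key share can unseal the vault alone; the post’s UI flow uses all 5 of 5. It assumes the vault binary from earlier is on PATH, that VAULT_ADDR points at the listener (http://127.0.0.1:8200 is assumed here because this post does not set up certificates), and that vault operator init prints its default text format ("Unseal Key N: ..." and "Initial Root Token: ...").

```shell
#!/bin/sh
# Added example, not from the original post: CLI init and unseal with a 3-of-5
# threshold. Assumptions: vault on PATH; VAULT_ADDR reaches the listener (plain
# http only because certs are not set up in this post); default text output.
export VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"

# init_vault OUTFILE: initialise once and keep the key shares and root token in
# a 0600 file. Treat it exactly like the downloaded key file in the UI flow.
init_vault() {
  out="$1"
  ( umask 077; vault operator init -key-shares=5 -key-threshold=3 > "$out" )
}

# unseal_keys OUTFILE: print the 5 unseal key shares, one per line.
unseal_keys() {
  awk '/^Unseal Key [0-9]+:/ { print $4 }' "$1"
}

# root_token OUTFILE: print the initial root token (use it once, then revoke it
# after creating a less privileged admin token).
root_token() {
  awk '/^Initial Root Token:/ { print $4 }' "$1"
}

# unseal_vault OUTFILE [N]: submit the first N shares (default 3, the threshold).
# Each call lowers the x/N progress counter the UI shows until the vault opens.
unseal_vault() {
  out="$1"; n="${2:-3}"
  unseal_keys "$out" | head -n "$n" | while read -r key; do
    vault operator unseal "$key" >/dev/null
  done
}

# Typical use against a freshly started server:
#   init_vault vault-init.txt && unseal_vault vault-init.txt && vault status
```

In practice the five shares should go to five different people or stores rather than all staying in one file; the threshold is what makes that distribution worthwhile, and vault status reports Sealed: false once enough shares have been submitted.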
In the next post I’ll show you how to add secrets, make an ansible token and setup AWX to get its credentials from vault.
If you have questions or comments you can find my contact info here: