myCloud

Personal short notes about Cloud
Vault

By mikado on October 23, 2022

Install Vault on Windows

Install chocolatey

  • Run PowerShell as admin
Get-ExecutionPolicy
Set-ExecutionPolicy AllSigned
  • Go to chocolatey.org/install and copy the PowerShell install command:
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

Install vault

choco install vault

DEV Server

  • Insecure: for local development only
  • Listens on localhost, no TLS
  • Storage: inmem (everything is lost when the process stops)
  • Output shows the unseal key and root token

Start vault server:

vault server -dev

After starting it:

1. Open a new terminal

2. Copy and run (configure the Vault client to talk to the dev server):

export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_DEV_ROOT_TOKEN_ID='XXXXXXXXXXXXXXXXXX'

3. Save the unseal key (e.g. to my-unsealed-key.key)

4. Status

vault status

SECRETS

  • Are encrypted and written to backend storage
  • USE FILES

1. WRITE a secret

vault kv put secret/hello foo=world mika=do

2. GET a secret

vault kv get secret/hello
vault kv get -field=mika secret/hello
vault kv get -format=json secret/hello | jq -r .data.data.mika

3. DELETE a secret

vault kv delete secret/hello

KV SECRETS ENGINE

  • Vault enables a secrets engine called kv at the path secret/
  • Secrets engines:

Secrets Engine | Description
kv             | Key-Value store that stores one value for a key
aws            | AWS IAM access keys
database       | On-demand, time-limited credentials
  • Enable another instance of the kv secrets engine:
vault secrets enable -path=kv kv
  • List secrets:
vault secrets list
  • Can disable:
vault secrets disable kv/

AWS SECRET ENGINE

  • Is not enabled by default; must be enabled before use
vault secrets enable -path=aws aws
  • Generates dynamic, on-demand AWS access credentials
  • Vault needs root credentials to authenticate to AWS; store them in the AWS secrets engine config:
vault write aws/config/root \
access_key=XXXXXXXXXXXXXXX \
secret_key=XXXXXXXXXXXXXXX \
region=us-east-1
  • Configure a role (the parameter is credential_type; policy_document=- reads the JSON from stdin)
vault write aws/roles/my-role \
    credential_type=iam_user \
    policy_document=-<<EOF
{
…… AWS policy json ……
}
EOF
  • Now we have a role, so generate an access key pair for that role by reading from aws/creds/<rolename>
vault read aws/creds/my-role
  • It outputs the lease_id (a path), which is used for renewal, revocation and inspection
  • Vault revokes this credential after 768 hours
  • To revoke the secret before then
vault lease revoke <lease_id>
vault lease revoke aws/creds/my-role/XXXXXXXXXXXXXXXXXXX
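As an added example (not from the original notes), a small Python helper that parses the JSON returned by `vault kv get -format=json secret/hello` and `vault read aws/creds/my-role -format=json`, pulls out the same field the jq pipeline in the SECRETS section does, and works out when the 768h lease expires so a credential can be revoked early rather than living the full 32 days. The JSON samples, lease ID and key values are constructed placeholders, and parse_time, kv_field, lease_info and revoke_if_stale are names chosen here.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `vault kv get -format=json secret/hello`: KV v2 nests the
# user's key/values under data.data and the version metadata under data.metadata.
KV_GET_OUTPUT = """{
  "request_id": "constructed-request-id", "lease_id": "", "lease_duration": 0,
  "renewable": false,
  "data": {"data": {"foo": "world", "mika": "do"},
           "metadata": {"created_time": "2022-10-23T10:00:00Z", "deletion_time": "",
                        "destroyed": false, "version": 1}}
}"""

# Constructed sample of `vault read -format=json aws/creds/my-role`: lease_id and
# keys are placeholders; lease_duration is the 768h default expressed in seconds.
AWS_CREDS_OUTPUT = """{
  "request_id": "constructed-request-id",
  "lease_id": "aws/creds/my-role/PLACEHOLDER-LEASE-ID",
  "lease_duration": 2764800, "renewable": true,
  "data": {"access_key": "AKIA-PLACEHOLDER", "secret_key": "PLACEHOLDER", "security_token": null}
}"""


def parse_time(text):
    """Parse a UTC timestamp such as 2022-10-23T10:00:00Z into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def kv_field(raw, field):
    """Same value as `vault kv get -format=json ... | jq -r .data.data.<field>`."""
    return json.loads(raw)["data"]["data"][field]


def lease_info(raw, issued_at):
    """Return (lease_id, lease length in hours, expiry datetime) for a dynamic secret."""
    doc = json.loads(raw)
    seconds = doc["lease_duration"]
    return doc["lease_id"], seconds / 3600, issued_at + timedelta(seconds=seconds)


def revoke_if_stale(raw, issued_at, now, max_age=timedelta(days=1)):
    """Return the `vault lease revoke <lease_id>` argv when the credential has been
    out longer than max_age and Vault has not expired it yet; otherwise None."""
    lease_id, _, expires_at = lease_info(raw, issued_at)
    if now >= expires_at or now - issued_at < max_age:
        return None
    return ["vault", "lease", "revoke", lease_id]
```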

Category: Terraform
