HashiCorp Vault on AWS

For one project we decided to use HashiCorp Vault instead of a combination of different approaches.

Before that we used Ansible Vault and custom AES-CBC-256 encryption.

The motivation for using HashiCorp Vault is well known.

So what do we need for our case?

An AWS account with DynamoDB and EC2 (a nano instance is enough)

  1. Create a DynamoDB table as highly available storage, named for example vault-data
  2. Create an IAM policy vault_policy with the permissions listed at https://www.vaultproject.io/docs/configuration/storage/dynamodb/
  3. Create an isolated IAM user with only the newly created policy attached
  4. Install Linux on an AWS EC2 instance.
  5. Download and unzip the Vault binary
  6. Write config.hcl (the AWS key credentials are what the dynamodb storage backend uses to reach the table):
disable_cache = true
disable_mlock = true          # Vault memory may be swapped to disk; the unit below still grants CAP_IPC_LOCK
ui            = true
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1             # plain HTTP on every interface; see the note on HTTPS below
}
storage "dynamodb" {
  ha_enabled = "true"
  region     = "{{ AWS_REGION }}"
  table      = "{{ AWS_DYNAMODB_TABLE }}"
}
api_addr                = "http://0.0.0.0:8200"
max_lease_ttl           = "24h"
default_lease_ttl       = "24h"
cluster_name            = "vault"
raw_storage_endpoint    = true
disable_sealwrap        = true
disable_printable_check = true
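The listener above is where most of the risk in this setup sits: tls_disable = 1 on 0.0.0.0 and an http:// api_addr mean tokens and secrets cross the network in cleartext. The following is an added example, not code from the post or from HashiCorp: a small Python linter for the subset of HCL that Vault configs use (top-level key = value plus one level of blocks). It flags the weak settings in the post's config.hcl and shows a hardened variant beside it. The hardened config uses hypothetical certificate paths and a hypothetical api_addr hostname; the AWS placeholders are kept from the post.

```python
import re

# The post's config.hcl, embedded here as sample input (placeholders kept).
RISKY_CONFIG = """
disable_cache = true
disable_mlock = true
ui = true
listener "tcp" {
   address          = "0.0.0.0:8200"
   tls_disable      = 1
}
storage "dynamodb" {
  ha_enabled = "true"
  region     = "{{ AWS_REGION }}"
  table      = "{{ AWS_DYNAMODB_TABLE }}"
}
api_addr         = "http://0.0.0.0:8200"
max_lease_ttl         = "24h"
default_lease_ttl    = "24h"
cluster_name         = "vault"
raw_storage_endpoint     = true
disable_sealwrap     = true
disable_printable_check = true
"""

# Hardened variant: TLS on the listener, an https:// api_addr that clients can
# actually reach, and mlock left at its default. Paths and hostname are hypothetical.
HARDENED_CONFIG = """
ui = true
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_disable   = 0
  tls_cert_file = "/opt/vault/tls/vault.crt"   # hypothetical path
  tls_key_file  = "/opt/vault/tls/vault.key"   # hypothetical path
}
storage "dynamodb" {
  ha_enabled = "true"
  region     = "{{ AWS_REGION }}"
  table      = "{{ AWS_DYNAMODB_TABLE }}"
}
api_addr          = "https://vault.example.com:8200"
max_lease_ttl     = "24h"
default_lease_ttl = "24h"
cluster_name      = "vault"
"""

_KV = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*(#.*)?$')
_BLOCK = re.compile(r'^\s*([A-Za-z_]+)\s+"([^"]+)"\s*\{\s*$')


def _value(raw):
    """Normalise an HCL scalar: strip quotes, map true/1 and false/0 to bools."""
    raw = raw.strip().strip('"')
    if raw.lower() in ("true", "1"):
        return True
    if raw.lower() in ("false", "0"):
        return False
    return raw


def parse_config(text):
    """Parse top-level key = value pairs and single-level blocks such as
    listener "tcp" { ... }. Returns (top_level_dict, list_of_blocks)."""
    top, blocks, current = {}, [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if current is not None and stripped == "}":
            blocks.append(current)
            current = None
            continue
        m = _BLOCK.match(line)
        if m:
            current = {"type": m.group(1), "label": m.group(2), "attrs": {}}
            continue
        m = _KV.match(line)
        if m:
            target = current["attrs"] if current is not None else top
            target[m.group(1)] = _value(m.group(2))
            continue
        raise ValueError(f"unparsed line: {line!r}")
    return top, blocks


def audit_config(text):
    """Return a list of human-readable findings for the weak settings."""
    top, blocks = parse_config(text)
    findings = []
    for b in blocks:
        if b["type"] != "listener":
            continue
        a = b["attrs"]
        if a.get("tls_disable") is True:
            findings.append("listener: tls_disable=1, tokens and secrets travel in cleartext")
            if str(a.get("address", "")).startswith("0.0.0.0"):
                findings.append("listener: plaintext listener bound to all interfaces")
        elif not (a.get("tls_cert_file") and a.get("tls_key_file")):
            findings.append("listener: TLS enabled but tls_cert_file/tls_key_file missing")
    api = str(top.get("api_addr", ""))
    if api.startswith("http://"):
        findings.append("api_addr: uses http://, HA redirects send clients to a plaintext URL")
    if "0.0.0.0" in api:
        findings.append("api_addr: 0.0.0.0 is not an address clients or peers can reach")
    if top.get("disable_mlock") is True:
        findings.append("disable_mlock=true: Vault memory may be swapped to disk")
    return findings


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "no findings")
```

The checker is deliberately narrow: it only understands the flat key/value and one-level block shape that Vault's own config uses, so it will raise on anything more exotic rather than silently skipping it.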

Alternatively, the AWS key credentials can go into the systemd unit /etc/systemd/system/vault.service:

[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/opt/vault/config.hcl

[Service]
User=vault
Group=vault
Environment="AWS_ACCESS_KEY_ID={{ AWS_ACCESS_KEY_ID }}"
Environment="AWS_SECRET_ACCESS_KEY={{ AWS_SECRET_ACCESS_KEY }}"
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/opt/vault/vault server -config=/opt/vault/config.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitBurst=3

[Install]
WantedBy=multi-user.target

Start the Vault daemon:

systemctl start vault

Configure the local client for an HTTP connection:

export VAULT_ADDR='http://127.0.0.1:8200'

Initialize Vault, which creates the unseal keys:

./vault operator init

Pay attention to HTTPS: it is an important requirement for a secure connection between your client and Vault.

We used my domain's wildcard SSL certificate. Free options are also available: Cloudflare or Let's Encrypt.

Initial flow

export VAULT_ADDR='http://127.0.0.1:8200'
./vault operator init

Unseal Key 1: x1
Unseal Key 2: x2
Unseal Key 3: x3
Unseal Key 4: x4
Unseal Key 5: x5

Initial Root Token: blablabla

./vault operator unseal    # run once per key until the unseal threshold (3 of the 5 keys by default) is met
./vault login

./vault auth enable approle
./vault auth enable userpass
./vault secrets enable transit

./vault secrets enable -path=secret kv-v2

touch /var/log/vault_audit.log
chown vault:vault /var/log/vault_audit.log
./vault audit enable file file_path=/var/log/vault_audit.log

./vault policy write prod_kv prod.hcl
./vault token create -no-default-policy -policy=prod_kv
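Enabling the file audit device is only useful if someone reads the log. The following is an added example, not code from the post or from HashiCorp: a Python detector that walks the JSON-lines audit log that `vault audit enable file` produces and raises three kinds of findings a defender would want after this bootstrap: use of a root-policy token from anywhere other than the bootstrap host (the initial root token should not stay in circulation once the prod_kv token exists), changes to control-plane paths under sys/ (policies, audit devices, auth and secret mounts), and repeated permission-denied responses from one remote address. The sample log lines are constructed for this example; they follow the field layout of Vault's audit entries (auth, request, error) but every value in them is invented. The bootstrap host list and the denial threshold are assumptions you would tune.

```python
import json
from collections import Counter

# Constructed sample audit log: one JSON object per line, as the file audit
# device writes it. Field names follow Vault's layout; all values are invented.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2019-05-01T10:00:00Z", "type": "request",
     "auth": {"display_name": "root", "policies": ["root"], "token_type": "service"},
     "request": {"operation": "update", "path": "sys/policy/prod_kv", "remote_address": "127.0.0.1"}},
    {"time": "2019-05-01T10:05:00Z", "type": "request",
     "auth": {"display_name": "token", "policies": ["prod_kv"], "token_type": "service"},
     "request": {"operation": "read", "path": "secret/data/prod/db", "remote_address": "10.0.1.12"}},
] + [
    {"time": f"2019-05-01T11:0{i}:00Z", "type": "response",
     "auth": {"display_name": "token", "policies": ["prod_kv"], "token_type": "service"},
     "request": {"operation": "read", "path": "secret/data/staging/db", "remote_address": "203.0.113.7"},
     "error": "1 error occurred:\n\t* permission denied\n\n"}
    for i in range(3)
] + [
    {"time": "2019-05-01T11:30:00Z", "type": "request",
     "auth": {"display_name": "root", "policies": ["root"], "token_type": "service"},
     "request": {"operation": "delete", "path": "sys/audit/file", "remote_address": "203.0.113.7"}},
])

# Paths whose modification changes who can do what, or whether it is recorded.
SENSITIVE_PREFIXES = ("sys/policy", "sys/policies", "sys/audit", "sys/auth", "sys/mounts")
DENIED_THRESHOLD = 3          # assumption: tune to your traffic
BOOTSTRAP_HOSTS = ("127.0.0.1",)   # assumption: where the initial setup was run


def parse_audit_log(text):
    """Parse JSON-lines audit output into a list of event dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, bootstrap_hosts=BOOTSTRAP_HOSTS, denied_threshold=DENIED_THRESHOLD):
    """Return (kind, remote_address, detail) tuples for suspicious activity."""
    findings = []
    denied = Counter()
    for e in events:
        auth = e.get("auth") or {}
        req = e.get("request") or {}
        path = req.get("path", "")
        op = req.get("operation", "")
        addr = req.get("remote_address", "?")
        # Count denials on response entries only, so request/response pairs are not double counted.
        if e.get("type") == "response" and "permission denied" in (e.get("error") or ""):
            denied[addr] += 1
        # Root policy in use from somewhere other than the bootstrap host.
        if "root" in auth.get("policies", []) and addr not in bootstrap_hosts:
            findings.append(("root_token_use", addr, path))
        # Successful-looking writes or deletes against control-plane paths.
        if (e.get("type") == "request" and not e.get("error")
                and op in ("update", "delete") and path.startswith(SENSITIVE_PREFIXES)):
            findings.append(("control_plane_change", addr, f"{op} {path}"))
    for addr, n in denied.items():
        if n >= denied_threshold:
            findings.append(("repeated_denials", addr, f"{n} permission denied"))
    return findings


if __name__ == "__main__":
    for kind, addr, detail in detect(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{kind:22} {addr:15} {detail}")
```

Audit entries hash the token itself with HMAC, so the detector keys on the policies and remote address instead; that is enough to spot a root token being used from an unexpected host, or an audit device being removed, which is the first thing to look for when an entry like the last sample line appears.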
