Monday, March 31, 2025

Hashicorp Vault and Secrets Management. Step-by-step deployment of HashiCorp Vault: dev-mode (env).



HashiCorp Vault is a powerful tool for securely storing, managing, and accessing secrets like API keys, passwords, certificates, and encryption keys. 

It provides centralized secret management with access control, auditing, and dynamic secrets capabilities.

Key Features of HashiCorp Vault

  1. Secret Storage – Securely stores secrets using encryption.
  2. Access Control – Uses policies to control who can access secrets.
  3. Dynamic Secrets – Generates temporary credentials on demand (e.g., AWS, databases).
  4. Data Encryption – Encrypts sensitive data without storing it.
  5. Audit Logging – Tracks access and modifications for security and compliance.
  6. Auto-Unseal – Uses cloud-based Key Management Systems (KMS) for unsealing.
  7. Replication – Supports disaster recovery (DR) and performance replication.

Vault Authentication Methods

  • Token-based Authentication (default)
  • Cloud Auth (AWS, GCP, Azure, Kubernetes, etc.)
  • Username & Password
  • AppRole Authentication (recommended for automation)
  • OIDC & LDAP (for integrating with corporate identity providers)

Vault Secret Engines

  • Key/Value (KV) – Stores static secrets.
  • AWS Secrets – Generates AWS IAM credentials dynamically.
  • Database Secrets – Creates short-lived DB credentials.
  • PKI – Issues and manages SSL/TLS certificates.
  • Transit – Encrypts and decrypts data at rest.
  • SSH – Manages SSH credentials dynamically.

Deployment Options

  • Self-Hosted (on-prem or cloud)
  • Managed Services (HashiCorp Cloud Platform - HCP)
  • Integrated Storage (Raft) – Built-in storage backend.

Common Use Cases

  • Secure CI/CD Pipelines – Inject secrets into DevOps workflows.
  • Multi-Cloud Security – Manage secrets across AWS, Azure, GCP.
  • Zero Trust Security – Enforce least privilege with dynamic secrets.
  • Data Protection – Encrypt sensitive application data.
Scope:

Project ONE (Demo)

twtech full guide on setting up HashiCorp Vault and integrating Vault into a cloud/DevOps workflow, step by step.

Install HashiCorp Vault

HashiCorp Vault can be installed on Linux, macOS, and Windows systems.

How twtech uses a script to bootstrap HashiCorp Vault on Ubuntu Linux:

#!/bin/bash
# Bootstrap HashiCorp Vault on Ubuntu. Run as a user with sudo rights;
# every privileged command calls sudo itself, so no interactive "sudo -i" is needed.
set -euo pipefail
# Set the hostname to Hashicorp-vault
sudo hostnamectl set-hostname Hashicorp-vault
# Step 1 - Install gpg (and the tools used below) so the package signing key can be verified.
sudo apt update -y
sudo apt install -y gpg wget lsb-release
# Step 2 - Download the HashiCorp GPG key and store it in a dedicated keyring (wget -O- writes to stdout).
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
# Step 3 - Show the key's fingerprint so it can be compared with the one HashiCorp publishes.
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
# Step 4 - Add the official HashiCorp Linux repository, pinned to the keyring above.
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
# Step 5 - Install Vault from the signed repository that was just added.
sudo apt update -y
sudo apt install -y vault
# Verify the installation
vault --version

How twtech starts HashiCorp Vault in dev mode:

vault server -dev

Log in to the same server from another terminal (do not close the terminal where the server was started; it is still running).


How twtech sets the environment variables for Vault (the dev server prints the root token to use):

export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='hvs.xyxyxyxyxyxyxyx'

How twtech verifies the status of the Vault server.

vault status


1. How twtech enables (creates) and configures secrets engines

Vault uses secrets engines to store secrets. The most common is Key/Value (KV).

How twtech enables (creates) a KV secrets engine at a path of its own:

vault secrets enable -path=twtech kv

2. How twtech writes (stores) secrets

vault kv put twtech/path username=admin password=twtechSuperSecret@123

3. How twtech reads (retrieves) secrets

vault kv get twtech/path

How twtech Reads Secrets in JSON Format

vault kv get -format=json twtech/path

4. How twtech lists all secrets engines in Vault

vault secrets list 

5. How twtech deletes secrets in Vault

Soft-delete a secret (KV):

vault kv delete twtech/path

(The secret can still be recovered.)

How twtech permanently deletes a secret version:

vault kv destroy -versions=1 twtech/path

How twtech permanently deletes all versions of a secret (and its metadata):

vault kv metadata delete twtech/path

How twtech verifies that a secret version is deleted:

After deletion, check whether the secret still exists:

vault kv get twtech/path

If it returns an error, the secret is gone.


OR:

vault kv get -format=json twtech/path
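A soft-deleted KV v2 version can still answer vault kv get with its metadata (data empty, deletion_time set) rather than a hard error, so a script that checks the JSON output should look at the metadata. The classifier below is an added example, not part of the original post; it assumes that -format=json wraps the KV v2 response as {"data": {"data": ..., "metadata": ...}}, and the three sample documents are constructed for the example.

```python
import json

def classify_kv_version(cli_json: str) -> str:
    """Return 'live', 'soft-deleted' or 'destroyed' for one KV v2 version."""
    meta = json.loads(cli_json)["data"]["metadata"]
    if meta.get("destroyed"):
        return "destroyed"      # after vault kv destroy: data unrecoverable, metadata kept
    if meta.get("deletion_time"):
        return "soft-deleted"   # after vault kv delete: recoverable with vault kv undelete
    return "live"

def secret_fields(cli_json: str) -> dict:
    """Key/value pairs of the version, or {} once the data has been deleted or destroyed."""
    data = json.loads(cli_json)["data"].get("data")
    return dict(data) if data else {}

def _sample(data, deletion_time, destroyed):
    # Constructed CLI-style document; the request_id is a placeholder, not a real one.
    return json.dumps({
        "request_id": "00000000-0000-0000-0000-000000000000",
        "lease_id": "", "lease_duration": 0, "renewable": False,
        "data": {
            "data": data,
            "metadata": {"created_time": "2025-03-31T10:00:00.000000Z",
                         "custom_metadata": None, "deletion_time": deletion_time,
                         "destroyed": destroyed, "version": 1},
        },
        "warnings": None,
    })

# Constructed samples for the three states of version 1 of twtech/path
LIVE = _sample({"username": "admin", "password": "twtechSuperSecret@123"}, "", False)
SOFT_DELETED = _sample(None, "2025-03-31T10:05:00.000000Z", False)  # after vault kv delete
DESTROYED = _sample(None, "", True)                                   # after vault kv destroy -versions=1

if __name__ == "__main__":
    for label, doc in (("live", LIVE), ("soft-deleted", SOFT_DELETED), ("destroyed", DESTROYED)):
        print(f"{label:>12}: {classify_kv_version(doc)} fields={secret_fields(doc)}")
```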

6. How twtech enables AWS and other cloud secrets engines:

HashiCorp Vault is a strong integration solution for AWS and other cloud providers.

HashiCorp Vault is cloud-agnostic: it integrates with many cloud providers to manage secrets.

It can obtain secrets from these providers and manage them just like any custom key/value path (kv ... twtech/path) and custom secrets (username=admin password=twtechSuperSecret@123) created inside HashiCorp Vault.

How the secrets engine architecture is structured:

Vault engine components:

  • AWS and other cloud providers
  • KV (secrets)
  • Databases
  • Policies
  • Authentication methods
  • Clients (human fetch and machine fetch)
  • Token: 'xyxyxyxyxyxyxxxx'

7. How twtech Enables (creates) aws secret engine path:

vault secrets enable -path=aws aws


8. How twtech Verifies that the path to aws secrets engine is enabled (created)

vault secrets list

Enable (create) azure secret engine path:

vault secrets enable -path=azure azure

Verify that the path to azure secrets engine is created:

vault secrets list

9. How twtech disables a secrets engine:

vault secrets disable aws

vault secrets disable twtech

vault secrets disable azure

How twtech verifies that the azure secrets engine path is disabled.

vault secrets list

How twtech lists the default secrets engines in HashiCorp Vault.

vault secrets list

Explanation:

  • This command lists all the enabled secrets engines in Vault, including the default ones.
  • By default, Vault comes with built-in secrets engines such as:
    • secret/ (KV secrets engine - v1 or v2)
    • cubbyhole/
    • identity/
    • sys/
    • auth/

10. How twtech gets detailed output and metadata for the secrets engines

vault secrets list -detailed

11. How twtech integrates the AWS credentials (access key and secret key) into the aws secrets engine path (account authentication).

vault write aws/config/root access_key=<twtech access key> secret_key=<twtech secret access key> region=us-east-2

OR:

vault write aws/config/root \
  access_key=xxxxxxxxxxxxxxx \
  secret_key=yyyyyyyyyyyyyyyyyyyyyyyyy \
  region=us-east-2

12. How twtech sets up roles and uses them to generate dynamic secrets.

# twtech-ec2-role.sh
# The IAM policy document is passed on stdin via the heredoc ("policy_document=-").

vault write aws/roles/twtech-ec2-role credential_type=iam_user policy_document=-<<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1426528957000",
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
EOF

13. How twtech reads the dynamic secrets generated from the role.

vault read aws/creds/twtech-ec2-role

14. How twtech revokes (destroys) any secrets no longer needed.

vault lease revoke <lease_id>

vault lease revoke aws/creds/twtech-ec2-role/asqCxdNh0NEsjfMiCAnRM0i


Token authentication: policy format, writing a policy, testing a policy, and the auth method plus policy.

twtech-insights: a HashiCorp Vault policy (read, write, update, ...) defines access or permission levels.

15. How twtech creates policies:

Specify the name, paths and capabilities of the policy (Vault applies the most specific matching path, so the engineer paths below stay read-only even though secret/data/* grants everything):

# twtech-policy.hcl

vault policy write twtech-policy - <<EOF
path "secret/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "sys/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/data/devsecops-patpat" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/data/engineer-foncha" {
  capabilities = ["read"]
}

path "secret/data/engineer-abunga" {
  capabilities = ["read"]
}
EOF

16. How twtech lists the existing policies in Vault (already created):

vault policy list

twtech sometimes creates policies by running scripts; a policy file must end with .hcl. Otherwise twtech runs the command directly on the terminal.

How twtech verifies that the policy twtech-policy is created:

vault policy list

17. How twtech reads the content of a policy (read Vault policy details).

 vault policy read twtech-policy

How twtech Reads the content of the default policy.

vault policy read default

18. How twtech deletes any unwanted policies in Vault.

vault policy delete <policyName>

vault policy delete twtech-policy

Policy format (.hcl) and how twtech applies a policy (principle of least privilege, PoLP):

19. How twtech associates the root token with a policy (role binding).

Root token + policy: the root token (hvs.HXPMtOLVYwwlJERaHIViNxxx) gives access to HashiCorp Vault; attach a token to the policy as follows:

20. How twtech creates a token and attaches it to a policy.

export VAULT_TOKEN="$(vault token create -field token -policy=twtech-policy)"

21. How twtech writes secrets under a path governed by the policy.

vault kv put -mount=secret twtech-ssh-creds password="devseczzzpspat"
22. How twtech verifies that users (twtech-pat and others) are able to use their assigned roles and capabilities by writing a secret.

vault kv put -mount=secret twtech-pat github-pat="sidooapeiopd525466664"

23. How twtech troubleshoots a policy that prevents the creation (writing) of secrets:

(Because the right permissions were not assigned: the path to the secret was limited to read-only access.)

vault kv put -mount=secret engineer-foncha twtech-pat="sidooapeiopd525466664"
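To predict the outcome of steps 15 and 23 without a running server, the added example below (not part of the original post) models how Vault picks the rule that governs a request: an exact path match wins over any glob, among globs the longest prefix wins, and a deny capability overrides everything. It assumes only exact paths and trailing-"*" globs (no "+" segments), and it parses the page's own twtech-policy text; kv put on a KV v2 mount is modelled as a write to <mount>/data/<name> needing create or update.

```python
import re

# The page's twtech-policy, trimmed to the rules that matter for this check
TWTECH_POLICY = """
path "secret/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/data/engineer-foncha" {
  capabilities = ["read"]
}
path "secret/data/engineer-abunga" {
  capabilities = ["read"]
}
"""

RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')

def parse_policy(hcl: str) -> list:
    """Turn each path block into a (path, [capabilities]) tuple."""
    return [(path, [c.strip().strip('"') for c in caps.split(",") if c.strip()])
            for path, caps in RULE_RE.findall(hcl)]

def governing_rule(rules: list, request_path: str):
    """Rule Vault applies: exact match first, otherwise the longest matching glob (assumed model)."""
    for path, caps in rules:
        if path == request_path:
            return (path, caps)
    globs = [(p, c) for p, c in rules if p.endswith("*") and request_path.startswith(p[:-1])]
    return max(globs, key=lambda r: len(r[0])) if globs else None

def is_allowed(rules: list, request_path: str, capability: str) -> bool:
    """True when the governing rule grants the capability and does not deny the path."""
    rule = governing_rule(rules, request_path)
    if rule is None or "deny" in rule[1]:
        return False
    return capability in rule[1]

def kv_put_allowed(rules: list, mount: str, name: str) -> bool:
    """vault kv put on a KV v2 mount writes to <mount>/data/<name> and needs create or update."""
    api_path = f"{mount}/data/{name}"
    return any(is_allowed(rules, api_path, cap) for cap in ("create", "update"))

if __name__ == "__main__":
    rules = parse_policy(TWTECH_POLICY)
    for name in ("twtech-pat", "engineer-foncha"):
        print(f"kv put -mount=secret {name}: {'allowed' if kv_put_allowed(rules, 'secret', name) else 'permission denied'}")
```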

24. How twtech uses auth methods and policies for external authentication:

For example GitHub, Docker Hub, and many more.

First, list the existing auth methods:

vault auth list

If the output is "permission denied", continue with the troubleshooting below.

25. How twtech troubleshoots a permission denial when trying to list Vault auth methods.

Steps

A. Verify Vault Status

Check if the Vault server is running and unsealed:

vault status

If it’s sealed, unseal it using the appropriate unseal keys.

B. Verify that the twtech user is authenticated

vault token lookup

The twtech user doing the troubleshooting must be authenticated. They need to log in as shown below (safely, without displaying the root token: the token is not echoed when pasted).

vault login

Token (will be hidden): hvs.IqonxNiCM92qtbabPK6eIxxx

C. Use the root token (if necessary). If the initial root token is available, try it:

export VAULT_TOKEN=<your-root-token>
vault auth list

If it works with the root token, that confirms a permission issue with the current token.

D. List the Vault policies:

vault policy list

26. How twtech Lists all auth methods in vault

vault auth list


With all the above steps, twtech successfully lists the auth methods in HashiCorp Vault.

27. How twtech enables (creates) the approle and other auth methods.

vault auth enable approle

28. How twtech verifies the auth methods created.

vault auth list


How twtech lists the existing policies:

vault policy list

29. How twtech associates the auth method (approle) with a policy (twtech-policy)

vault write auth/approle/role/twtech-role secret_id_ttl=10m token_num_uses=10 token_ttl=20m token_max_ttl=30m secret_id_num_uses=40 token_policies=twtech-policy

# OR

vault write auth/approle/role/twtech-role \
  secret_id_ttl=10m \
  token_num_uses=10 \
  token_ttl=20m \
  token_max_ttl=30m \
  secret_id_num_uses=40 \
  token_policies=twtech-policy

30. How twtech generates and exports the role ID

For external (AppRole) authentication, a role ID and a secret ID are always needed; they take the place of a username and password.

export ROLE_ID="$(vault read -field=role_id auth/approle/role/twtech-role/role-id)"

31. How twtech generates and exports the secret ID

export SECRET_ID="$(vault write -f -field=secret_id auth/approle/role/twtech-role/secret-id)"


32. How twtech logs in with the role ID and secret ID (no stray spaces inside the quotes, or the values will not match):

vault write auth/approle/login role_id="$ROLE_ID" secret_id="$SECRET_ID"

33. How twtech authenticates twtech users into the HashiCorp environment:

Usernames and passwords are replaced with individual PAT tokens (personal access tokens) to grant them safe access to HashiCorp Vault.

twtech concept of the root token:

The root token is a string of characters needed to log in to HashiCorp Vault.

34. How twtech gets the initial root token.

When Vault is started in development mode (environment), a root token is generated.

twtech recommendation:

Always copy the root token and save it in a notes file, because it will be used several times for authentication purposes.

35. How twtech performs a Vault login using the root token:

vault login

Token (will be hidden):

36. How twtech generates a new token if the initial root token is lost.

vault token create

37. How twtech verifies that the generated token is valid for login. 

vault login

Token (will be hidden):

38. How twtech revokes (destroys or deletes) unwanted root tokens.

List all Vault token accessors:

vault list auth/token/accessors

Revoke (destroy or delete) the unwanted token, then try to log in with the revoked token.

It should give an error message when trying to log in, because the token has been destroyed.

vault token revoke <Token>


39. How twtech authenticates GitHub in HashiCorp Vault:

Prerequisites (in the GitHub web UI):

  • Generate a GitHub PAT (personal access token)
  • Create an organization in GitHub
  • Create teams in that organization in GitHub

UI: create a team within the organization (Think-with-Tech).

40. How twtech creates the same organization and teams in HashiCorp Vault.

Using the command line interface (CLI):

First, verify whether the GitHub auth method is enabled (created):

vault auth list

41. How twtech enables (creates) the github auth method:

vault auth enable github

42. How twtech verifies that the github auth method is enabled (created)

vault auth list

43. How twtech configures the GitHub organization with the CLI in Vault.

vault write auth/github/config organization=Think-with-Tech

44. How twtech maps a GitHub team to policies with the CLI in Vault.

vault write auth/github/map/teams/twtech-dev-team  values=default,application

45. How twtech logs in to Vault using the GitHub auth method (a GitHub PAT is needed).

vault login -method=github

GitHub Personal Access Token (will be hidden)

46. How twtech revokes (deletes) the tokens issued through the GitHub authentication path.

vault token revoke -mode path auth/github 

47. How twtech disables the GitHub auth method in Vault.

vault auth disable github

48. How twtech verifies that the auth method has been revoked (disabled):

vault auth list


