Hashicorp Vault deployment in Dev-mode (env) Overview & Hands-On.

An Overview of Hashicorp Vault.

Focus:

• Tailored for SRE, DevOps, Cloud, and DevSecOps Engineers

Breakdown:

• Intro,
• Functionality,
• Core Components,
• Link to official documentation,
• Key Features of HashiCorp Vault,
• Vault Authentication Methods,
• Vault Secret Engines,
• Deployment Options,
• Common Use Cases
• Project-Hands-On.

Intro:

• Hashicorp Vault is a tool for managing secrets and sensitive data.
• Hashicorp Vault provides a unified interface to store, manage,  tightly control access to things like API keys, passwords, certificates, and encryption keys.

• HashiCorp Vault is therefore a powerful tool for securely storing, managing, and accessing secrets like API keys, passwords, certificates, and encryption keys. 

• Hashicorp Vault provides centralized secret management with access control, auditing, and dynamic secrets capabilities.

 Functionality

Secrets Management:

•  Vault stores sensitive data in a secure, highly available, and environment-agnostic manner, encrypting data both at rest and in transit.

Dynamic Secrets:

•  It can generate on-demand credentials for various platforms, such as AWS, Google Cloud Platform, and databases, with a limited time-to-live (TTL) and automatic rotation.

Identity-Based Access:

•  Vault integrates with trusted identities (like Kubernetes service accounts, LDAP, or cloud provider identities) to automate access to secrets based on defined policies.

Data Encryption:

•  Applications can use Vault to encrypt data without having to handle the encryption keys themselves, a service offered via the Transit secret engine.

Auditing:

•  A detailed audit log tracks who accessed what and when, ensuring accountability and compliance.

Access Methods:

•  Users and applications can interact with Vault through a command-line interface (CLI), a web UI, or an HTTP API.

Core Components

Authentication Methods:

•  Determines how users or machines log in and prove their identity (e.g., username/password, tokens, Kubernetes auth).

Policies:

•  Define access control lists (ACLs) that dictate what a user or machine can access within Vault.

Secrets Engines: 

• These are components for managing, storing, or generating secrets.

Storage Backend:

•  Vault uses a storage backend (such as Consul, PostgreSQL, or Azure Storage) to store its encrypted data.

Link to official documentation:

https://developer.hashicorp.com/terraform/docs

Key Features of HashiCorp Vault

1. Secret Storage – Securely stores secrets using encryption.
2. Access Control – Uses policies to control who can access secrets.
3. Dynamic Secrets – Generates temporary credentials on demand (e.g., AWS, databases).
4. Data Encryption – Encrypts sensitive data without storing it.
5. Audit Logging – Tracks access and modifications for security and compliance.
6. Auto-Unseal – Uses cloud-based Key Management Systems (KMS) for unsealing.
7. Replication – Supports disaster recovery (DR) and performance replication.

Vault Authentication Methods

• Token-based Authentication (default)
• Cloud Auth (AWS, GCP, Azure, Kubernetes, etc.)
• Username & Password
• AppRole Authentication (recommended for automation)
• OIDC & LDAP (for integrating with corporate identity providers)

Vault Secret Engines

• Key/Value (KV) – Stores static secrets.
• AWS Secrets – Generates AWS IAM credentials dynamically.
• Database Secrets – Creates short-lived DB credentials.
• PKI – Issues and manages SSL/TLS certificates.
• Transit – Encrypts and decrypts data at rest.
• SSH – Manages SSH credentials dynamically.

Deployment Options

• Self-Hosted (on-prem or cloud)
• Managed Services (HashiCorp Cloud Platform - HCP)
• Integrated Storage (Raft) – Built-in storage backend.

Common Use Cases

• Secure CI/CD Pipelines – Inject secrets into DevOps workflows.
• Multi-Cloud Security – Manage secrets across AWS, Azure, GCP.
• Zero Trust Security – Enforce least privilege with dynamic secrets.
• Data Protection – Encrypt sensitive application data.

Project-Hands-On: 

How twtech setup HashiCorp Vault in Dev-mode, and integrate vault into cloud/DevOps workflow.

Scope:

Step-by-step guide 

 Step-1:

• Install HashiCorp Vault
• HashiCorp Vault can be installed on Linux, macOS, and Windows systems. 
• twtech uses a scripts to boostrap Hashicorp Vault on Linux-ubuntu

#!/bin/bash
# Switch to root user
sudo -i
# set hostname to Hashicorp-vault
sudo hostnamectl set-hostname Hashicorp-vault
# Step 1 - Add PGP for the package signing key. 
sudo apt update -y 
sudo apt install gpg
# Step 2 - Add the HashiCorp GPG key.
wget O https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg 
# Step 3 - Verify the key's fingerprint. 
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint 
# Step 4 - Add the official HashiCorp Linux repository. 
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] \

https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list

# Step 5 -  install vault. 
sudo snap install vault --classic
# verify vault
# vault --version

 Step-2:
twech Starts  Hashicorp Vault in the dev mode: with the following command.
vault server -dev
 Step-3:
Login to same server:  from another terminal  (do not close the started server...it is running)

 Step-4:
twtech Sets Environmental Variables for Vault
export VAULT_ADDR='http://127.0.0.1:8200' export  VAULT_TOKEN='hvs.xyxyxyxyxyxyxyx'
 Step-5:
twtech Verifies the status of  the Vault.
vault status

 Step-6:

• twtech Enables (creates) and Configure Secrets Engines.
• Vault uses Secrets Engines to store secrets. The most common is Key/Value (KV).
•  twtech Enables (creates) KV Secrets Engine (path to the secret)

vault secrets enable -path=twtech kv

 Step-7: 

•  twtech Writes (Stores)  Secrets

vault kv put twtech/path username=admin password=twtechSuperSecret@123

 Step-8:

•  twtech Reads (Retrieves)  Secrets

vault kv get twtech/path

Step-9:
twtech Reads Secrets in JSON Format
vault kv get -format=json twtech/path

Step-10:

•  twtech Lists All Secrets in Vault

vault secrets list 

Double-click on the image to zoom-out ...Larger.
To return to Home page: Refresh Page or Take ESC  Button on Keyboard.

Step-11: 

• twtech Deletes unwanted Secrets in Vault
• Soft Delete a Secret (KV )...Secret can still be recovered.

vault kv delete twtech/path

Step-12:

•  twtech Permanently Delete a Secret Version

vault kv destroy -versions=1 twtech/path

Step-13:

 twtech Permanently Delete All Versions of a Secret

 vault kv metadata delete twtech/path

Step-14:

 twtech Verifies that a Secret version is  Deleted

After deletion, check if the secret exists:
vault kv get  twtech/path
If it returns an error, the secret is gone.

OR:
vault kv get -format=json twtech/path

Step-15:

 twtech enables AWS and other Cloud Secrets Engines:
NB:
Hashicorp vault is a great integration Solution to AWS Cloud and other Cloud providers.
Hashicorp Vault is Cloud-agnostic (integrates with many Cloud Providers to manage Secrets).
It has the ability to get secrets from these providers and manage them, just like any other \
Custom-made key value(kv…twtech/path)and Custom-made secrets
(username=admin password=twtechSuperSecret@123)created within the hashicorp vault
How the Secret Engine Architecture is structured:
Vault Engine Components:
AWS, Other Cloud Providers,
KV(secrets)
Databases,
Policies,
Authentication method,
Clients (Human fetch & Match fetch)
Token: ' xyxyxyxyxyxyxxxx'

Step-16:

twtech Enables (creates) aws secret engine path:
vault secrets enable -path=aws aws

Step-17:

 twtech Verifies that the path to aws secrets engine is enabled (created)
vault secrets list

Step-18:

Enable (create) azure secret engine path:
vault secrets enable -path=azure azure

Step-19:

erify that the path to azure secrets engine is created:
vault secrets list

Step-20:

 twtech Disables unwanted Secrets Engine:
vault secrets disable  aws
vault secrets disable  twtech 
vault secrets disable  azure

Step-21:

twtech verifies that the path to azure Unwanted secrets engine is successfully disabled.
vault secrets list

Step-22:

•  twtech lists the default secrets engines in HashiCorp Vault.

vault secrets list

twtech-Explanation:

• This command lists all the enabled secrets engines in Vault, including the default ones.
• By default, Vault comes with built-in secrets engines such as:
• secret/ (KV secrets engine - v1 or v2)
• cubbyhole/
• identity/
• sys/
• auth/

Step-23:

• twtech gets detailed output & metadata of a secrets

vault secrets list -detailed

Step-24:

• twtech integrates the aws credentials (aws-access token) to the path of aws vault Engine (account-authentication).

vault write aws/config/root access_key=<twtech access key> secret_key=<twtech secret access key> region=us-east-2

OR:

vault write aws/config/root \

access_key=xxxxxxxxxxxxxxx \

secret_key=yyyyyyyyyyyyyyyyyyyyyyyyy \

region=us-east-2

Step-25:

• twtech Sets roles and use them to generate dynamic secrets.

# twtech-ec2-role.sh

vault write aws/roles/twtech-ec2-role credential_type=iam_user policy_document=-<<EOF 

{ 

  "Version": "2012-10-17",  

  "Statement": [ 

{ 

        "Sid": "Stmt1426528957000", 

        "Effect": "Allow",

        "Action": [ 

        "ec2:*"

    ], 

   "Resource": [

       "*"

     ] 

   }

  ]

}

EOF

Step-26:

•  twtech reads  Dynamic Secrets generated from roles.

vault read aws/creds/twtech-ec2-role

Step-27:

• twtech may Revoke (destroy) any secrets no longer needed.

vault lease revoke <lease_id>

vault lease revoke aws/creds/twtech-ec2-role/asqCxdNh0NEsjfMiCAnRM0i

Token Authentication:

Policy format,

Write policy,

Test policy,

Auth Method and Policy.

twtech-insights:   HashiCorp vault policy ( Read , Write , Update … defines access or permissions levels)

Step-28:

• twtech create Policies : 
• Specifying the name, path & permissions of the policies:

#twtech-policy.hcl

vault policy write twtech-policy - << EOF

path "secret/data/*" {

path "sys/*" {

capabilities = ["create", "read", "update", "delete", "list"]
}

    capabilities = ["create", "read", "update", "delete", "list"]

}

path "secret/data/devsecops-patpat" {

   capabilities = ["create", "read", "update", "delete", "list"]

 }

path "secret/data/engineer-foncha" {

   capabilities = ["read"]

 }

path "secret/data/engineer-abunga" {

   capabilities = ["read"]

 }

EOF

Step-29:

• twtech Lists exiting polices in Vault:  already created.

vault policy list

NB

• twtech sometimes Create policies by running  (scripts script format must end with format .hcl)
• twtech runs command directly on the terminal.

Step-30:

• twtech Verifies that policy is created: twtech-policy

vault policy list

Step-31:

• twtech reads the content of a policies: Read Vault policy details. 

 vault policy read twtech-policy

Step-32:

• twtech Reads the content of the default policy.

vault policy read default

Step-33:

• twtech deletes any unwanted policies in Vault.

vault policy delete <policyName>

vault policy delete twtech-policy

•  What is Policy format ( .hcl)
•  How twtech apply policy (respect PoLP)

Step-34:

• twtech associates user-root-token to policy: Role-binding.

user-root-Token + policy: Root Token: hvs.HXPMtOLVYwwlJERaHIViNxxx (gives access to the Hashicorp vault) attach token to the policy:

Step-35:

•  twtech  creates and attach token to policies.

 export VAULT_TOKEN="$(vault token create -field token -policy=twtech-policy)"

Step-36:

• twtech writes secrets and mount them to policies.

vault kv put -mount=secret twtech-ssh-creds password="devseczzzpspat" 

From:

To:

Step-37:

• twech verifies that users (twtech-pat & others ) are able to use their assigned roles (capabilities by writing a secret). 

vault kv put -mount=secret twtech-pat  github-pat="sidooapeiopd525466664"

Step-38:

•  twtech Troubleshoots  policies that prevents the Creation (writing) of  secrets:
• ( Because the right permissions were not assigned) 
• The path to the secrete was limited to... Read-only access

vault kv put -mount=secret engineer-foncha twtech-pat="sidooapeiopd525466664"

Step-39:

• twtech uses Auth methods and policies for external authenticafication:
• Like gitHub, docker hub, and many more.
• First,  List  existing Auth methods:

vault auth list

• permission denied:

Step-40:

• twtech troubleshoots permission denial.
• when trying to list vault auth methods.

Steps

A. Verify Vault Status

• Check if the Vault server is running and unsealed:

vault status

• If it’s sealed, unseal it using the appropriate unseal keys.

B. Verify that twtech-users Are Authenticated

vault token lookup

•  For twtech-user to troubleshoot, the must be authenticated. 
• They need to log in appropriately as shown below. 
• (safely without displaying the root-token) 

Token when pasted is not visible. 

vault login

Token (will be hidden): hvs.IqonxNiCM92qtbabPK6eIxxx 

C. Use Root Token (if necessary) If twtech has the initial root token, try it.

export VAULT_TOKEN=<your-root-token> vault auth list 

• If it works with the root token, it confirms  that there is a permission issue with the current token.

C. list vault policies: 

vault policy list

Step-41:

• twtech Lists all auth methods in vault

vault auth list

NB:

• With all the above troubleshooting steps, twtech Successfully list the auth methods again in the Hashicorp vault:

Step-42:

•  twtech enables (creates) approle & other auth methods.

vault auth  enable approle 

Step-43:

• twtech Verifies auth methods created.

vault auth list

Step-44:

• twtech lists existing policies:

vault policy list

Step-45:

•  twtech associates the auth methods (approle) with  policies (twtech-policy)

vault write auth/approle/role/twtech-role secret_id_ttl=10m token_num_uses=10 token_ttl=20m token_max_ttl=30m  secret_id_num_uses=40 token_policies=twtech-policy

# OR

vault write auth/approle/role/twtech-role \

secret_id_ttl=10m \

token_num_uses=10 \

token_ttl=20m \

token_max_ttl=30m \

secret_id_num_uses=40 \

token_policies=twtech-policy

Step-46:

•  twtech Generates and Export Role ID
• For external authentication, the username and password is always needed for authentication.

export ROLE_ID="$(vault read -field=role_id auth/approle/role/twtech-role/role-id)"

Step-47:

• twtech Generate and Export Secret ID

export SECRET_ID="$(vault write -f -field=secret_id auth/approle/role/twtech-role/secret-id)"

Step-48:

• twtech writes configuration using role id & Secret id:

vault write auth/approle/login role_id="$ROLE_ID " secret_id="$SECRET_ID "

Step-49:

•  twtech authenticates twtech-users into the Hashicorp Environment:
• UserNames and Passwords are replaced with individual Pat-token(personal access token) to grant them safe access into the Hashicorp vault:
• concept of root token .
• The root token is a string of characters needed for login into the Hashicorp Vault.
• twtech gets the initial root-token.
• when the vault is started it the development mode (environment), a root token is generated. 

twtech Recommendation:

• Always copy the root-token and save it on the note-path , because it would be use severally for authentication purposes

Step-50:

• twtech performs vault login using the root token:

vault login

• Token (will be hidden):

Step-51:

• twtech generates a new token if the initial root-token is lost.

vault token create

Step-52:

• twtech verifies that the generated token is valid for login. 

vault login

• Token (will be hidden):

Step-53:

• twtech revokes (destroy or delete ) unwanted root tokens.
• List all vault tokens:

vault list auth/token/accessors

• Revoke (destroy or delete ) unwanted root tokens & try to login with the token revoked. 
• it should give an error missage while trying to login, because token has been destroyed.

vault token revoke <Token>

Step-54:

• twtech authenticates GitHub in hashicorp Vault,
• Prerequisite: ( GUI) or User Interface(UI),
• Generate github-pat (personal access token)
• Create an organization in GitHub
• Create teams in that organization in GitHub

UI:

• Create a team with the organization: (Think-with-Tech)

Step-55:

• twtech creates same organizations and same teams in Hashicorp vault .
• Using the command line interface (CLI)
• first, Verify that the authentication auth methods for gitHub is enabled(created):

vault auth list

Step-56:

• twtech enables (create)  github auth method:

vault auth enable github

Step-57:

• twtech Verifies that github auth method is enabled (created) 

vault auth list

Step-58:

• twtech creates GitHub Organizations with CLI in vault.

vault write auth/github/config organization=Think-with-Tech

Step-59:

•  twtech create GitHub Teams with CLI in vault.

vault write auth/github/map/teams/twtech-dev-team  values=default,application

Step-60:

•  twtech login to vault using the github authentication method. GitHub-PAT is needed.

vault login -method=github

• GitHub Personal Access Token (will be hidden)

Step-61:

• twtech revokes (delete) authentication from vault.

vault token revoke -mode path auth/github 

Step-62:

• twtech disables authentication in vault auth.

vault auth disable github

Step-63:

• twtech verifies that authentication has been revoked:

vault auth list

• Hashicorp Vault UI: