Monday, March 31, 2025

HashiCorp Vault deployment in Dev mode (env): Overview & Hands-On.


An Overview of Hashicorp Vault.

Focus:

  • Tailored for SRE, DevOps, Cloud, and DevSecOps Engineers

Breakdown:

  • Intro,
  • Functionality,
  • Core Components,
  • Link to official documentation,
  • Key Features of HashiCorp Vault,
  • Vault Authentication Methods,
  • Vault Secret Engines,
  • Deployment Options,
  • Common Use Cases
  • Project-Hands-On.
Intro:
  • HashiCorp Vault is a tool for managing secrets and sensitive data.
  • It provides a unified interface to store, manage, and tightly control access to API keys, passwords, certificates, and encryption keys.

  • Vault provides centralized secret management with access control, auditing, and dynamic secrets (credentials generated on demand with a limited lifetime).

 Functionality
Secrets Management:
  •  Vault stores sensitive data in a secure, highly available, and environment-agnostic manner, encrypting data both at rest and in transit.
Dynamic Secrets:
  •  It can generate on-demand credentials for various platforms, such as AWS, Google Cloud Platform, and databases, with a limited time-to-live (TTL) and automatic rotation.
Identity-Based Access:
  •  Vault integrates with trusted identities (like Kubernetes service accounts, LDAP, or cloud provider identities) to automate access to secrets based on defined policies.
Data Encryption:
  •  Applications can use Vault to encrypt data without having to handle the encryption keys themselves, a service offered via the Transit secret engine.
Auditing:
  •  A detailed audit log tracks who accessed what and when, ensuring accountability and compliance.
Access Methods:
  •  Users and applications can interact with Vault through a command-line interface (CLI), a web UI, or an HTTP API.
Core Components
Authentication Methods:
  •  Determines how users or machines log in and prove their identity (e.g., username/password, tokens, Kubernetes auth).
Policies:
  •  Define access control lists (ACLs) that dictate what a user or machine can access within Vault.
Secrets Engines: 
  • These are components for managing, storing, or generating secrets.
Storage Backend:
  •  Vault uses a storage backend (Integrated Storage/Raft, Consul, PostgreSQL, Azure Storage, and others) to persist its data. The backend only ever sees ciphertext: everything is encrypted by Vault before it is written.
Link to official documentation:

https://developer.hashicorp.com/vault/docs




Key Features of HashiCorp Vault

  1. Secret Storage – Securely stores secrets using encryption.
  2. Access Control – Uses policies to control who can access secrets.
  3. Dynamic Secrets – Generates temporary credentials on demand (e.g., AWS, databases).
  4. Data Encryption – Encrypts sensitive data without storing it.
  5. Audit Logging – Tracks access and modifications for security and compliance.
  6. Auto-Unseal – Uses cloud-based Key Management Systems (KMS) for unsealing.
  7. Replication – Supports disaster recovery (DR) and performance replication.

Vault Authentication Methods

  • Token-based Authentication (default)
  • Cloud Auth (AWS, GCP, Azure, Kubernetes, etc.)
  • Username & Password
  • AppRole Authentication (recommended for automation)
  • OIDC & LDAP (for integrating with corporate identity providers)

Vault Secret Engines

  • Key/Value (KV) – Stores static secrets.
  • AWS Secrets – Generates AWS IAM credentials dynamically.
  • Database Secrets – Creates short-lived DB credentials.
  • PKI – Issues and manages SSL/TLS certificates.
  • Transit – Encryption as a service: encrypts, decrypts, signs and verifies data that applications send to it, without storing the data; the keys never leave Vault.
  • SSH – Manages SSH credentials dynamically.

Deployment Options

  • Self-Hosted (on-prem or cloud)
  • Managed Services (HashiCorp Cloud Platform - HCP)
  • Self-hosted with Integrated Storage (Raft) – the built-in storage backend, so no external Consul cluster is needed.

Common Use Cases

  • Secure CI/CD Pipelines – Inject secrets into DevOps workflows.
  • Multi-Cloud Security – Manage secrets across AWS, Azure, GCP.
  • Zero Trust Security – Enforce least privilege with dynamic secrets.
  • Data Protection – Encrypt sensitive application data.

Project-Hands-On: 

How twtech sets up HashiCorp Vault in Dev mode and integrates Vault into a cloud/DevOps workflow.

Scope:

Step-by-step guide 

 Step-1:

  • Install HashiCorp Vault
  • HashiCorp Vault can be installed on Linux, macOS, and Windows systems
  • twtech uses a script to bootstrap HashiCorp Vault on Ubuntu Linux

#!/bin/bash
# Bootstrap HashiCorp Vault on Ubuntu from the official apt repository.
# Run as a normal user with sudo rights. Do not put "sudo -i" in a script:
# it opens an interactive root shell and the remaining lines never run.
set -euo pipefail
# set hostname to Hashicorp-vault
sudo hostnamectl set-hostname Hashicorp-vault
# Step 1 - Install the tools needed to fetch and verify the package signing key.
sudo apt update -y
sudo apt install -y gpg wget lsb-release
# Step 2 - Add the HashiCorp GPG key ("wget -O-" writes the download to stdout).
wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg >/dev/null
# Step 3 - Verify the key's fingerprint. It must match the fingerprint HashiCorp publishes:
#   798A EC65 4E5C 1542 8C8E 42EE AA16 FCBC A621 E701
# If it differs, stop here: the repository signature cannot be trusted.
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
# Step 4 - Add the official HashiCorp Linux repository, pinned to the key above.
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] \
https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
# Step 5 - Install vault from that repository (a snap install would ignore the repo and key added above).
sudo apt update -y
sudo apt install -y vault
# verify vault
vault --version

 Step-2:

  • twtech starts HashiCorp Vault in dev mode with the following command.
  • Dev mode is for learning and testing only: the server starts unsealed, keeps everything in memory (all secrets are lost on restart), listens on plain HTTP, and prints the unseal key and the root token to the terminal. Never put real secrets in it.

vault server -dev

 Step-3:

  • Log in to the same server from another terminal (do not close the terminal running the server; it stays in the foreground).


 Step-4:

  • twtech sets the environment variables for Vault. VAULT_TOKEN is the root token printed by vault server -dev in Step-2 (a placeholder is shown here). Each export is a separate command:

export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='hvs.xyxyxyxyxyxyxyx'

 Step-5:

  • twtech verifies the status of Vault (in dev mode it reports Sealed: false).

vault status

 Step-6:

  • twtech enables (creates) and configures secrets engines.
  • Vault uses secrets engines to store secrets. The most common is Key/Value (KV). KV comes in two versions: v1 is a plain store, v2 keeps a history of versions and supports soft delete, destroy and metadata. The delete commands in Steps 11-13 exist only on v2.
  • twtech enables (creates) a KV v2 secrets engine at a chosen path; the path becomes the prefix of every secret stored in it. Without -version=2 Vault mounts KV v1.

vault secrets enable -path=twtech -version=2 kv

 Step-7: 

  •  twtech Writes (Stores)  Secrets

vault kv put twtech/path username=admin password=twtechSuperSecret@123

 Step-8:

  •  twtech Reads (Retrieves)  Secrets

vault kv get twtech/path

Step-9:

  • twtech Reads Secrets in JSON Format

vault kv get -format=json twtech/path

Step-10:

  • twtech lists all enabled secrets engines (mounts). This shows the engines, not the secrets inside them; the keys stored under a mount are listed with the kv list subcommand instead.

vault secrets list

Step-11: 

  • twtech deletes unwanted secrets in Vault.
  • Soft delete a secret (KV v2): the latest version is marked deleted, but its data is kept and can be undeleted.

vault kv delete twtech/path

Step-12:

  •  twtech permanently deletes (destroys) a secret version: the data of version 1 is wiped and cannot be recovered; the metadata entry for the secret remains.

vault kv destroy -versions=1 twtech/path

Step-13:

 twtech permanently deletes all versions of a secret together with its metadata

 vault kv metadata delete twtech/path

Step-14:

 twtech verifies that the secret is deleted

After deletion, check whether the secret still exists:

vault kv get twtech/path

After the soft delete (Step-11) the command still succeeds but returns only metadata, with a deletion_time set and no data. After the metadata delete (Step-13) it reports that no value was found at twtech/data/path: the secret is gone.

OR:

vault kv get -format=json twtech/path

Step-15:

  • twtech enables AWS and other cloud secrets engines:

NB:

  • HashiCorp Vault integrates well with AWS and other cloud providers.
  • HashiCorp Vault is cloud-agnostic (it integrates with many cloud providers to manage secrets).
  • A cloud secrets engine generates credentials in that provider on demand, and Vault manages them (TTL, renewal, revocation) just like the custom key/value secrets (kv ... twtech/path with username=admin password=twtechSuperSecret@123) created within Vault in Step-7.

How the secrets engine architecture is structured (Vault components, as in the diagram):

  • Secrets engines: AWS and other cloud providers, KV (static secrets), databases
  • Policies
  • Authentication methods
  • Clients (humans and machines fetching secrets)
  • Token: 'xyxyxyxyxyxyxxxx' (placeholder); every client request carries a token, and the token's policies decide what the request may do

Step-16:

twtech Enables (creates) aws secret engine path:

vault secrets enable -path=aws aws

Step-17:

  • twtech Verifies that the path to aws secrets engine is enabled (created)

vault secrets list

Step-18:

Enable (create) azure secret engine path:

vault secrets enable -path=azure azure

Step-19:

Verify that the path to the azure secrets engine is created:

vault secrets list

Step-20:

  • twtech disables unwanted secrets engines. Disabling a mount deletes everything stored under it and revokes every lease it issued, so the twtech KV data and any AWS users created through aws/ are gone afterwards; re-enable aws (Step-16) before continuing with Step-24.

vault secrets disable aws

vault secrets disable twtech

vault secrets disable azure

Step-21:

twtech verifies that the unwanted secrets engines have been disabled.

vault secrets list

Step-22:

  •  twtech lists the secrets engines that Vault mounts by default.

vault secrets list

twtech-Explanation:
  • This command lists every enabled secrets engine, including the built-in ones.
  • A new Vault server always has these system mounts:
    • cubbyhole/ (per-token private storage)
    • identity/ (the identity secrets engine)
    • sys/ (system endpoints)
  • In dev mode Vault also pre-mounts secret/ as a KV v2 engine; on a normal server a KV engine has to be enabled explicitly.
  • Auth methods (auth/) are not secrets engines; they are listed with vault auth list (Step-39).

Step-23:

  • twtech gets detailed output and metadata of the secrets engines (accessor, options, plugin version)

vault secrets list -detailed

Step-24:

  • twtech gives the aws secrets engine a set of AWS credentials (access key and secret key) at aws/config/root. The aws engine must be enabled (Step-16) for this path to exist. These are the credentials Vault itself uses to create IAM users, so they need IAM permissions to create users and attach policies; treat them as a high-value secret and, on a real deployment, have Vault rotate them right after configuration (the aws/config/rotate-root endpoint) so that nobody but Vault knows them.

vault write aws/config/root access_key=<twtech access key> secret_key=<twtech secret access key> region=us-east-2

OR:

vault write aws/config/root \
  access_key=xxxxxxxxxxxxxxx \
  secret_key=yyyyyyyyyyyyyyyyyyyyyyyyy \
  region=us-east-2

Step-25:

  • twtech creates a role and uses it to generate dynamic secrets. With credential_type=iam_user Vault creates a fresh IAM user for every request and attaches the inline policy below; the user is deleted when the lease expires or is revoked. ec2:* on every resource is wide for a demo; scope the actions and resources down for real use.

# twtech-ec2-role.sh

vault write aws/roles/twtech-ec2-role credential_type=iam_user policy_document=-<<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1426528957000",
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
EOF

Step-26:

  •  twtech reads dynamic secrets generated from the role. Every call returns a new IAM user with its own lease_id and TTL.

vault read aws/creds/twtech-ec2-role

Step-27:

  • twtech may revoke (destroy) any credentials no longer needed; revoking the lease deletes the IAM user in AWS. The lease_id is part of the output of Step-26.

vault lease revoke <lease_id>

vault lease revoke aws/creds/twtech-ec2-role/asqCxdNh0NEsjfMiCAnRM0i

Token Authentication:

  • Policy format,
  • Write policy,
  • Test policy,
  • Auth method and policy.

twtech-insights: a HashiCorp Vault policy defines access or permission levels (capabilities such as read, create, update, delete, list) on paths.

Step-28:

  • twtech creates policies:
  • Specifying the name, the paths and the capabilities (permissions) of the policy. Paths are matched most-specific-first: the exact entries for engineer-foncha and engineer-abunga win over the secret/data/* glob, so those two secrets stay read-only. On a KV v2 mount the data lives under secret/data/..., which is why the paths carry the data/ segment; listing keys would additionally need the list capability on secret/metadata/*. Granting everything on sys/* is very broad (it covers mounts, policies, audit devices and more) and is only acceptable in this dev sandbox.

#twtech-policy.hcl

vault policy write twtech-policy - << EOF
path "secret/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "sys/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/data/devsecops-patpat" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/data/engineer-foncha" {
  capabilities = ["read"]
}

path "secret/data/engineer-abunga" {
  capabilities = ["read"]
}
EOF

Step-29:

  • twtech lists the policies that already exist in Vault.

vault policy list

NB

  • twtech sometimes creates policies from a file instead of a heredoc; the file must use the .hcl extension and is passed to vault policy write in place of the "-".
  • twtech runs the command directly on the terminal.

Step-30:

  • twtech Verifies that policy is created: twtech-policy

vault policy list

Step-31:

  • twtech reads the content of a policy (its path rules and capabilities).

 vault policy read twtech-policy

Step-32:

  • twtech Reads the content of the default policy.

vault policy read default

Step-33:

  • twtech deletes any unwanted policies in Vault. Deleting a policy does not revoke the tokens that reference it; they simply lose the capabilities it granted. twtech-policy is needed again in Steps 35 and 45, so re-create it with Step-28 after this test.

vault policy delete <policyName>

vault policy delete twtech-policy

    • What is the policy format (.hcl)
    • How twtech applies a policy (respecting the principle of least privilege, PoLP)

Step-34:

  • twtech associates a token with a policy (the Vault equivalent of role binding).

Policies are attached to a token when the token is created. The root token (for example hvs.HXPMtOLVYwwlJERaHIViNxxx, printed at dev-mode startup) carries the root policy and can do anything; it is used here only to mint a less privileged token that carries twtech-policy:

Step-35:

  •  twtech creates a token attached to the policy and exports it. From this point on every command runs as that token, not as root, so the following steps show what twtech-policy does and does not allow.

 export VAULT_TOKEN="$(vault token create -field=token -policy=twtech-policy)"

Step-36:

  • twtech writes a secret to the secret/ mount with the policy-scoped token (allowed by the secret/data/* rule of twtech-policy).

vault kv put -mount=secret twtech-ssh-creds password="devseczzzpspat"



Step-37:

  • twtech verifies that users (twtech-pat and others) are able to use their assigned capabilities by writing a secret.

vault kv put -mount=secret twtech-pat  github-pat="sidooapeiopd525466664"

Step-38:

  •  twtech troubleshoots a policy that prevents the creation (writing) of a secret:
  • The write below fails with "permission denied" because twtech-policy grants only read on secret/data/engineer-foncha, and that exact path takes precedence over the broader secret/data/* rule.

vault kv put -mount=secret engineer-foncha twtech-pat="sidooapeiopd525466664"
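Why Step-38 is denied while Step-37 succeeds comes down to Vault's path-precedence rules. The Python model below is an added example (not the page's code and not Vault's implementation): it parses the path/capabilities stanzas of twtech-policy from Step-28, applies the simplified rules that an exact path beats a glob, the longest glob wins among globs, the capabilities of all attached policies are unioned and deny overrides everything, and maps each vault kv subcommand to the KV v2 API path and capability it actually needs. The second policy (DENY_PAT) is constructed for the demonstration; the + wildcard, sudo and parameter constraints of real policies are left out.

```python
"""Simplified model of how Vault evaluates ACL policies (added example, not Vault's code)."""
import re

# Grammar subset handled: `path "<p>" { capabilities = [ "a", "b" ] }` stanzas.
_STANZA = re.compile(r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]', re.S)


def parse_policy(hcl):
    """Return [(path, set_of_capabilities)] in the order the stanzas appear."""
    rules = []
    for path, caps in _STANZA.findall(hcl):
        rules.append((path, {c.strip().strip('"') for c in caps.split(",") if c.strip()}))
    return rules


def _matches(rule_path, req_path):
    # A trailing "*" is a prefix glob; anything else must match exactly.
    if rule_path.endswith("*"):
        return req_path.startswith(rule_path[:-1])
    return rule_path == req_path


def _best_rule(rules, req_path):
    """Most specific matching stanza: an exact match beats any glob, and among
    globs the longest prefix wins (Vault's priority rules, simplified)."""
    matching = [r for r in rules if _matches(r[0], req_path)]
    if not matching:
        return None
    exact = [r for r in matching if not r[0].endswith("*")]
    if exact:
        return exact[0]
    return max(matching, key=lambda r: len(r[0]))


def capabilities(policies, req_path):
    """Union of the winning stanza of each attached policy; `deny` beats everything."""
    caps = set()
    for rules in policies:
        rule = _best_rule(rules, req_path)
        if rule:
            caps |= rule[1]
    return {"deny"} if "deny" in caps else caps


# What each `vault kv` subcommand hits on a KV v2 mount and the capability it needs.
KV2_OPS = {
    "put":             ("data",     {"create", "update"}),
    "get":             ("data",     {"read"}),
    "delete":          ("data",     {"delete"}),
    "destroy":         ("destroy",  {"update"}),
    "list":            ("metadata", {"list"}),
    "metadata delete": ("metadata", {"delete"}),
}


def kv2_allowed(policies, mount, key, op):
    sub, needed = KV2_OPS[op]
    caps = capabilities(policies, f"{mount}/{sub}/{key}")
    return "deny" not in caps and bool(caps & needed)


# twtech-policy from Step-28, as written on the page.
TWTECH_POLICY = parse_policy('''
path "secret/data/*"               { capabilities = ["create", "read", "update", "delete", "list"] }
path "sys/*"                       { capabilities = ["create", "read", "update", "delete", "list"] }
path "secret/data/devsecops-patpat" { capabilities = ["create", "read", "update", "delete", "list"] }
path "secret/data/engineer-foncha" { capabilities = ["read"] }
path "secret/data/engineer-abunga" { capabilities = ["read"] }
''')

# Constructed second policy: an explicit deny attached alongside twtech-policy.
DENY_PAT = parse_policy('path "secret/data/twtech-pat" { capabilities = ["deny"] }')


def demo():
    p = [TWTECH_POLICY]
    return {
        "put twtech-pat":        kv2_allowed(p, "secret", "twtech-pat", "put"),       # glob grants create
        "put engineer-foncha":   kv2_allowed(p, "secret", "engineer-foncha", "put"),  # exact read-only wins
        "get engineer-foncha":   kv2_allowed(p, "secret", "engineer-foncha", "get"),
        "list secret/":          kv2_allowed(p, "secret", "", "list"),                # no secret/metadata/* rule
        "put twtech-pat (deny)": kv2_allowed(p + [DENY_PAT], "secret", "twtech-pat", "put"),
    }


if __name__ == "__main__":
    for op, ok in demo().items():
        print(f"{op:24s} {'allowed' if ok else 'permission denied'}")
```

The "list secret/" row is the trap practitioners hit most often: list on secret/data/* does nothing for vault kv list, because listing reads the metadata/ path of a KV v2 mount.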

Step-39:

  • twtech uses auth methods and policies for external authentication:
  • Like GitHub, Docker Hub, and many more.
  • First, list the existing auth methods:

vault auth list

  • Result: permission denied. Listing auth methods reads sys/auth, and the token exported in Step-35 is only as powerful as the policies attached to it; if twtech-policy was deleted in Step-33 and not re-created, that token has no capabilities at all.

Step-40:

  • twtech troubleshoots the permission denial
  • when trying to list Vault auth methods.

Steps

A. Verify Vault status

  • Check that the Vault server is running and unsealed:

vault status

  • If it is sealed, unseal it with the required number of unseal keys (a dev-mode server is never sealed).

B. Verify that the twtech user is authenticated, and see which policies the current token carries

vault token lookup

  • To troubleshoot, the twtech user must be authenticated.
  • They log in as shown below, without the token ever appearing on screen or in the shell history.

Token when pasted is not visible.

vault login

Token (will be hidden): hvs.IqonxNiCM92qtbabPK6eIxxx

C. Use the root token (if necessary). If twtech has the initial root token, try it (two separate commands):

export VAULT_TOKEN=<your-root-token>
vault auth list

  • If it works with the root token, the problem is the policies of the previous token, not the server.

D. List Vault policies and read the one attached to the failing token (Step-31) to confirm that it does not grant read on sys/auth:

vault policy list

Step-41:

  • twtech Lists all auth methods in vault

vault auth list


NB:
  • With the above troubleshooting steps done, twtech successfully lists the auth methods again:

Step-42:

  •  twtech enables (creates) the approle auth method (other auth methods are enabled the same way).

vault auth  enable approle 

Step-43:

  • twtech Verifies auth methods created.

vault auth list

Step-44:

  • twtech lists existing policies:

vault policy list

Step-45:

  •  twtech creates an AppRole role bound to the policy (twtech-policy). The TTLs bound the lifetime of the SecretID and of the tokens it issues; token_num_uses and secret_id_num_uses cap how many times each may be used.

vault write auth/approle/role/twtech-role secret_id_ttl=10m token_num_uses=10 token_ttl=20m token_max_ttl=30m secret_id_num_uses=40 token_policies=twtech-policy

# OR

vault write auth/approle/role/twtech-role \
  secret_id_ttl=10m \
  token_num_uses=10 \
  token_ttl=20m \
  token_max_ttl=30m \
  secret_id_num_uses=40 \
  token_policies=twtech-policy

Step-46:

  •  twtech generates and exports the RoleID
  • For machine authentication the RoleID and SecretID play the part of username and password: the RoleID is stable and may be baked into an image or pipeline, while the SecretID is the secret and should be delivered separately, just in time (it expires after secret_id_ttl).

export ROLE_ID="$(vault read -field=role_id auth/approle/role/twtech-role/role-id)"

Step-47:

  • twtech Generate and Export Secret ID

export SECRET_ID="$(vault write -f -field=secret_id auth/approle/role/twtech-role/secret-id)"

Step-48:

  • twtech logs in with the RoleID and SecretID. The response contains a client token that carries twtech-policy; it can be exported in VAULT_TOKEN for the following commands.

vault write auth/approle/login role_id="$ROLE_ID" secret_id="$SECRET_ID"
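The CLI commands of Steps 26-27 and 46-48 are thin wrappers over Vault's HTTP API. The Python client below is an added example (not the page's code and not HashiCorp's library): it performs the AppRole login, reads the KV v2 secret from Step-36, reads dynamic AWS credentials from the role of Step-25 and revokes their lease, using only the standard library. The transport is injectable; fake_transport, with its constructed responses, role/secret IDs and token, lets the whole exchange run offline, and VaultClient with transport=None talks to a real dev server over HTTP.

```python
"""The HTTP exchanges behind the Vault CLI commands on this page (added example)."""
import json
import urllib.request


class VaultClient:
    """Minimal Vault API client; transport(method, path, body, token) is injectable."""

    def __init__(self, addr, transport=None):
        self.addr = addr.rstrip("/")
        self.token = None
        self._transport = transport or self._http

    def _http(self, method, path, body, token):
        # Real transport: every endpoint lives under /v1/<path> and the token
        # travels in the X-Vault-Token header, never in the URL.
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{self.addr}/v1/{path}", data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if token:
            req.add_header("X-Vault-Token", token)
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def _request(self, method, path, body=None):
        return self._transport(method, path, body, self.token)

    def approle_login(self, role_id, secret_id):
        # `vault write auth/approle/login role_id=... secret_id=...`
        resp = self._request("POST", "auth/approle/login",
                             {"role_id": role_id, "secret_id": secret_id})
        self.token = resp["auth"]["client_token"]   # the CLI stores this in ~/.vault-token
        return resp["auth"]

    def kv2_get(self, mount, key):
        # `vault kv get -mount=<mount> <key>` on KV v2: note the data/ path segment
        # and the doubled "data" key in the response.
        return self._request("GET", f"{mount}/data/{key}")["data"]["data"]

    def read_dynamic(self, path):
        # `vault read aws/creds/<role>`: credentials arrive together with a lease_id.
        resp = self._request("GET", path)
        return resp["lease_id"], resp["lease_duration"], resp["data"]

    def revoke_lease(self, lease_id):
        # `vault lease revoke <lease_id>`
        self._request("PUT", "sys/leases/revoke", {"lease_id": lease_id})


# --- Constructed fake Vault (every value below is made up) so the flow runs offline ---
FAKE_ROLE_ID, FAKE_SECRET_ID = "constructed-role-id", "constructed-secret-id"
FAKE_TOKEN = "hvs.CONSTRUCTEDclienttoken"
REVOKED = []


def fake_transport(method, path, body, token):
    if (method, path) == ("POST", "auth/approle/login"):
        if body != {"role_id": FAKE_ROLE_ID, "secret_id": FAKE_SECRET_ID}:
            raise PermissionError("403 invalid role or secret ID")
        return {"auth": {"client_token": FAKE_TOKEN,
                         "policies": ["default", "twtech-policy"], "lease_duration": 1200}}
    if token != FAKE_TOKEN:
        raise PermissionError("403 permission denied")   # what an unauthenticated call gets
    if (method, path) == ("GET", "secret/data/twtech-ssh-creds"):
        return {"data": {"data": {"password": "constructed-password"}, "metadata": {"version": 1}}}
    if (method, path) == ("GET", "aws/creds/twtech-ec2-role"):
        return {"lease_id": "aws/creds/twtech-ec2-role/CONSTRUCTEDLEASEID", "lease_duration": 2764800,
                "data": {"access_key": "AKIACONSTRUCTED00000", "secret_key": "constructed/secret"}}
    if (method, path) == ("PUT", "sys/leases/revoke"):
        REVOKED.append(body["lease_id"])
        return {}
    raise LookupError(f"404 no handler for {method} {path}")


def demo(transport=fake_transport):
    """AppRole login, read a static and a dynamic secret, then revoke the lease."""
    client = VaultClient("http://127.0.0.1:8200", transport=transport)
    auth = client.approle_login(FAKE_ROLE_ID, FAKE_SECRET_ID)
    static = client.kv2_get("secret", "twtech-ssh-creds")
    lease_id, ttl, creds = client.read_dynamic("aws/creds/twtech-ec2-role")
    client.revoke_lease(lease_id)          # finished with the IAM user: remove it now, not at TTL
    return {"policies": auth["policies"], "static": static, "ttl": ttl,
            "access_key": creds["access_key"], "lease_id": lease_id, "revoked": list(REVOKED)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Revoking the lease as soon as the job is done (rather than letting it run to its TTL) is the habit that makes dynamic credentials worth having: the IAM user exists only for the minutes it is actually in use.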

Step-49:

  •  twtech authenticates twtech users into the Vault environment:
  • Usernames and passwords are replaced by per-user tokens (comparable to a personal access token) that grant scoped access to Vault.
  • The concept of the root token:
  • The root token is a string of characters that logs into Vault with the root policy, that is, with every capability on every path.
  • twtech gets the initial root token.
  • When Vault is started in dev mode, a root token is generated and printed to the terminal.

twtech Recommendation:

  • In dev mode, keep the printed root token at hand for the session, since it is used repeatedly for authentication. On a real deployment the root token is not kept at all: use it once to set up auth methods and policies, then revoke it (Step-53) and work with scoped tokens; a new root token can be generated with the unseal keys if it is ever needed again.

Step-50:

  • twtech performs vault login using the root token:

vault login

  • Token (will be hidden):

Step-51:

  • twtech generates a new token from the current one. Run as root, vault token create without -policy produces a child token with the parent's (root) policies, so it is a second root token. It does not help once the root token itself is lost; that case needs the unseal keys and vault operator generate-root (or, in dev mode, simply restarting the server).

vault token create

Step-52:

  • twtech verifies that the generated token is valid for login. 

vault login

  • Token (will be hidden):

Step-53:

  • twtech revokes (destroys or deletes) unwanted tokens.
  • List all Vault tokens. Vault never lists token values, only their accessors; an accessor can look up and revoke a token (vault token revoke -accessor) without knowing the token itself:

vault list auth/token/accessors

  • Revoke (destroy) the unwanted token, then try to log in with it.
  • The login should fail with an error, because the token has been revoked. Revoking a token also revokes every child token and every lease created with it.

vault token revoke <Token>

Step-54:

  • twtech authenticates with GitHub in HashiCorp Vault.
  • Prerequisites (done in the GitHub web UI):
  • Generate a GitHub PAT (personal access token); Vault checks it against the GitHub API, so it needs the read:org scope
  • Create an organization in GitHub
  • Create teams in that organization in GitHub

UI:

  • Create a team within the organization (Think-with-Tech)



Step-55:

  • twtech configures the GitHub auth method in Vault with the same organization and maps its teams to Vault policies.
  • Using the command-line interface (CLI)
  • First, verify whether the GitHub auth method is already enabled (created):

vault auth list

Step-56:

  • twtech enables (create)  github auth method:

vault auth enable github

Step-57:

  • twtech Verifies that github auth method is enabled (created) 

vault auth list

Step-58:

  • twtech points the GitHub auth method at the GitHub organization with the CLI. Only members of this organization can log in.

vault write auth/github/config organization=Think-with-Tech

Step-59:

  •  twtech maps a GitHub team to Vault policies with the CLI: members of twtech-dev-team receive the default and application policies on login (the application policy must exist for the mapping to grant anything).

vault write auth/github/map/teams/twtech-dev-team values=default,application

Step-60:

  •  twtech logs in to Vault using the GitHub auth method. The GitHub PAT is needed: Vault validates it against GitHub and issues a Vault token with the mapped policies.

vault login -method=github

  • GitHub Personal Access Token (will be hidden)

Step-61:

  • twtech revokes every token that was issued through the GitHub auth method (revocation by path prefix).

vault token revoke -mode path auth/github

Step-62:

  • twtech disables the GitHub auth method (this also revokes any tokens it issued).

vault auth disable github

Step-63:

  • twtech verifies that the GitHub auth method is gone:

vault auth list

  • HashiCorp Vault UI: (screenshot of the web UI, which dev mode serves at http://127.0.0.1:8200/ui)
