How twtech Creates Users, Policies, Groups, Secrets, Login Credentials & Store on Hashicorp Vualt from UI | Overview & Hands-On.

An overview of how to create users, policies, groups, and secrets in HashiCorp Vault using the UI.

Focus:

• Tailored for Devops, DevSecOps, Cloud Engineers.

Breakdown:

• Step-by-step guide,
• Login to Vault UI,
• Enable & Create Users (Userpass Auth Method),
• Create Policies,
• Create Groups (For External Identity Providers like LDAP, OIDC),
• Enable Secrets Engine,
• Store Credentials in KV Secrets Engine,
• Access the Vault server, (CLI) and create passwords for users created.

Step-by-step guide:

 1. Login to Vault UI

• Open your browser and navigate to your Vault UI (usually http://<vault-address>:8200).
• Login using your root token or an auth method like username/password, GitHub, LDAP, etc.

2. Enable & Create Users (Userpass Auth Method)

a. Enable userpass Auth Method

• Go to Access > Auth Methods.
• Click Enable new method.
• Choose Userpass from the list.
• Set a path (or leave it as userpass/) and click Enable Method.

b. Create a User

• After enabling, click into the Userpass method.
• Click Create User.
• Enter:
• Username
• Password
• Policies (assign existing policies)
• Click Create User.

3. Create Policies

• Go to Access > Policies.
• Click Create Policy.
• Enter:
• Name of the policy.
• Policy Code using HCL or JSON (this defines access permissions).
• Example HCL policy to allow read/write to a secret path:

path "secret/data/*" {

      capabilities = ["create", "read", "update", "delete", "list"]

}

path "sys/*" {

    capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/data/engineer-foncha" { 

   capabilities = ["create", "read", "update", "delete", "list"]

 }

path "secret/data/engineer-patpat" {

   capabilities = ["read"]

 }

# Click Create Policy.

 4. Create Groups (For External Identity Providers like LDAP, OIDC)

• Go to Access > Groups.
• Click Create Group.
• Provide:
• Group Name
• Type Internal (custom-users) or External (cloudbase,gitHub,…)
• Assign Policies
• Add Group Members (for internal groups)
• Click Create Group.

5. Enable Secrets Engine

• Go to Secrets > Secrets Engines.
• Click Enable new engine.
• Select the secret engine type (e.g., KV - Key/Value v2).
• Set a mount path (e.g., secret/, twtech-secrets ) and click Enable Engine.

6. Store Credentials in KV Secrets Engine 

• Go to Secrets > secret/ (or your custom mount path).
• Click Create Secret.
• Enter:
• Secret path (e.g., twtech-secrets/credentials)
• Key/Value pairs (e.g., username, password)
• Click Save.

7. Access the Vault server, (CLI) to create passwords for users (engineer-foncha, engineer-patpat)

# Set up the environmental variables to access the CLI, & refresh twtech-Vault server.

echo "export VAULT_ADDR='https:// 127.0.0.1:8200:8200'" >> ~/.bashrc

source ~/.bashrc

#Set up  environmental variable for the vault token:

 export VAULT_TOKEN="twtech-root-token"

# Set up the password for the accounts.

vault write auth/userpass/users/engineer-foncha password="twtech123"

twtech-Test Access

• Login with the new user credentials ( engineer-foncha)  and verify that engineer-foncha can only access what is allowed by the assigned policies.

Addendum:

twtech also create a log tracking file:  (/var/log/vault_audit.json). This tracks activities of all users accessing the vault. This includes, what users have done, what they tried to do by were denied access, their IPaddresses…. and much more.

Project: Hands-On

• Login using twtech root token or an auth method like username/password, GitHub, LDAP, etc.

• Click on create secret:(Secret Engines)

• Create the path to secrets for twtech Webserver-Team

• Verify all Secrets created by : (CLI & GUI)

• Create twtech-polices to define tasks that groups and users in the groups can perform.

• Add ACL Policies ( these can be uploaded as files or written)

• How twtech assigns Permissions to  twtech-webserver Team.

• Verify the Created  & existing default polices.

• Create group authentication methods:

• Create twtech-groups.
• Choose type (custom base like twtech = internal or cloud base like aws, azure, gcp, github = external)

• Verify twtech-groups created and existing groups:

• Enable the authentication methods. (userpass auth methods is needed to create users)
• We want to create username (entities)

• twtech Selected choice  of auth methods for this project: Enable an Authentication Method

• verify the created and exiting auth methods

• Create the twtech-user accounts (entities)

• Create aliases (name of user or entities ). Multiple accounts can be created here for single sign-ons

Aliases:

NB:

Here, twtech-user (engineer-foncha) is inheriting the twtech-new-policy (assigned to twtech-admin-groups)

• Assign group(twtech-admin-group) with twtech-users 

• Go to members: edit (assign member to group).

• Assign engineer-foncha twtech-admin-group

• Select member entity IDs and assign them to teams created:

How twtech adds passwords  twtech-users.  engineer-foncha

NB:

UI does not support creating password for twtech-users. twtech-Users passwords must be created using CLI.

To create passwords for user, twtech requires the CLI:

Set up the environmental variables to access the CLI with hashicorp vault PubIPaddress, & refresh server.

echo "export VAULT_ADDR='https:// 127.0.0.1:8200:8200'" >> ~/.bashrc

source ~/.bashrc

Set up  environmental variable for the vault token:

 export VAULT_TOKEN="twtech-root-token"

Set up the password for the accounts.

vault write auth/userpass/users/engineer-foncha password="twtech123"

Access the GUI with the created accounts and passwords, and verify that he can only access what is allowed by their assigned policies.

Project Successfully accomplished.

twtech-insights:

• Based on the twtech-new-policies that is attached to twtech-admin-group, for which engineer-foncha is a member of, he can also create, read, update, delete and list components within the Hashicorp Vault.