Hashicorp Vault is a popular tool that lets you manage secrets and other sensitive data. It acts as a central repository for storing and controlling access to various types of information, including:
API keys and passwords
Certificates
Encryption keys
Tokens
Use cases of Vault
HashiCorp Vault is a versatile tool for managing secrets and protecting sensitive data across various use cases. Some of the key use cases for HashiCorp Vault include:
Secrets Management: HashiCorp Vault serves as a secure repository for sensitive information such as API keys, passwords, and database credentials. It implements strict access controls and automated rotation of secrets to mitigate the risk of unauthorized access or compromise.
Data Encryption: Vault offers robust encryption mechanisms to protect data both at rest and in transit, employing a range of encryption algorithms. This feature enhances the security posture of systems by safeguarding sensitive data stored across various storage mediums, including databases and file systems.
Certificate Lifecycle Management: As a centralized certificate authority, HashiCorp Vault streamlines the issuance and management of SSL/TLS certificates. By managing the entire certificate lifecycle, it ensures that certificates are only issued to authorized entities and simplifies the process of certificate renewal and revocation.
Identity-Driven Access Control: Integrating with authentication systems like LDAP and Active Directory, HashiCorp Vault enables granular access control based on user identities. Through role-based access policies, users are granted access only to the specific secrets necessary for their roles or permissions, enhancing security and compliance measures.
Installing HashiCorp Vault
The following steps can be followed to install Vault on your Ubuntu machine.
sudo apt update && sudo apt install gpg wget
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vault
Running the server in development mode
vault server -dev
In a different terminal, SSH into the same instance and continue:
Exporting the vault address and vault token:
export VAULT_ADDR='ip address'
export VAULT_TOKEN="root token"
Checking vault status:
vault status
Verifying Installation:
vault --help
Logging into the Vault:
vault login (Provide the root token when asked)
Enabling Secrets:
vault secrets enable -version=2 kv
Creating Secrets:
vault kv put kv/agent/secret username=<your_name> password=<your_password>
Retrieving the Secrets:
vault kv get kv/agent/secret
Creating sample policy:
cat << EOF | tee agent.policy
path "kv/data/agent/*" {capabilities = ["read"]}
EOF
To permit the agent to access the path to get the secrets and mount(add it to the agent.policy file):
path "kv/agent/secret/*" { capabilities = ["create", "read", "update", "delete", "list"] }
Re-formatting the file according to the Standard:
vault policy fmt agent.policy
Uploading the policy:
vault policy write agent agent.policy
Enabling auth method:
vault auth enable approle
Define role using role created earlier:
vault write auth/approle/role/agent policies="agent"
Get role id:
vault read auth/approle/role/agent/role-id
Display role definition:
vault read auth/approle/role/agent
Create empty secret:
vault write -force auth/approle/role/agent/secret-id
Configure login endpoint using role id and secret id:
vault write auth/approle/login \
role_id=<your-role-id> \
secret_id=<your-secret-id>
Testing the approle auth:
curl -XPOST -d '{"role_id":" ","secret_id":""}' http://<your-ip>:8200/v1/auth/approle/login
Creating a vault group:
sudo groupadd --gid 864 vault
Creating a vault user:
sudo useradd --uid 864 --gid 864 --shell /bin/false --home-dir /etc/vault.d --no-create-home vault
Create configuration directory:
sudo -u vault install --directory --group vault --owner vault --mode 700 /etc/vault.d
Create app data directory:
sudo -u vault install --directory --group vault --owner vault --mode 700 /opt/vault
Create an empty environment file:
sudo -u vault touch /etc/vault.d/vault.env
Create empty configuration:
sudo -u vault touch /etc/vault.d/vault.hcl
Prevent memory from being swapped to disk:
sudo setcap cap_ipc_lock=+ep /usr/bin/vault
Reload systemd configuration:
sudo systemctl --system daemon-reload
Inspect service status:
systemctl status vault-agent
Store role id and secret id:
echo | sudo -u vault tee /etc/vault.d/role-id
sudo chmod 600 /etc/vault.d/role-id
echo | sudo -u vault tee /etc/vault.d/secret-id sudo
chmod 600 /etc/vault.d/secret-id
Create secret template:
sudo tee /etc/vault.d/secret.ctmpl << EOF {{ with secret "kv/agent/secret" -}} username = "{{ .Data.data.username }}" password = "{{ .Data.data.password }}" {{- end }} EOF
Create agent configuration. Update the systemd service to use a directory instead of a single file:
sudo -u vault tee /etc/vault.d/vault.hcl << EOF
vault {
address = "ip address:8200"
}
auto_auth {
method "approle" {
config = {
role_id_file_path = "/etc/vault.d/role-id"
secret_id_file_path = "/etc/vault.d/secret-id"
remove_secret_id_file_after_reading = false
}
}
}
pid_file = "/opt/vault/vault.pid"
template {
source = "/etc/vault.d/secret.ctmpl"
destination = "/opt/vault/secret"
}
EOF
sudo systemctl enable --now vault-agent
Running vault agent with the config file:
vault agent -config=path-to-config-file
Inspect service logs:
sudo journalctl -u vault-agent
You can use these steps to install vault agent and retreive the secrets stored as key-value pair. Now, to take this a step further, you can use the vault agent to connect to your mongodb database and get the credentials from the vault to access your database. For example:
Create a mongodb container:
docker run -d -p 27017:27017 mongo-container -e MONGO_INITDB_ROOT_USERNAME=mongoadmin -e MONGO_INITDB_ROOT_PASSWORD=secret mongo:latest
Mongodb shell installation(mongosh):
https://www.mongodb.com/docs/mongodb-shell/install/
Enable the database secrets engine if it is not already enabled:
vault secrets enable database
Configure Vault with the proper plugin and connection information:
vault write database/config/my-mongodb-database \
plugin_name=mongodb-database-plugin \
allowed_roles="my-role" \
connection_url="mongodb://mongoadmin:secret@<ip-address>:27017/admin?tls=false" \
username="mongoadmin" \
password="secret"
Configure a role that maps a name in Vault to a MongoDB command that executes and creates the database credential:
vault write database/roles/my-role \
db_name=my-mongodb-database \
creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' \
default_ttl="1h" \
max_ttl="24h"
Generate a new credential by reading from the /creds endpoint with the name of the role:
vault read database/creds/my-role
Attach these to the agent.policy and update the policy:
path "database/creds/my-role" { capabilities = ["create", "read", "update", "delete", "list"] }
path "database/config/my-mongodb-database/*" { capabilities = ["create", "read", "update", "delete", "list"] }
Mongodb credentials template format:
{{ with secret "database/creds/my-role" -}}
"username": "{{ .Data.username }}",
"password": "{{ .Data.password }}"
{{- end }}
Now you need to update the poilcy:
vault policy write agent agent.policy
vault write auth/approle/role/agent policies="agent"
And now finally run the vault agent using the updated configuration file:
vault agent -config=path-to-config-file
You can check the path of the specified secret in the configuration file to verify.
USEFUL LINKS:
https://developer.hashicorp.com/vault/docs/secrets/databases/mongodb
https://hub.docker.com/_/mongo
https://sleeplessbeastie.eu/2022/10/17/how-to-install-vault-agent/