Getting Started with HashiCorp Vault

Getting Started with HashiCorp Vault

Hashicorp Vault is a popular tool that lets you manage secrets and other sensitive data. It acts as a central repository for storing and controlling access to various types of information, including:

  • API keys and passwords

  • Certificates

  • Encryption keys

  • Tokens

Use cases of Vault

HashiCorp Vault is a versatile tool for managing secrets and protecting sensitive data across various use cases. Some of the key use cases for HashiCorp Vault include:

  1. Secrets Management: HashiCorp Vault serves as a secure repository for sensitive information such as API keys, passwords, and database credentials. It implements strict access controls and automated rotation of secrets to mitigate the risk of unauthorized access or compromise.

  2. Data Encryption: Vault offers robust encryption mechanisms to protect data both at rest and in transit, employing a range of encryption algorithms. This feature enhances the security posture of systems by safeguarding sensitive data stored across various storage mediums, including databases and file systems.

  3. Certificate Lifecycle Management: As a centralized certificate authority, HashiCorp Vault streamlines the issuance and management of SSL/TLS certificates. By managing the entire certificate lifecycle, it ensures that certificates are only issued to authorized entities and simplifies the process of certificate renewal and revocation.

  4. Identity-Driven Access Control: Integrating with authentication systems like LDAP and Active Directory, HashiCorp Vault enables granular access control based on user identities. Through role-based access policies, users are granted access only to the specific secrets necessary for their roles or permissions, enhancing security and compliance measures.

Installing HashiCorp Vault

The following steps can be followed to install Vault on your Ubuntu machine.

sudo apt update && sudo apt install gpg wget

wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg

gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint

echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list

sudo apt update && sudo apt install vault

Running the server in development mode

vault server -dev

In a different terminal, SSH into the same instance and continue:

Exporting the vault address and vault token:

export VAULT_ADDR='ip address' 
export VAULT_TOKEN="root token"

Checking vault status:

vault status

Verifying Installation:

vault --help

Logging into the Vault:

vault login (Provide the root token when asked)

Enabling Secrets:

vault secrets enable -version=2 kv

Creating Secrets:

vault kv put kv/agent/secret username=<your_name> password=<your_password>

Retrieving the Secrets:

vault kv get kv/agent/secret

Creating sample policy:

cat << EOF | tee agent.policy 
path "kv/data/agent/*" {capabilities = ["read"]} 
EOF

To permit the agent to access the path to get the secrets and mount(add it to the agent.policy file):

path "kv/agent/secret/*" { capabilities = ["create", "read", "update", "delete", "list"] }

Re-formatting the file according to the Standard:

vault policy fmt agent.policy

Uploading the policy:

vault policy write agent agent.policy

Enabling auth method:

vault auth enable approle

Define role using role created earlier:

vault write auth/approle/role/agent policies="agent"

Get role id:

vault read auth/approle/role/agent/role-id

Display role definition:

vault read auth/approle/role/agent

Create empty secret:

vault write -force auth/approle/role/agent/secret-id

Configure login endpoint using role id and secret id:

vault write auth/approle/login \
role_id=<your-role-id> \
secret_id=<your-secret-id>

Testing the approle auth:

curl -XPOST -d '{"role_id":" ","secret_id":""}' http://<your-ip>:8200/v1/auth/approle/login

Creating a vault group:

sudo groupadd --gid 864 vault

Creating a vault user:

sudo useradd --uid 864 --gid 864 --shell /bin/false --home-dir /etc/vault.d --no-create-home vault

Create configuration directory:

sudo -u vault install --directory --group vault --owner vault --mode 700 /etc/vault.d

Create app data directory:

sudo -u vault install --directory --group vault --owner vault --mode 700 /opt/vault

Create an empty environment file:

sudo -u vault touch /etc/vault.d/vault.env

Create empty configuration:

sudo -u vault touch /etc/vault.d/vault.hcl

Prevent memory from being swapped to disk:

sudo setcap cap_ipc_lock=+ep /usr/bin/vault

Reload systemd configuration:

sudo systemctl --system daemon-reload

Inspect service status:

systemctl status vault-agent

Store role id and secret id:

echo | sudo -u vault tee /etc/vault.d/role-id 
sudo chmod 600 /etc/vault.d/role-id 
echo | sudo -u vault tee /etc/vault.d/secret-id sudo 
chmod 600 /etc/vault.d/secret-id

Create secret template:

sudo tee /etc/vault.d/secret.ctmpl << EOF {{ with secret "kv/agent/secret" -}} username = "{{ .Data.data.username }}" password = "{{ .Data.data.password }}" {{- end }} EOF

Create agent configuration. Update the systemd service to use a directory instead of a single file:

sudo -u vault tee /etc/vault.d/vault.hcl << EOF 
vault {
  address = "ip address:8200"
}

auto_auth {
  method "approle" {
    config = {
      role_id_file_path = "/etc/vault.d/role-id"
      secret_id_file_path = "/etc/vault.d/secret-id"  
      remove_secret_id_file_after_reading = false
    }
  }
}

pid_file = "/opt/vault/vault.pid"

template {
  source = "/etc/vault.d/secret.ctmpl"
  destination = "/opt/vault/secret"
}
EOF
sudo systemctl enable --now vault-agent

Running vault agent with the config file:

vault agent -config=path-to-config-file

Inspect service logs:

sudo journalctl -u vault-agent

You can use these steps to install vault agent and retreive the secrets stored as key-value pair. Now, to take this a step further, you can use the vault agent to connect to your mongodb database and get the credentials from the vault to access your database. For example:

Create a mongodb container:

docker run -d -p 27017:27017 mongo-container -e MONGO_INITDB_ROOT_USERNAME=mongoadmin -e MONGO_INITDB_ROOT_PASSWORD=secret mongo:latest

Mongodb shell installation(mongosh):

https://www.mongodb.com/docs/mongodb-shell/install/

Enable the database secrets engine if it is not already enabled:

vault secrets enable database

Configure Vault with the proper plugin and connection information:

vault write database/config/my-mongodb-database \
plugin_name=mongodb-database-plugin \
allowed_roles="my-role" \
connection_url="mongodb://mongoadmin:secret@<ip-address>:27017/admin?tls=false" \
username="mongoadmin" \
password="secret"

Configure a role that maps a name in Vault to a MongoDB command that executes and creates the database credential:

vault write database/roles/my-role \
db_name=my-mongodb-database \
creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' \
default_ttl="1h" \
max_ttl="24h"

Generate a new credential by reading from the /creds endpoint with the name of the role:

vault read database/creds/my-role

Attach these to the agent.policy and update the policy:

path "database/creds/my-role" { capabilities = ["create", "read", "update", "delete", "list"] }
path "database/config/my-mongodb-database/*" { capabilities = ["create", "read", "update", "delete", "list"] }

Mongodb credentials template format:

{{ with secret "database/creds/my-role" -}} 
"username": "{{ .Data.username }}", 
"password": "{{ .Data.password }}" 
{{- end }}

Now you need to update the poilcy:

vault policy write agent agent.policy
vault write auth/approle/role/agent policies="agent"

And now finally run the vault agent using the updated configuration file:

vault agent -config=path-to-config-file

You can check the path of the specified secret in the configuration file to verify.

USEFUL LINKS:

https://developer.hashicorp.com/vault/docs/secrets/databases/mongodb

https://hub.docker.com/_/mongo

https://sleeplessbeastie.eu/2022/10/17/how-to-install-vault-agent/