Set up Vault
Scenario
Danielle is on the HashiCups development team, and builds the applications and plugins which interact with Vault. They have installed the Vault binary on their computer, and can now use a Vault development (dev mode) server for development and testing.
Oliver from the operations team evaluates a self-managed Vault server, and the HashiCorp Cloud Platform (HCP) Vault Dedicated server as solutions for local user acceptance testing.
Danielle and Oliver will start and prepare their Vault servers for use, check the server status, and use their initial root token to authenticate with Vault.
Prerequisites
To complete this tutorial, you need the following:
- Vault binary installed and configured in your system PATH.
Set up the lab
Vault operates as a client-server application. The Vault server is the sole piece of the Vault architecture that interacts with the data storage and backends. All operations done using the Vault CLI interact with the server over a TLS connection.
The HashiCups team members can operate their Vault servers to achieve goals for development, testing, and pre-production.
Here are some key differences in startup and setup between each Vault server type:
| Dev mode Vault | Self-managed Vault | HCP Vault Dedicated |
|---|---|---|
| In-memory storage backend | Configurable storage backend | Integrated storage backend |
| Automatic initialization and unsealing | Requires initialization and unsealing | Automatic initialization and unsealing |
| Shamir's Secret Sharing seal with a single key share | Configurable seal | Cloud auto seal |
| Initial root token automatically generated or specified at runtime | Initial root token part of unseal output | No root token; generate admin tokens in HCP UI |
Choose a tab to start and prepare a dev server, self-managed server, or HCP server.
(Persona: Developer)
The dev server is a built-in, pre-configured server that is not useful for production, but is helpful if you want to use Vault in your local development environment.
Reminder: dev mode in-memory storage backend
The dev server uses an in-memory storage backend. This means that when you stop a dev server, you lose access to any data you wrote to the server.
Before you start the server, use the vault binary to print help with the -help flag. Scroll to the Dev options section.
The dev server listens on the loopback interface at 127.0.0.1 on TCP port 8200 without TLS enabled by default. At runtime, the dev server also automatically unseals, and prints the unseal key and initial root token values to the standard output.
Open a terminal and start a Vault dev server with the literal string root as the root token value, and enable TLS.
Root tokens
The dev mode server starts with an initial root token value set.
Root token use should be extremely guarded in production environments because it provides full access to the Vault server.
You can supply the root token value to start Vault in dev mode for convenience and to keep the steps here focused on the learning goals of this tutorial.
The server starts and emits startup details, and some helpful suggestions to the standard output.
The first section lists Vault server configuration details. This information is helpful to confirm that the server is operating under your desired configuration.
The second section shows server startup log output. This information relates to the operational status of the server during startup.
Since this is a dev server, Vault adds some extra helpful suggestions to the output in the third section.
You can use these suggestions to prepare your Vault client for communicating with the server.
In a new terminal, export the VAULT_ADDR and VAULT_CACERT environment variables using the commands suggested in your Vault dev server output. Copy each command (without the $) from the server output, and paste it into the new terminal session.
Here is an example of the first export command that instructs the client to communicate with the dev mode server.
Here is an example of the second command to specify the certificate authority file path.
Remember to use your dev server's values, not the examples shown here.
Check the server status
Now that you have a running Vault server, you can check its status from the command line.
Open a new terminal session, and check the server status.
(Persona: developer)
Check the status of your Vault dev server.
Example output:
Authenticate with Vault
You have a running server, and have checked its status. You're ready to authenticate with Vault.
(Persona: developer)
Authenticate with Vault using the initial root token value.
Vault prompts you for the token value:
Type in the literal string root, and press RETURN.
Vault responds with a success message, and output containing the token value and metadata.
Root tokens
Root token use should be extremely guarded in production environments. The root token is used here for convenience and to keep the tutorial steps focused on what you'll learn.
You've started your Vault server, checked its status and authenticated with Vault. From here, you can explore Vault further on your own or clean up the environment.
What are two common environment variables used to configure the Vault CLI?
- VAULT_ADDR specifies the address of the Vault server you are trying to connect to.
- VAULT_CACERT specifies the path to the TLS certificates used for secure connections to Vault.
Clean up
(Persona: developer)
Use CTRL+C to stop the server process in the terminal window where you started the server, or use this command to kill the server process from any local terminal session:
Unset environment variables.
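The developer walkthrough above (start the dev server, export the suggested variables, check status, log in, clean up) carried through as one POSIX shell script. This is an added example, not code from the HashiCorp tutorial: the server output it parses is a constructed sample with made-up paths and unseal key, the function names (dev_exports, apply_dev_exports, check_client_env, vault_status_and_login, cleanup_client) are my own, and the preflight that insists on an https:// address and a readable CA file is an extra check the tutorial does not perform. The cleanup also removes the token file that the default token helper writes on login, which unsetting the environment variables alone does not cover.

```shell
#!/bin/sh
# Added example; not part of the HashiCorp tutorial. Carries the dev-server
# walkthrough end to end in POSIX sh: capture the server's suggested exports,
# apply them without pasting, refuse to proceed unless the client is pointed
# at a TLS listener with a CA file, then run status, login and cleanup.
#
# The server side is the command below, run in its own terminal
# (-dev-root-token-id sets the root token, -dev-tls enables TLS with a
# generated self-signed certificate):
#
#   vault server -dev -dev-root-token-id=root -dev-tls

# Constructed sample of the third ("helpful suggestions") section that the dev
# server prints. The paths and the unseal key are made up for this example.
SAMPLE_DEV_OUTPUT=$(cat <<'EOF'
You may need to set the following environment variables:

    $ export VAULT_ADDR='https://127.0.0.1:8200'
    $ export VAULT_CACERT='/tmp/vault-tls-example/vault-ca.pem'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: EXAMPLE-UNSEAL-KEY-NOT-REAL
Root Token: root

Development mode should NOT be used in production installations!
EOF
)

# Print the suggested export commands with the leading "$ " prompt stripped,
# i.e. exactly the two lines the tutorial has you paste into a new terminal.
dev_exports() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\$ \(export VAULT_[A-Z_]*=.*\)$/\1/p'
}

# Print the root token the dev server announced.
dev_root_token() {
    printf '%s\n' "$1" | sed -n 's/^Root Token: //p'
}

# Apply the suggested exports to the current shell. Each line is split into
# name and value by hand rather than eval'd, so only VAULT_* variables can
# ever be set from captured text.
apply_dev_exports() {
    exports=$(dev_exports "$1")
    [ -n "$exports" ] || { echo "no export lines found in server output" >&2; return 1; }
    while IFS= read -r line; do
        name=${line#export }; name=${name%%=*}
        value=${line#*=};     value=${value#\'}; value=${value%\'}
        export "$name=$value"
    done <<EOF
$exports
EOF
}

# Preflight for the client: the address must be https:// (otherwise the token
# travels in cleartext) and the CA file the server generated must be readable
# (otherwise `vault status` fails the TLS handshake).
check_client_env() {
    case "${VAULT_ADDR:-}" in
        https://*) ;;
        *) echo "VAULT_ADDR is not an https:// URL: '${VAULT_ADDR:-}'" >&2; return 1 ;;
    esac
    [ -r "${VAULT_CACERT:-}" ] || { echo "VAULT_CACERT is not readable: '${VAULT_CACERT:-}'" >&2; return 1; }
}

# Status check and login, the two client steps of the tutorial. Skipped with
# return code 2 when no vault binary is installed, so the rest runs offline.
vault_status_and_login() {
    command -v vault >/dev/null 2>&1 || { echo "vault binary not in PATH" >&2; return 2; }
    check_client_env || return 1
    vault status || return 1
    # Same as typing the token at the prompt. The token helper stores it in
    # $HOME/.vault-token, which is why cleanup_client removes that file.
    vault login "$1"
}

# Cleanup: drop the client settings and the token the helper saved. The token
# file path is a parameter so a test can point it at a scratch location.
cleanup_client() {
    token_file=${1:-"$HOME/.vault-token"}
    unset VAULT_ADDR VAULT_CACERT VAULT_TOKEN
    rm -f "$token_file"
}

# Walkthrough on the constructed sample (safe to run without a server).
echo "Commands the tutorial has you paste:"
dev_exports "$SAMPLE_DEV_OUTPUT"
apply_dev_exports "$SAMPLE_DEV_OUTPUT"
ROOT_TOKEN=$(dev_root_token "$SAMPLE_DEV_OUTPUT")
# With a real server's output the preflight passes and the next two calls
# would be:  vault_status_and_login "$ROOT_TOKEN"; cleanup_client
check_client_env || echo "preflight failed (expected here: the sample CA path does not exist)"
```

To use it against a real dev server, replace SAMPLE_DEV_OUTPUT with the text your own server printed (or read it from a file), then call vault_status_and_login "$ROOT_TOKEN" followed by cleanup_client. The exports are parsed field by field instead of being eval'd so that a captured log can only ever set VAULT_* variables, and the https:// check is there because the dev server listens without TLS unless -dev-tls is given, in which case the root token would be sent in cleartext.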
Summary
Vault has different setup options based on your use case. Developers can run Vault in dev mode to support local testing and development against Vault. For production workloads, operations teams will need to follow the self-managed Vault setup and create a properly written configuration file. Teams can also opt for a production-ready cluster managed by HashiCorp by choosing to deploy Vault Enterprise on the HashiCorp Cloud Platform (HCP).