Skip to main content

Hashicorp Vault - Secrets & Tokens

Victoria Harbour, Hong Kong

In the previous step I installed Hashicorp Vault, configured it and unsealed it - so I am now ready to start using it:

vault status

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.8.2
Storage Type    consul
Cluster Name    vault-cluster-c09dbd91
Cluster ID      fbd3d3c4-bfed-45b3-f930-9bd1fc17c3a7
HA Enabled      true
HA Cluster      https://192.168.2.110:8201
HA Mode         active
Active Since    2021-09-14T03:54:27.968463561Z

Adding Secrets to the Consul K/V Store

Create a Secrets Engine

Add a secrets engine to the K/V store by defining the path name and type kv:

vault secrets enable -path=thisisatest -description='This is a Test!' kv
Success! Enabled the kv secrets engine at: thisisatest/

Verify that the path was generated:

vault secrets list

Path            Type         Accessor              Description
----            ----         --------              -----------
thisisatest/    kv           kv_eb9cbb20           This is a Test!

And remove the secrets engine with:

vault secrets disable thisisatest
Success! Disabled the secrets engine (if it existed) at: thisisatest/

Add a Secret

PUT: Add a secret to your secret engine:

vault kv put thisisatest/elastic_master_login password=nIgXI6mKxt3lHmtvJEgypaE
Success! Data written to: thisisatest/elastic_master_login

GET: Read a secret from your secret engine:

vault kv get thisisatest/elastic_master_login

====== Data ======
Key         Value
---         -----
password    nIgXI6mKxt3lHmtvJEgypaE

DELETE: Remove a secret from your secret engine:

vault kv delete thisisatest/elastic_master_login
Success! Data deleted (if it existed) at: thisisatest/elastic_master_login

Authentication Methods

Working with Tokens

Currently, I am using the bootstrap root token that was generated when I initialized Vault. To be able to interact with the Vault API you can create additional tokens with:

vault token create

Key                  Value
---                  -----
token                s.mP10AAvC0ZdW6WinL49rGGXX
token_accessor       JTFRs2OwKTLEDfJPIlGbHun7
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

And manually revoke them, when no longer needed:

vault token revoke s.mP10AAvC0ZdW6WinL49rGGXX
Success! Revoked token (if it existed)

Working with Username and Passwords

Activate the authentication method:

vault auth enable userpass
Success! Enabled userpass auth method at: userpass/

And add user logins to the K/V store:

vault write auth/userpass/users/manfred_mustermann password=strongpassword
Success! Data written to: auth/userpass/users/manfred_mustermann

And use the new user to login to Vault:

vault login -method=userpass username=manfred_mustermann
Password (will be hidden): strongpassword

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  s.kWg9HwLETHCVhHqivVUpnm1l
token_accessor         BCDUSKAI3pXXVDzjQKW15nG1
token_duration         768h
token_renewable        true
token_policies         ["default"]
identity_policies      []
policies               ["default"]
token_meta_username    manfred_mustermann

Working with Github Logins

Login to your Github account and create a (free) organization from the Settings/Organization tab:

HashiCorp Vault

Enable Github Auth in Vault:

vault auth enable github
Success! Enabled github auth method at: github/

And add your Github organization to Vault:

vault write auth/github/config organization=INSTAR-Deutschland
Success! Data written to: auth/github/config

Assign a default tag for the authentication token. This can later be mapped to a group policy to restrict access:

vault write auth/github/map/teams/development value=gh-policy
Success! Data written to: auth/github/map/teams/development

Add a user (that is part of your Github organization) and assign a tag for a user policy:

vault write auth/github/map/users/mpolinowski value=developer-policy
Success! Data written to: auth/github/map/users/mpolinowski

Back inside your Github Settings open the Developer tab and create a new access token:

HashiCorp Vault

HashiCorp Vault

On the Vault UI choose Github as your authentication method and paste in your generated access token to have Vault veriy that you are one of the added Github users and are part of the organization that you added to Vault:

HashiCorp Vault

And there you go:

HashiCorp Vault

List all active Auth Methods

vault auth list

Path         Type        Accessor                  Description
----         ----        --------                  -----------
github/      github      auth_github_141b7ec9      n/a
token/       token       auth_token_e36baf76       token based credentials
userpass/    userpass    auth_userpass_51025fe5    n/a

Disable methods that you no longer need:

vault auth disable github
vault auth disable userpass