Cheat Sheet #day34 - HashiCorp Vault

HashiCorp Vault Cheatsheet

Basic Concepts

  • Vault: A tool for securely storing and accessing secrets.

  • Secrets: Sensitive data like API keys, passwords, certificates, etc.

  • Policies: Rules that define what actions users can perform on secrets.

  • Authentication Methods: Ways to verify a user's identity (e.g., tokens, LDAP, GitHub).

  • Backends: Storage backends (where data is stored) and secrets backends (how data is managed).

Starting Vault

  1. Install Vault:

    • Download Vault

    • Install using package manager (e.g., brew install vault for macOS).

  2. Start Vault Server:

     vault server -dev
    
  3. Export Address and Token:

     export VAULT_ADDR='http://127.0.0.1:8200'
     export VAULT_TOKEN='your-root-token'
    

Basic Commands

  • Initialize Vault:

      vault operator init
    
  • Unseal Vault:

      vault operator unseal <Unseal Key 1>
      vault operator unseal <Unseal Key 2>
      vault operator unseal <Unseal Key 3>
    
  • Check Vault Status:

      vault status
    

Authentication

  • Login with Token:

      vault login <your-root-token>
    
  • Enable Authentication Method (e.g., Userpass):

      vault auth enable userpass
    
  • Create User (Userpass):

      vault write auth/userpass/users/<username> password=<password> policies=<policy>
    

Secrets Management

  1. Enable a Secrets Engine:

     vault secrets enable -path=secret kv
    
  2. Write a Secret:

     vault kv put secret/my-secret key1=value1 key2=value2
    
  3. Read a Secret:

     vault kv get secret/my-secret
    
  4. List Secrets:

     vault kv list secret/
    
  5. Delete a Secret:

     vault kv delete secret/my-secret
    

Policies

  1. Create a Policy:

     path "secret/*" {
       capabilities = ["create", "read", "update", "delete", "list"]
     }
    
  2. Write a Policy:

     vault policy write my-policy my-policy.hcl
    
  3. Attach Policy to a Token:

     vault token create -policy=my-policy
    

Tokens

  1. Create a Token:

     vault token create
    
  2. Revoke a Token:

     vault token revoke <token>
    
  3. Lookup Token:

     vault token lookup <token>
    

Dynamic Secrets

  1. Enable Database Secrets Engine:

     vault secrets enable database
    
  2. Configure Database Connection:

     vault write database/config/my-database \
       plugin_name=mysql-database-plugin \
       connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \
       allowed_roles="my-role" \
       username="root" \
       password="root-password"
    
  3. Create a Role for Dynamic Secrets:

     vault write database/roles/my-role \
       db_name=my-database \
       creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
                           GRANT SELECT ON \`my-database\`.* TO '{{name}}'@'%';" \
       default_ttl="1h" \
       max_ttl="24h"
    
  4. Generate Dynamic Secrets:

     vault read database/creds/my-role
    

Auditing

  1. Enable Audit Device:

     vault audit enable file file_path=/var/log/vault_audit.log
    
  2. List Audit Devices:

     vault audit list
    
  3. Disable Audit Device:

     vault audit disable <audit-path>
    

Useful Commands

  • Help:

      vault help
    
  • Version:

      vault version
    
  • License (Vault Enterprise only):

      vault license status
    

Tips and Tricks

  • Environment Variables:

    • Use VAULT_ADDR and VAULT_TOKEN to avoid passing parameters with every command.

  • Alias:

    • Create command aliases for frequent tasks to speed up your workflow.

  • Scripting:

    • Automate Vault operations using shell scripts for repetitive tasks.

  • Security:

    • Always follow security best practices such as enabling TLS, rotating secrets, and limiting access through policies.

HashiCorp Vault is a robust tool for managing secrets and protecting sensitive data. This cheatsheet provides a quick reference to its core functionalities, helping you to leverage Vault effectively in your security and secrets management tasks.
