https://developer.hashicorp.com/vault
The leading open source secrets manager.
- stores credentials / secrets / keys / passwords / certificates / API keys
- detailed audit log
- key rolling
- encrypts before writing to disk / consul
- dynamic secrets - AWS backend generates IAM access keys on demand for accessing S3 bucket + revoke them after script finishes - Database backend generates on-demand, time-limited credentials
- data encryption - standard call for apps to encrypt without worrying about the mechanism, eg. before storing to SQL
- revocation - revoke single or whole tree of secrets, or all keys accessible by a user or all keys of a type (useful for leavers, rolling, intrusion lock downs)
- HA - takes lock on storage - Consul (recommended) - ZooKeeper - Etcd
- Auth - AWS, GCP, K8S, Github, Okta, Radius, Tokens, TLS Certs, Username + Pw
- Authz policies
- Audit - file, socket, syslog - at least one configured audit device must succeed to complete request
- single static binary (put in $PATH eg. /usr/local/bin)
- cross DC replication
- UI
- Hashicorp Sentinel policies integration
- AWS / GCP KMS auto unseal
- HSM support
brew tap hashicorp/tap
brew install hashicorp/tap/vaultAdds the entry complete -C /opt/homebrew/bin/vault vault to your ~/.bash_profile:
complete -C /opt/homebrew/bin/vault vaultRestart your shell as a full login shell:
exec bash -lIf the VAULT_* environment variables
are set, the autocompletion will automatically query the Vault server and return helpful argument suggestions.
Set the following environment variables
export VAULT_ADDR="https://vault.$MYDOMAIN"export VAULT_TOKEN=...
Run in RAM without TLS (still encrypts data):
vault server -devPrints out root token + unseal key + VAULT_ADDR environment variable.
https://developer.hashicorp.com/vault/docs/commands
vault statussecret/prefix handler tells Vault which secret engine to route to (secret/=>kvengine)
For prod use files or STDIN to avoid storing secret values in shell history:
vault write secret/blah value=test value2=test2vault list secretsvault read secret/blahvault read -format=json | jq -r .data.value2vault read -field=value2 secret/blahvault delete secret/blahDefault <handler>/ path is same as secrets engine name:
vault secrets enable [-path=kv] kvvault secrets listShow's vault's contents:
vault list kvDisable by <handler>/ path:
vault disable /kvvault login "$VAULT_TOKEN"vault auth enable [-path=github] githubAuth backends are always prefix with auth/<name>
Configure backend to auth to hashicorp GitHub organisation:
vault write auth/github/config organisation=hashicorpvault auth listShow config options:
vault auth help githubvault auth help awsvault auth help userpassvault auth help tokenvault login -method=githubRevoke logins from GitHub:
vault token revoke -mode path auth/githubRemove GitHub authentication completely
vault auth disable githubhttps://github.com/hashicorp/vault-action
https://developer.hashicorp.com/vault/tutorials/auto-unseal/autounseal-aws-kms
Create an ACL policy in Vault at $VAULT_URL/ui/vault/policies/acl with the following contents (HCL format):
path "<engine_name>/data/<folders>/<secret>" {
capabilities = ["read", "list"]
}(the /data/ part of the path is important and part of the API call, you cannot omit it otherwise you will get API
errors like forbidden or not found)
Then reference it in the Kubernetes deployment.yaml with the following annotations:
spec:
template:
metadata:
annotations:
vault.security.banzaicloud.io/vault-addr: <VAULT_HTTPS_URL>
vault.security.banzaicloud.io/vault-path: </path/to/secret>
vault.security.banzaicloud.io/vault-role: <role_you_created>
#vault.security.banzaicloud.io/vault-skip-verify: "true" # try not to do thisor rather Helm templated out via values-<env>.yamlbecause this is likely to be different per environment.