- Download vault
wget https://dl.bintray.com/mitchellh/vault/vault_0.2.0_linux_386.zip
- Create and edit config
- Create config
vim config.hcl
- Edit config
backend "consul" {
  address = "127.0.0.1:8500"
  path = "vault"
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 1
}
- Allow connections via iptables
# For development server only
sudo iptables --flush
- Start Vault server
vault server --config config.hcl
- Setup vault server address on vault client
export VAULT_ADDR='http://192.168.0.3:7000'
- Initiate vault server from vault client
vault init
Now save the keys generated by the vault init command. By default it gives you five keys, and you need any three of them, in any combination, to unseal the vault.
#Example output of init
Key 1: f49b313ee82b42c3b556eb2e516a4e5d285f582dec30411291998c0774b7766501
Key 2: 6e0144bd867eb3a771aba43dd6f8b3550134c539f3ab48eb5babf58ba639d75b02
Key 3: 5bd7eb55d3b289981840db0f9d45462dc8ffcd2de433a2644d22b60afdb59e9903
Key 4: bd147bb6b9a63fde7ad0e151eaaa62f3857b4399730ec6a6c9837dccda3b07d304
Key 5: 88c2d45eec6a05e1133b9e63a117978b4cb04b8d64962c29df0a3e4d81b74e1105
Initial Root Token: 82005f2f-43ff-898d-8202-ee58a4a5b409
Token 78bfbbcf-9eb5-f1d0-c56f-945d8b6d1bdf
- Unseal the vault
vault unseal <key1>
vault unseal <key2>
vault unseal <key3>
Now you have unlocked your vault with three keys
- Authenticate with the root token
vault auth <token-id>
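The unseal step above is the point where the key shares have to be handled carefully: the whole reason Vault hands out five shares with a threshold of three is that no single holder should be able to unseal on their own. The following shell script is an added example (not part of the original notes and not a Vault command): it parses the text that `vault init` prints, separates the unseal keys from the root token, writes each share to its own 0600 file so the shares can be given to different holders, and prints the `vault unseal` commands for any three of them. The sample output is the one shown on this page; the function names (`extract_unseal_keys`, `extract_root_token`, `split_key_shares`, `unseal_commands`) are this example's own.

```shell
#!/bin/sh
# Added example: handle the output of `vault init` (Vault 0.2.0 format).
# Sample text copied from the page above; it is only used as input here.
INIT_OUTPUT='Key 1: f49b313ee82b42c3b556eb2e516a4e5d285f582dec30411291998c0774b7766501
Key 2: 6e0144bd867eb3a771aba43dd6f8b3550134c539f3ab48eb5babf58ba639d75b02
Key 3: 5bd7eb55d3b289981840db0f9d45462dc8ffcd2de433a2644d22b60afdb59e9903
Key 4: bd147bb6b9a63fde7ad0e151eaaa62f3857b4399730ec6a6c9837dccda3b07d304
Key 5: 88c2d45eec6a05e1133b9e63a117978b4cb04b8d64962c29df0a3e4d81b74e1105
Initial Root Token: 82005f2f-43ff-898d-8202-ee58a4a5b409
Token 78bfbbcf-9eb5-f1d0-c56f-945d8b6d1bdf'

# Print the unseal key shares, one per line, in the order vault printed them.
extract_unseal_keys() {
    printf '%s\n' "$1" | sed -n 's/^Key [0-9][0-9]*: *//p'
}

# Print only the initial root token (the "Token ..." line is ignored).
extract_root_token() {
    printf '%s\n' "$1" | sed -n 's/^Initial Root Token: *//p'
}

# Number of shares found; by default vault init prints five.
count_unseal_keys() {
    extract_unseal_keys "$1" | wc -l | tr -d ' '
}

# Print the first N shares. Any N shares unseal the vault; taking the
# first N is only to illustrate the threshold.
select_threshold_keys() {
    extract_unseal_keys "$1" | head -n "$2"
}

# Write each share to its own file (mode 0600 via umask) under $1 so the
# shares can be distributed to separate holders instead of kept together.
split_key_shares() {
    dir=$1
    shift
    mkdir -p "$dir"
    ( umask 077
      i=1
      extract_unseal_keys "$1" | while IFS= read -r key; do
          printf '%s\n' "$key" > "$dir/share-$i"
          i=$((i + 1))
      done )
}

# Emit the `vault unseal` commands for N shares. They are printed, not run,
# so this script can be reviewed before any share is typed into a terminal.
unseal_commands() {
    select_threshold_keys "$1" "$2" | sed 's/^/vault unseal /'
}

# Stand-alone usage: show how many shares there are and the three commands
# an operator holding shares 1-3 would run.
echo "shares found: $(count_unseal_keys "$INIT_OUTPUT")"
unseal_commands "$INIT_OUTPUT" 3
```

The root token returned by `extract_root_token` should be treated the same way as a share: use it once to write policies and create scoped tokens, then stop using it.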
#Get this kind of response
Successfully authenticated! The policies that are associated
with this token are listed below:
root
# Use the root token only for this setup step:
# create policies, then generate new tokens with those policies; try not to generate any more root tokens
- Creating policies
# acl.hcl
path "secret/*" {
  policy = "write"
}

path "secret/foo" {
  policy = "read"
}
vault policy-write secret acl.hcl
- Creating token with policy
vault token-create -policy="secret"