HashiCorp Vault's free tier : how do we use it with an example - unix1998/technical_notes GitHub Wiki

With HashiCorp Vault's free tier (open-source version), you can set up a local server. However, HashiCorp's remote SaaS service, Vault Cloud, is not available for free; it is a commercial offering.

Setting Up a Local Vault Server (Open Source)

Here's how to set up a local Vault server:

  1. Install Vault:

    wget https://releases.hashicorp.com/vault/1.10.3/vault_1.10.3_linux_amd64.zip
    unzip vault_1.10.3_linux_amd64.zip
    sudo mv vault /usr/local/bin/
    
  2. Start the Vault Server:

    • Start Vault in development mode (suitable for testing and development only: a dev server keeps all secrets in memory, listens on plaintext HTTP and hands out a root token with unrestricted access, so never use it outside a throwaway environment).
    vault server -dev
    
    • This will output the address and the root token to access the Vault server.
  3. Initialize and Unseal the Vault:

    • In production, you would need to initialize and unseal the Vault. For the development server, it's already unsealed.
    export VAULT_ADDR='http://127.0.0.1:8200'
    export VAULT_TOKEN='your-root-token'  # This is printed when you start the server in dev mode
    
  4. Enable and Configure the AWS Secrets Engine:

    • Enable the AWS secrets engine and configure it with your AWS credentials. These root credentials are what Vault uses to create and delete the short-lived IAM users it hands out, so give Vault a dedicated IAM user limited to those IAM actions rather than a personal or administrator key.
    vault secrets enable -path=aws aws
    
    vault write aws/config/root \
        access_key=your-access-key-id \
        secret_key=your-secret-access-key \
        region=us-west-2
    
  5. Create a Role in Vault:

    • Define a role to specify the AWS IAM policies. The policy below grants every EC2 action on every resource; in real use, narrow the Action and Resource to what the consumer of the credentials actually needs.
    vault write aws/roles/my-role \
        credential_type=iam_user \
        policy_document=-<<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:*",
          "Resource": "*"
        }
      ]
    }
    EOF
    
  6. Integrate with Terraform:

    • Use the Vault provider in Terraform to fetch AWS credentials dynamically. Each read of aws/creds/my-role mints a new IAM user under a Vault lease, and the returned keys are recorded in Terraform state, so protect the state file and let the lease expire (or revoke it) once the run is done.
    provider "vault" {
      address = "http://127.0.0.1:8200"
    }
    
    data "vault_generic_secret" "aws" {
      path = "aws/creds/my-role"
    }
    
    provider "aws" {
      access_key = data.vault_generic_secret.aws.data["access_key"]
      secret_key = data.vault_generic_secret.aws.data["secret_key"]
      region     = "us-west-2"
    }
    
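The same procedure (steps 4 to 6) driven through Vault's HTTP API rather than the CLI and Terraform, as an added example that is not part of this wiki page or of HashiCorp's code. It assumes a dev server reachable at VAULT_ADDR with a token in VAULT_TOKEN (read from the environment, as the wiki's export step sets them) and the role name my-role; the narrowed policy document, the placeholder keys and the FakeVault double are constructed for this example so that the mint-use-revoke cycle runs offline.

```python
import json
import os
import urllib.request

# Connection settings come from the environment, exactly as the wiki's
# `export VAULT_ADDR` / `export VAULT_TOKEN` step sets them; the root token
# is never written into source.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")

# Role policy: the wiki grants "ec2:*"; this constructed document keeps the
# same shape but names only the actions the consumer needs.
POLICY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "ec2:DescribeImages"],
        "Resource": "*",
    }],
}


def vault_request(method, path, body=None, addr=VAULT_ADDR, token=VAULT_TOKEN):
    """One call to Vault's HTTP API under /v1/; returns decoded JSON ({} for an empty 204)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{addr}/v1/{path}", data=data, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def setup_aws_engine(http, access_key, secret_key, region="us-west-2", role="my-role"):
    """Wiki steps 4 and 5 over the API: mount the engine, set the root
    credentials, define the role. `http` is vault_request or a test double."""
    http("POST", "sys/mounts/aws", {"type": "aws"})
    http("POST", "aws/config/root",
         {"access_key": access_key, "secret_key": secret_key, "region": region})
    http("POST", f"aws/roles/{role}",
         {"credential_type": "iam_user",
          "policy_document": json.dumps(POLICY_DOCUMENT)})
    return role


def fetch_credentials(http, role="my-role"):
    """Wiki step 6 without Terraform: each read of aws/creds/<role> mints a
    new IAM user bound to a lease; keep the lease_id so it can be revoked."""
    resp = http("GET", f"aws/creds/{role}")
    return {
        "lease_id": resp["lease_id"],
        "lease_duration": resp["lease_duration"],
        "access_key": resp["data"]["access_key"],
        "secret_key": resp["data"]["secret_key"],
    }


def revoke_lease(http, lease_id):
    """Revoke the lease so Vault deletes the IAM user now rather than at TTL."""
    http("PUT", "sys/leases/revoke", {"lease_id": lease_id})
    return lease_id


class FakeVault:
    """Offline stand-in for a dev server: records every call and answers
    aws/creds with a constructed response in the real endpoint's shape."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, path, body=None):
        self.calls.append((method, path, body))
        if method == "GET" and path.startswith("aws/creds/"):
            return {"lease_id": "aws/creds/my-role/EXAMPLE-LEASE-ID",
                    "lease_duration": 2764800, "renewable": True,
                    "data": {"access_key": "AKIAEXAMPLE",
                             "secret_key": "EXAMPLE-SECRET",
                             "security_token": None}}
        return {}


def run_lifecycle(http):
    """Full mint-use-revoke cycle; returns what a caller would need to audit it."""
    role = setup_aws_engine(http, "EXAMPLE-ACCESS-KEY", "EXAMPLE-SECRET-KEY")
    creds = fetch_credentials(http, role)
    # ... use creds["access_key"] / creds["secret_key"] with the AWS SDK here ...
    revoked = revoke_lease(http, creds["lease_id"])
    return {"role": role, "lease_id": revoked, "access_key": creds["access_key"]}


if __name__ == "__main__":
    # Runs offline against the double; pass vault_request instead to talk to a dev server.
    print(json.dumps(run_lifecycle(FakeVault()), indent=2))
```

Run as-is it exercises the whole sequence against FakeVault; replacing `FakeVault()` with `vault_request` sends the same five requests to the dev server from step 2. The revoke step is the part the Terraform snippet above lacks: a credential read through a data source lives in state until its lease expires, whereas here the IAM user is deleted as soon as the work is done.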

Vault Cloud (HashiCorp SaaS)

If you are interested in a managed service, HashiCorp offers Vault Cloud, but it is a commercial product with no free tier. Vault Cloud provides a hosted, managed Vault service with additional enterprise features, support, and operational ease.

Conclusion

For free usage, setting up a local Vault server using the open-source version is the way to go. This setup will give you access to Vault's core functionalities, including secret management and integration with Terraform, suitable for development and small-scale production environments.