Vault - vidyasekaran/current_learning GitHub Wiki

Excerpts from HashiCorp Certified: Vault Associate

Zeals Vault document : https://docs.google.com/document/d/1Z6VWdgWPuOdX9V18PIhpzz-OOlzTCKyqze1yHKJA7jo/edit

git for the course: https://github.com/vidyasekaran/hashicorp-certified-vault-associate

https://www.vaultproject.io/

https://www.vaultproject.io/docs/what-is-vault Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

A modern system requires access to a multitude of secrets: database credentials, API keys for external services, credentials for service-oriented architecture communication, etc. Understanding who is accessing what secrets is already very difficult and platform-specific. Adding on key rolling, secure storage, and detailed audit logs is almost impossible without a custom solution. This is where Vault steps in.

Use Cases

- General Secret Storage
- Employee Credential Storage
- API Key Generation for Scripts
- Data Encryption

Installation

https://www.vaultproject.io/downloads

Added the binary to PATH and set VAULT_ADDR to http://127.0.0.1:8200

Accessing Vault in Server Mode

`vault server -dev` starts a dev server and prints the root token:

You may need to set the following environment variable:

PowerShell: $env:VAULT_ADDR="http://127.0.0.1:8200"
cmd.exe: set VAULT_ADDR=http://127.0.0.1:8200

The unseal key and root token are displayed below in case you want to seal/unseal the Vault or re-authenticate.

Unseal Key: PfHGND8Mm+zB+Jj2WXaYQRZRyLfqJdzB/KDYJQJaa3k=
Root Token: s.ZrwfWVvvtSFykqU4BGhppTJr

Running Vault in Command line mode

Type in command line :

Set VAULT_ADDR to http://127.0.0.1:8200 in the system environment variables (properties)

vault status (with this set, we can reach Vault from Windows)

Overview of Secrets Engines - we learnt the key/value secrets engine

A huge list of secrets engines is available; for example:

https://www.vaultproject.io/docs/secrets

Overview of Dynamic Secrets

Many Vault engines generate secrets on demand.

Vault needs to be integrated with the database or cloud provider; then it can generate credentials and hand them to developers.

For AWS, an access key and secret key are required, so we need to integrate Vault with AWS.

Generating AWS Credentials dynamically

  1. You create an AWS engine from Vault - you will provide the name "developer-access-role".

  2. Create a role - whatever permission we want to give to a user, pick a policy JSON from the AWS IAM policies and copy/paste it here.

  3. Now Vault needs to interact with AWS, so it needs an access key ID and secret key - create a new user "vault_user" in AWS and attach an additional policy, for example "admin"; on the Security credentials tab, press the create access key button (Vault will use this to generate the various users). Take the access key and secret key and put them in Vault under configuration.

  4. Now, when a developer clicks on "developer-access-role", Vault will generate a user with the IAM policy we pasted into the role in step 2.
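The same four steps as Vault HTTP API calls, added here as an example (not the course's code): a small client that mounts the AWS engine, creates the role with its IAM policy, stores the vault_user keys, issues a leased IAM user and revokes it by lease. The constructed `DEVELOPER_POLICY`, the `VaultAwsEngine` class and the `transport` hook are assumptions; it expects a reachable Vault and a token allowed to write `sys/mounts` and `aws/*`.

```python
import json
import os
import urllib.request

# Constructed sample IAM policy (an assumption): what a developer role might carry.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}],
}

def http_transport(method, url, token, body):
    """Default transport: one JSON request to Vault; returns the parsed reply (None on 204)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

class VaultAwsEngine:
    """Hypothetical helper mapping the four UI steps above onto Vault's HTTP API."""

    def __init__(self, token, addr=None, transport=http_transport):
        self.addr = (addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")).rstrip("/")
        self.token, self.transport = token, transport

    def _call(self, method, path, body=None):
        return self.transport(method, f"{self.addr}/v1/{path}", self.token, body)

    def enable(self, mount="aws"):
        # Step 1: mount the AWS secrets engine.
        return self._call("POST", f"sys/mounts/{mount}", {"type": "aws"})

    def create_role(self, name, policy):
        # Step 2: the role carries the IAM policy every generated user will receive.
        return self._call("POST", f"aws/roles/{name}",
                          {"credential_type": "iam_user", "policy_document": json.dumps(policy)})

    def configure_root(self, access_key, secret_key, region="us-east-1"):
        # Step 3: the vault_user keys; least privilege is IAM user/key management, not full admin.
        return self._call("POST", "aws/config/root",
                          {"access_key": access_key, "secret_key": secret_key, "region": region})

    def generate_creds(self, name):
        # Step 4: mint a fresh IAM user; lease_id is the handle for revoking it later.
        r = self._call("GET", f"aws/creds/{name}")
        return {"lease_id": r["lease_id"], "ttl": r["lease_duration"],
                "access_key": r["data"]["access_key"], "secret_key": r["data"]["secret_key"]}

    def revoke(self, lease_id):
        # Dynamic credentials are leased: revoking the lease deletes the IAM user in AWS.
        return self._call("PUT", "sys/leases/revoke", {"lease_id": lease_id})
```

Against the dev server above, construct it with the printed root token and VAULT_ADDR; in production, pass a transport that verifies TLS and a token scoped to these paths only.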

Spring Cloud Vault integration - Spring Cloud Vault Config Example | Secrets Management | JavaTechie

https://www.youtube.com/watch?v=n0kmSftlesE

https://spring.io/guides/gs/vault-config/#initial