Hey folks!!

In this article let's take a quick look into HashiCorp Vault, its purpose, and how to deploy it using DevOps tools (Ansible and Terraform) on AWS EC2.

What is HashiCorp Vault?

HashiCorp Vault is a solution for secrets management.

A secret is anything that you want to tightly control access, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

Why do we need to manage secrets?

The main use case is to centralize secrets management. Teams want to avoid having secrets sprawled across the infrastructure, so they use Vault to keep their management in one location. Additionally, they want to be able to have an audit log, and enforce access control list (ACL) policies on a least-privilege basis.

We can rotate credentials or generate temporary credentials, such as database or IAM credentials. Once a specific task is complete, these credentials are revoked.

How does Vault protect data?

Vault creates an encryption key that is used to encrypt any data stored in the vault on your storage backend. Vault has a master key that is used to encrypt and decrypt the encryption keys. The master key is kept only in the Vault node's memory; it is not written to persistent storage.

Vault itself does not store anything: it sits as a middleware in front of a storage backend. HashiCorp Vault supports many storage backends; the most common are:

  • Consul
  • PostgreSQL
  • MySQL
  • AWS S3
  • FileSystem
  • Etcd
  • DynamoDB

See https://www.vaultproject.io/docs/configuration/storage for more details.

To keep things simple, in this article we will use the filesystem as the storage backend.

Getting your hands dirty!!

Before we start, there are some requirements to deploy the project:

Fortunately I already did the heavy lifting and made the content available in the GitHub repository:

$ git clone https://github.com/matheusmaais/HashicorpVault

Put your AWS key into the HashicorpVault directory.

key_name = "PUT ONLY YOUR KEY NAME, WITHOUT .pem"

Change /PATH_TO_YOUR_KEY.pem to ./your_key_name.pem

This is the only adjustment needed for the project to work:

$ sh deploy.sh

We will now explain how the process works:

  • Terraform will use the ec2.tf file to provision a t2.micro instance, and use the output defined in output.tf to create a text file inside the ./ansible directory containing our instance's IP.
  • The sg.tf file creates the Security Group with the ports needed to reach Vault externally.

After the server is online, Ansible takes action:

  • Upgrade the server
  • Add the HashiCorp repository
  • Download and install the Vault binary
  • Move the binary into the PATH
  • Copy the vault.hcl config file (this file sets the filesystem as the storage backend)
  • Add the environment variables permanently
  • Reboot the machine
  • Initialize and unseal Vault
  • Copy the encryption keys and root token from the server to your local machine, into the ./ansible directory

All of these actions are performed by the ./ansible/vault.yml playbook.

All calls to Terraform and Ansible are executed by the deploy.sh script.

To destroy the entire infrastructure, simply run:

$ sh destroy.sh

How to access the Vault server and store some secrets?

We will use our own local machine to access the Vault server. To do so:

  • Download Vault

If you're on macOS, run brew install vault; if you're on Linux, follow the tutorial linked below:


Once installed, let's set an environment variable, replacing the value with your instance's IP address, e.g.:

export VAULT_ADDR=""

Copy the root token, which is stored in ./ansible/ec2IP/key.txt.

Run vault login and paste your root token.


$ vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.5.5
Cluster Name    vault-cluster-6f57a99a
Cluster ID      9ca54096-5789-a906-9762-d3580b212487
HA Enabled      false

Let's enable the KV (key/value) secrets engine at our demo path:

$ vault secrets enable -path=vaultdemo/ kv
$ vault secrets list   (will show the available paths)
$ vault kv put vaultdemo/foo username=foo password=bar
$ vault kv get vaultdemo/foo
====== Data ======
Key         Value
---         -----
password    bar
username    foo

To access the Vault UI, open http://ec2_IP:8200 in your browser.