In this article, let's take a quick look at HashiCorp Vault: what it is for, and how to deploy it on an AWS EC2 instance using DevOps tools (Ansible and Terraform).
What is Hashicorp Vault?
HashiCorp Vault is a secrets management solution.
A secret is anything to which you want to tightly control access, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret, while enforcing tight access control and recording a detailed audit log.
Why do we need to manage secrets?
The main use case is to centralize secrets management. Teams want to avoid having secrets sprawled across the infrastructure, so they use Vault to keep their management in one location. Additionally, they want to be able to have an audit log, and enforce access control list (ACL) policies on a least-privilege basis.
We can rotate credentials or generate temporary credentials, such as database or AWS IAM credentials. Once a specific task is complete, these credentials are revoked, so a leaked credential has a short useful life.
How does Vault protect data?
Vault creates an encryption key that is used to encrypt any data it writes to your storage backend, so the backend only ever holds ciphertext. Vault also has a master key that is used to encrypt and decrypt that encryption key (the keyring). The master key lives only in the memory of the Vault process; it is never written to persistent storage. With the default Shamir seal, the master key is split into key shares at initialization, and a threshold of those shares (3 of 5 by default) must be submitted to unseal the server before it can serve any request after a restart.
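The seal just described is what the "Seal Type shamir" and "Total Shares 5" lines in the vault status output further down refer to: at initialization the master key is split into shares, and any threshold-sized subset rebuilds it in memory while fewer shares reveal nothing. The following Python is an added illustration for this article, not Vault's own code: it implements Shamir's scheme byte-wise over GF(2^8) with the AES polynomial (the same field Vault's seal works in) and shows that any 3 of 5 shares recover a constructed 32-byte key while 2 do not. The key, the share counts and the injectable rng parameter are assumptions of the demo.

```python
import os

# GF(2^8) arithmetic with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1.
# Independent re-implementation for illustration; Vault's seal splits the
# master key byte-wise over this same field, but this is not Vault's code.


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (0..255)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse via a^(2^8 - 2); a must be non-zero."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def _eval_poly(coeffs: list, x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... over GF(2^8)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def split_secret(secret: bytes, shares: int, threshold: int, rng=os.urandom):
    """Split `secret` into `shares` key shares; any `threshold` of them rebuild it.

    Each share is (x, bytes). rng(n) must return n random bytes; it is
    injectable only so that tests can be deterministic (assumption of the demo).
    """
    if not 2 <= threshold <= shares <= 255:
        raise ValueError("need 2 <= threshold <= shares <= 255")
    # One random polynomial of degree threshold-1 per secret byte: the
    # constant term is the secret byte, the remaining coefficients are random.
    polys = [[s] + list(rng(threshold - 1)) for s in secret]
    return [(x, bytes(_eval_poly(p, x) for p in polys)) for x in range(1, shares + 1)]


def combine_shares(shares: list) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x = 0, which is the secret byte."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share supplied")
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num, den = 1, 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    num = gf_mul(num, xm)        # (0 - xm) == xm in characteristic 2
                    den = gf_mul(den, xj ^ xm)   # (xj - xm) == xj XOR xm
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    # Constructed demo: a random 32-byte "master key", Vault's default 5 shares / threshold 3.
    master_key = os.urandom(32)
    shares = split_secret(master_key, shares=5, threshold=3)
    print("3 of 5 rebuild the key:", combine_shares(shares[:3]) == master_key)
    print("any 3 work:            ", combine_shares([shares[0], shares[2], shares[4]]) == master_key)
    print("2 of 5 do not:         ", combine_shares(shares[:2]) == master_key)
```

Each unseal key the playbook copies to your machine is one of these shares; holding fewer than the threshold gives an attacker nothing, which is exactly why the shares should be handed to different people rather than kept together in one file.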
Vault itself does not persist anything on its own. It is middleware in front of a storage backend, and it supports many of them, for example:
- AWS S3
See https://www.vaultproject.io/docs/configuration/storage for more details.
To keep things simple, this article uses the filesystem storage backend. Keep in mind that the file backend writes everything to the local disk of a single node and has no high-availability support, so it is fine for a lab but not for production.
Getting your hands dirty!!
Before we start, there are some requirements for deploying the project:
- All actions were performed on macOS, but they should work equally well in a Linux environment
- An AWS account with a programmatic user (AWS Access Key ID and AWS Secret Access Key)
- The AWS CLI installed on your local machine
- An AWS EC2 key pair
Fortunately, I already did the heavy lifting and made the content available in the GitHub repository:
Put your AWS key pair (the .pem file) into the HashicorpVault directory, and make sure it is ignored by git so the private key never ends up in a commit. Then make the following two adjustments, which are the only ones necessary for the project to work:
- Set key_name to the name of your key pair only, without the .pem extension:
key_name = "PUT ONLY YOUR KEY NAME, WITHOUT .pem"
- Change /PATH_TO_YOUR_KEY.pem to ./your_key_name.pem
Here is how the process works:
- Terraform uses the ec2.tf file to provision a t2.micro instance and uses the output defined in output.tf to write a text file inside the ./ansible directory containing the instance's IP address.
- The sg.tf file creates the Security Group with the ports needed to reach Vault from outside (Vault listens on 8200 by default, and Ansible needs SSH). Scope the ingress rules to your own source IP rather than 0.0.0.0/0: a Vault API reachable from the whole internet is a bad idea even for a lab.
After the server is online, Ansible takes over:
- Upgrade the server packages
- Add the HashiCorp repository
- Download and install the Vault binary
- Move the binary onto the PATH
- Copy the vault.hcl config file (this is where the filesystem storage backend is configured)
- Add environment variables permanently
- Reboot the machine
- Initialize and unseal Vault
- Copy the unseal keys and root token from the server to the ./ansible directory on your local machine (these are the unseal key shares and the all-powerful root token, not the data encryption key; treat that file as a secret and keep it out of version control)
All of these actions are performed by the ./ansible/vault.yml playbook.
All calls to Terraform and Ansible are executed by the deploy.sh script.
To destroy the entire infrastructure, simply run the command
How do you access the Vault server and store some secrets?
We will use our own local machine to access the Vault server. To do that:
* Download Vault
If you're on a Mac, run the brew install vault command; if you're on Linux, follow the tutorial linked below:
Once installed, point the vault CLI at the server by setting the VAULT_ADDR environment variable, replacing 22.214.171.124 with your instance's IP address.
Copy the root token, which the playbook placed in ./ansible/ec2IP/key.txt (this token grants unrestricted access to the server, so keep the file out of version control).
Run $ vault login and paste your root token. A quick $ vault status confirms that the server is up and unsealed; the relevant part of its output looks like this:
Seal Type shamir
Total Shares 5
Cluster Name vault-cluster-6f57a99a
Cluster ID 9ca54096-5789-a906-9762-d3580b212487
HA Enabled false
Let's enable the KV (key/value) secrets engine at the path vaultdemo:
$ vault secrets enable -path=vaultdemo/ kv
$ vault secrets list (shows the available paths)
$ vault kv put vaultdemo/foo username=foo password=bar
$ vault kv get vaultdemo/foo
====== Data ======
To access the Vault UI, open http://ec2_IP:8200 in your browser. Note that this listener is plain HTTP: the root token and every secret you read or write cross the network in cleartext, so enable TLS on the listener (or put it behind a TLS-terminating proxy) and restrict the Security Group to trusted source IPs before keeping this server around.
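The "initialize and unseal" step the playbook performs and the KV commands just shown are both thin CLI wrappers around Vault's HTTP API. The following Python client is an added example for this page, not code from the article's repository: it performs the same exchange with urllib, sends the token in the X-Vault-Token header the way vault login does for subsequent commands, refuses to proceed while the server is sealed, and surfaces HTTP errors instead of swallowing them. The VAULT_ADDR and VAULT_TOKEN environment variables and the injectable transport parameter are assumptions of this example; the endpoints (/sys/seal-status, /sys/init, /sys/unseal, /sys/mounts/<path>, and KV v1 read/write at the mount path) are Vault's documented API.

```python
import json
import os
import sys
import urllib.error
import urllib.request


class VaultClient:
    """Small client for the Vault HTTP API behind the CLI commands in the walkthrough.

    transport(method, url, headers, body) -> (status, body_bytes) is injectable
    (an assumption of this example) so the exchange can be exercised offline.
    """

    def __init__(self, addr: str, token=None, transport=None):
        self.addr = addr.rstrip("/")
        self.token = token
        self._transport = transport or self._urllib_transport
        if self.addr.startswith("http://"):
            # The article's listener has no TLS; on a real network the token and
            # every secret cross the wire in cleartext.
            print("WARNING: VAULT_ADDR is plain http://; enable TLS on the listener", file=sys.stderr)

    @staticmethod
    def _urllib_transport(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    def _call(self, method, path, payload=None, auth=True):
        headers = {"Content-Type": "application/json"}
        if auth:
            if not self.token:
                raise RuntimeError("no token: initialize or log in first")
            headers["X-Vault-Token"] = self.token  # what `vault login` arranges for later calls
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self._transport(method, f"{self.addr}/v1{path}", headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed: HTTP {status} {raw.decode(errors='replace')}")
        return json.loads(raw) if raw else {}

    # --- bootstrap: what the playbook's "initialize and unseal" step does ---
    def seal_status(self):
        return self._call("GET", "/sys/seal-status", auth=False)  # unauthenticated endpoint

    def init(self, shares=5, threshold=3):
        # The response carries keys_base64 (the unseal shares) and root_token:
        # treat both as secrets and never log them.
        resp = self._call("PUT", "/sys/init",
                          {"secret_shares": shares, "secret_threshold": threshold}, auth=False)
        self.token = resp["root_token"]
        return resp

    def unseal(self, keys):
        status = self.seal_status()
        for key in keys:  # stop submitting shares as soon as the threshold is met
            if not status["sealed"]:
                break
            status = self._call("PUT", "/sys/unseal", {"key": key}, auth=False)
        if status["sealed"]:
            raise RuntimeError("still sealed after submitting all supplied keys")
        return status

    # --- day-to-day: the KV commands from the walkthrough ---
    def enable_kv(self, mount):
        # `vault secrets enable -path=<mount> kv` (KV version 1)
        self._call("POST", f"/sys/mounts/{mount.strip('/')}", {"type": "kv"})

    def kv_put(self, path, data):
        self._call("POST", f"/{path.strip('/')}", data)  # `vault kv put <path> k=v`

    def kv_get(self, path):
        return self._call("GET", f"/{path.strip('/')}")["data"]  # `vault kv get <path>`


if __name__ == "__main__":
    # Live run: VAULT_ADDR (e.g. the https://<ec2_IP>:8200 form) and the root token
    # from ./ansible/ec2IP/key.txt in VAULT_TOKEN are assumed, never hard-coded.
    client = VaultClient(os.environ["VAULT_ADDR"], os.environ.get("VAULT_TOKEN"))
    if client.seal_status()["sealed"]:
        sys.exit("Vault is sealed: call unseal() with a threshold of key shares first")
    client.enable_kv("vaultdemo")
    client.kv_put("vaultdemo/foo", {"username": "foo", "password": "bar"})
    print(client.kv_get("vaultdemo/foo"))
```

Once you have created a policy and a scoped token for day-to-day use, revoke the root token so that the copy in ./ansible/ec2IP/key.txt stops being a liability; the seal-status check at the top is the first thing to look at when the client starts failing after a reboot, because a freshly restarted node is sealed until the threshold of shares has been submitted again.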
OK, Vault is deployed and working!
That was a brief introduction to HashiCorp Vault. I hope you enjoyed it! See you!