Setting Up HashiCorp Vault for the First Time and Configuring Your Environment
Author: Yair Mark (@yairmark)
Initial Setup
Unsealing Vault
HashiCorp Vault has a specific first-time setup procedure. When you first install Vault on a server it starts in a sealed state and you need to unseal it. The process is as follows:
- Download the Vault binary applicable to your platform (the machine you will be connecting to the server from) here
- Determine the Vault server's IP address
- If you are running Vault on Kubernetes you can port-forward to it using
  ```bash
  kubectl port-forward vault-0 8200:8200 -n security
  ```
  where `vault-0` in this case is the name of the pod running Vault and `security` is the namespace that the Vault pod is running in.
- Then, to set up Vault for the first time:
  ```bash
  export VAULT_ADDR='http://127.0.0.1:8200'
  vault operator init
  # Save the output somewhere safe: you will need 3 of the 5 unseal keys and the root token
  vault operator unseal
  # paste 1 of the 5 keys
  vault operator unseal
  # paste a 2nd of the 5 keys
  vault operator unseal
  # paste a 3rd of the 5 keys
  ```
Note
- Safely store the output of init: the key thing here is to keep the output of `vault operator init` somewhere safe, as you will need it if something goes wrong with Vault.
- This is a non-HA setup of Vault: the above is a basic setup; you need to look further into how this would look in a production environment in terms of HA.
- VAULT_ADDR will differ based on the server: `VAULT_ADDR` is the address where the Vault server is running. In my case, as I am port-forwarding from Kubernetes, I am using localhost/127.0.0.1 as in the example.
Environment Variable Setup for Future Interactions
Once you have Vault set up, to interact with it in the future you need to set the following environment variables in your .bashrc file or in the current terminal you are working in:
```bash
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN={{vaultTokenHereNoQuotesNeeded}}
```
You should now be able to run operations against your Vault instance, for example:
```bash
vault secrets list
```
Trick for Dealing with Multiple Vault Servers
If you have multiple Vault servers you are interacting with, you will need to change the values of VAULT_ADDR and VAULT_TOKEN. One useful trick for this is to set up aliases in your .bashrc file that let you switch easily, for example:
```bash
# each alias body is wrapped in a single pair of quotes; the two exports run in the current shell
alias set-vault-env-test-1='export VAULT_ADDR=http://127.0.0.1:8200; export VAULT_TOKEN={{vaultTest1EnvTokenHere}}'
alias set-vault-env-test-2='export VAULT_ADDR=http://127.0.0.1:8200; export VAULT_TOKEN={{vaultTest2EnvTokenHere}}'
alias set-vault-env-dev-1='export VAULT_ADDR=http://127.0.0.1:8200; export VAULT_TOKEN={{vaultDev1EnvTokenHere}}'
```
Now whenever you want to switch, simply type:
```bash
set-vault-env-test-1
```
You can even tab-complete from `set-vault-env-` to see which environments you have set up.
Warning About Storing Tokens in Your .bashrc file
Note: Be very careful never to share your .bashrc file with anyone, since the Vault tokens are stored there in environment variables. You can get around this by making a file in your home directory called .local-only and adding the aliases there. Then, in your .bashrc file, source that file with `source ~/.local-only`; that way you can safely share your .bashrc file (for example if you version control it on GitHub).
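As an added example (not code from the original post), here is a more robust form of the .local-only idea from this section combined with the alias trick above: one small file per environment in a private directory, a function that loads it only when its permissions are 600, and bash tab completion of the environment names. The directory ~/.vault-envs, the VAULT_ENV_DIR variable and the function names are assumptions.

```bash
# Added example (not from the original post): one file per Vault environment in a private
# directory, switched with a function, so no token ever lives in .bashrc. Assumed layout
# (hypothetical): $VAULT_ENV_DIR/<name> containing only the lines VAULT_ADDR=... and
# VAULT_TOKEN=... . Source this file from .bashrc; it holds no secrets, so .bashrc stays shareable.
VAULT_ENV_DIR="${VAULT_ENV_DIR:-$HOME/.vault-envs}"

# List the environments that have a file in VAULT_ENV_DIR, one name per line.
vault_env_list() {
  [ -d "$VAULT_ENV_DIR" ] || return 0
  for f in "$VAULT_ENV_DIR"/*; do [ -f "$f" ] && basename "$f"; done
  return 0
}

# Switch the current shell to the named environment. Files readable by group or others are
# refused, so a token is never loaded from (and left sitting in) a file someone else can read.
vault_env() {
  if [ -z "$1" ] || [ ! -f "$VAULT_ENV_DIR/$1" ]; then
    echo "usage: vault_env <name>; available: $(vault_env_list | tr '\n' ' ')" >&2
    return 1
  fi
  file="$VAULT_ENV_DIR/$1"
  # Octal mode from GNU stat, falling back to BSD/macOS stat; anything but ?00 is rejected.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null)
  case "$mode" in
    *00) ;;
    *) echo "vault_env: $file has mode $mode, run: chmod 600 $file" >&2; return 1 ;;
  esac
  addr=""; token=""
  # The file is parsed, not sourced: only the two expected keys are honoured.
  while IFS='=' read -r key value || [ -n "$key" ]; do
    case "$key" in
      VAULT_ADDR)  addr="$value" ;;
      VAULT_TOKEN) token="$value" ;;
      ''|'#'*)     ;;   # blank lines and comments
      *) echo "vault_env: ignoring unknown key '$key'" >&2 ;;
    esac
  done < "$file"
  if [ -z "$addr" ] || [ -z "$token" ]; then
    echo "vault_env: $file must set both VAULT_ADDR and VAULT_TOKEN" >&2; return 1
  fi
  export VAULT_ADDR="$addr" VAULT_TOKEN="$token"
  echo "Vault environment '$1' selected: $VAULT_ADDR" >&2
}

# bash only: tab-complete environment names (list captured when this file is sourced).
[ -z "$BASH_VERSION" ] || complete -W "$(vault_env_list)" vault_env
```

Create each environment file with `chmod 600`, then `vault_env test-1` in any shell that has sourced this file; a file that is group- or world-readable is refused with a hint rather than silently loaded.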