HashiCorp Vault is an identity-based secrets and encryption management system. It provides a secure, automated way to manage secrets, credentials, and sensitive data across dynamic cloud environments.
Key capabilities:
┌──────────────────────────────────────┐
│ Vault Server │
│ ┌────────────┐ ┌─────────────────┐ │
Client ────────►│ │ Auth │ │ Secret Engines │ │
│ │ Methods │ │ - KV, PKI │ │
│ │ - Token │ │ - AWS, DB │ │
│ │ - AppRole │ │ - SSH, Transit │ │
│ │ - K8s │ └─────────────────┘ │
│ └────────────┘ │
│ ┌─────────────────────────────────┐ │
│ │ Storage Backend │ │
│ │ (Consul, Raft, S3, etcd...) │ │
│ └─────────────────────────────────┘ │
└──────────────────────────────────────┘
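# macOS
brew tap hashicorp/tap
brew install hashicorp/tap/vault
# Linux (Ubuntu/Debian)
# Import HashiCorp's signing key into a dedicated keyring (not the user's default one).
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
# Piping a download straight into gpg proves nothing about who signed it: compare
# the fingerprint below with the one HashiCorp publishes before trusting the repo.
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
# expected fingerprint: <COPY FROM HASHICORP'S OFFICIAL INSTALL DOCUMENTATION>
# Add the repository, pinned to that keyring via signed-by, then install.
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vault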
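# Start a throwaway dev server. Dev mode keeps everything in memory, starts
# already unsealed and uses a fixed root token: local experiments only.
# Publish the port on loopback only, so the dev server and its well-known root
# token are not reachable from other hosts on the network.
# The token passed via -e is visible to anyone who can run `docker inspect`
# on this container.
docker run --rm -p 127.0.0.1:8200:8200 \
  -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' \
  hashicorp/vault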
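# Set Vault address and token.
# The dev server speaks plain HTTP on loopback; any real deployment must use
# https:// so tokens and secrets are not sent in cleartext.
export VAULT_ADDR='http://127.0.0.1:8200'
# The dev root token is fine here. Outside dev mode, prefer `vault login` or a
# short-lived token over exporting a long-lived one: an exported token is visible
# in shell history and inherited by every child process.
export VAULT_TOKEN='myroot'
# Check status
vault status
# Write a secret. Feed the sensitive value through stdin (value "-") instead of
# putting it on the command line, so it does not land in shell history or `ps`.
read -rs -p 'password: ' app_password; echo
printf '%s' "$app_password" | vault kv put secret/myapp username="admin" password=-
unset app_password
# Read a secret
vault kv get secret/myapp
# Read only a specific field (prints the raw value; keep it out of logs)
vault kv get -field=password secret/myapp
# List secrets
vault kv list secret/
# Delete a secret (on KV v2 this is a soft delete; old versions remain until destroyed)
vault kv delete secret/myapp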
Vault can generate short-lived AWS credentials on demand:
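# Enable the AWS secrets engine
vault secrets enable -path=aws aws
# Configure the root AWS credentials Vault uses to mint dynamic ones.
# Quote the expansions and fail fast (:?) when a variable is unset, so an empty
# value is never silently written to the config path. The values still pass
# through this shell's argv/history; rotating them right afterwards with
# `vault write -f aws/config/rotate-root` leaves only Vault knowing the key.
vault write aws/config/root access_key="${AWS_ACCESS_KEY:?}" secret_key="${AWS_SECRET_KEY:?}"
# Create a role. Attach the least-privileged policy that does the job
# (read-only EC2 here).
vault write aws/roles/my-role credential_type=iam_user policy_arns=arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
# Generate credentials. Each read creates a new IAM user bound to a lease; revoke
# it early with `vault lease revoke <lease_id>` when it is no longer needed.
vault read aws/creds/my-role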
# Terraform Vault provider. No token is set here on purpose: the provider reads
# it from VAULT_TOKEN at plan/apply time, so no credential ends up in version control.
provider "vault" {
address = "https://vault.example.com"
}
# Reads the KV v2 secret written above (mount "secret", key "myapp").
# A data source's result, including this secret, is stored in plaintext in the
# Terraform state file; protect the state backend accordingly.
data "vault_kv_secret_v2" "example" {
mount = "secret"
name = "myapp"
}