devops-basics

1. What is HashiCorp Vault?

Overview

HashiCorp Vault is an identity-based secrets and encryption management system. It provides a secure, automated way to manage secrets, credentials, and sensitive data across dynamic cloud environments.

Key capabilities:

Vault Architecture

                ┌───────────────────────────────────────┐
                │              Vault Server             │
                │  ┌────────────┐  ┌─────────────────┐  │
Client ────────►│  │  Auth      │  │  Secret Engines │  │
                │  │  Methods   │  │  - KV, PKI      │  │
                │  │  - Token   │  │  - AWS, DB      │  │
                │  │  - AppRole │  │  - SSH, Transit │  │
                │  │  - K8s     │  └─────────────────┘  │
                │  └────────────┘                       │
                │  ┌─────────────────────────────────┐  │
                │  │        Storage Backend          │  │
                │  │  (Consul, Raft, S3, etcd...)    │  │
                │  └─────────────────────────────────┘  │
                └───────────────────────────────────────┘

Official Documentation

2. Prerequisites

3. Installation

Install Vault CLI

# macOS
brew tap hashicorp/tap
brew install hashicorp/tap/vault

# Linux (Ubuntu/Debian)
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vault

Run Vault in Dev Mode (Docker)

docker run --rm -p 8200:8200 \
  -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' \
  hashicorp/vault

4. Basics of Vault

Vault Hello World

Common Vault Commands

# Set Vault address and token
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='myroot'

# Check status
vault status

# Write a secret
vault kv put secret/myapp username="admin" password="s3cr3t"

# Read a secret
vault kv get secret/myapp

# Read only a specific field
vault kv get -field=password secret/myapp

# List secrets
vault kv list secret/

# Delete a secret
vault kv delete secret/myapp
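The `vault kv` commands above are thin wrappers over Vault's HTTP API, and applications usually talk to that API directly. The following added example (not code from the page or from HashiCorp) shows what the CLI does on the wire for a KV v2 mount: the logical path `secret/myapp` becomes the API path `secret/data/myapp`, written fields are wrapped in a top-level `data` object, and a read comes back doubly nested as `data.data` with version and deletion metadata beside it. It also shows check-and-set (`cas`) writes, which the CLI exposes as `vault kv put -cas=N`. The in-memory `FakeVaultTransport` is constructed here so the code runs offline; the address, token and mount are the dev-mode values from this page.

```python
"""Minimal HashiCorp Vault KV v2 client over the HTTP API (added example)."""
import json
import os
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# transport(method, url, body, headers) -> decoded JSON response
Transport = Callable[[str, str, Optional[bytes], Dict[str, str]], Dict]


def kv2_data_path(mount: str, name: str) -> str:
    """Map a logical KV v2 path to its API endpoint (what `vault kv` does for you)."""
    return f"/v1/{mount.strip('/')}/data/{name.strip('/')}"


def kv2_put_body(fields: Dict[str, str], cas: Optional[int] = None) -> Dict:
    """Build the write payload; `cas` asks Vault to refuse the write unless the
    current version equals `cas` (cas=0 means 'only create, never overwrite')."""
    body: Dict = {"data": fields}
    if cas is not None:
        body["options"] = {"cas": cas}
    return body


def parse_kv2_read(response: Dict) -> Tuple[Dict[str, str], int]:
    """Return (fields, version) from a KV v2 read, rejecting soft-deleted versions.
    Note the double nesting: response["data"]["data"] holds the secret and
    response["data"]["metadata"] the version and deletion status."""
    meta = response["data"]["metadata"]
    if meta.get("destroyed") or meta.get("deletion_time"):
        raise LookupError(f"version {meta['version']} is deleted or destroyed")
    return response["data"]["data"], int(meta["version"])


def urllib_transport(method, url, body, headers):
    """Real transport: one HTTPS/HTTP request carrying the X-Vault-Token header."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class VaultKV2:
    def __init__(self, addr: str, token: str, mount: str = "secret",
                 transport: Transport = urllib_transport):
        self.addr = addr.rstrip("/")
        self.headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
        self.mount = mount
        self.transport = transport

    def put(self, name: str, fields: Dict[str, str], cas: Optional[int] = None) -> int:
        body = json.dumps(kv2_put_body(fields, cas)).encode()
        url = self.addr + kv2_data_path(self.mount, name)
        return int(self.transport("POST", url, body, self.headers)["data"]["version"])

    def get(self, name: str) -> Tuple[Dict[str, str], int]:
        url = self.addr + kv2_data_path(self.mount, name)
        return parse_kv2_read(self.transport("GET", url, None, self.headers))

    def get_field(self, name: str, field: str) -> str:
        fields, _ = self.get(name)   # equivalent of `vault kv get -field=...`
        return fields[field]


class FakeVaultTransport:
    """Constructed in-memory stand-in for a Vault server, implementing just enough
    of the KV v2 write/read endpoints (versioning, cas, token check) to run offline."""

    def __init__(self, token: str = "myroot"):
        self.token = token
        self.store: Dict[str, list] = {}   # api path -> list of version payloads

    def __call__(self, method, url, body, headers):
        if headers.get("X-Vault-Token") != self.token:
            raise PermissionError("403 permission denied")
        path = url[url.index("/v1/"):]
        versions = self.store.setdefault(path, [])
        if method == "POST":
            payload = json.loads(body)
            cas = payload.get("options", {}).get("cas")
            if cas is not None and cas != len(versions):
                raise ValueError("400 check-and-set parameter did not match the current version")
            versions.append(payload["data"])
            return {"data": {"version": len(versions)}}
        if not versions:
            raise LookupError("404 secret not found")
        return {"data": {"data": versions[-1],
                         "metadata": {"version": len(versions), "destroyed": False,
                                      "deletion_time": ""}}}


if __name__ == "__main__":
    # Against a real dev server: uses the VAULT_ADDR / VAULT_TOKEN exported above.
    client = VaultKV2(os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200"),
                      os.environ["VAULT_TOKEN"])
    print("wrote version", client.put("myapp", {"username": "admin", "password": "s3cr3t"}))
    print("password =", client.get_field("myapp", "password"))
```

The `cas` option is the piece to remember in automation: two deployers writing `secret/myapp` without it silently overwrite each other, whereas a `cas` mismatch fails loudly and the caller can re-read and retry.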

5. Beyond the Basics

Dynamic Secrets (AWS)

Vault can generate short-lived AWS credentials on demand:

# Enable the AWS secrets engine
vault secrets enable -path=aws aws

# Configure AWS credentials
vault write aws/config/root access_key=$AWS_ACCESS_KEY secret_key=$AWS_SECRET_KEY

# Create a role
vault write aws/roles/my-role credential_type=iam_user policy_arns=arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess

# Generate credentials
vault read aws/creds/my-role
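What `vault read aws/creds/my-role` returns is not just a key pair but a lease: the IAM user exists only until `lease_duration` expires, and a long-running consumer must renew the lease before that or revoke it when it shuts down. The following added example (not code from the page or from HashiCorp) shows that lifecycle: parsing the response, scheduling renewal at two thirds of the TTL, deciding between renew and re-read when the lease is not renewable, and building the `sys/leases/renew` and `sys/leases/revoke` calls. `SAMPLE_CREDS_JSON` is a constructed response in the shape of `vault read -format=json aws/creds/my-role`; the lease id and key values are placeholders.

```python
"""Lease lifecycle for Vault dynamic AWS credentials (added example)."""
import json
from dataclasses import dataclass, replace
from typing import Dict, Tuple

# Constructed sample in the shape of `vault read -format=json aws/creds/my-role`.
SAMPLE_CREDS_JSON = """{
  "request_id": "00000000-0000-0000-0000-000000000000",
  "lease_id": "aws/creds/my-role/PLACEHOLDER-LEASE-ID",
  "lease_duration": 3600,
  "renewable": true,
  "data": {
    "access_key": "AKIA-PLACEHOLDER",
    "secret_key": "PLACEHOLDER-SECRET",
    "security_token": null
  }
}"""


@dataclass(frozen=True)
class Lease:
    lease_id: str
    ttl_seconds: int
    renewable: bool
    access_key: str
    secret_key: str
    issued_at: float   # epoch seconds when the credentials were read or last renewed


def parse_creds(raw: str, now: float) -> Lease:
    """Turn the JSON response into a Lease record."""
    doc = json.loads(raw)
    return Lease(
        lease_id=doc["lease_id"],
        ttl_seconds=int(doc["lease_duration"]),
        renewable=bool(doc["renewable"]),
        access_key=doc["data"]["access_key"],
        secret_key=doc["data"]["secret_key"],
        issued_at=now,
    )


def expires_at(lease: Lease) -> float:
    return lease.issued_at + lease.ttl_seconds


def renew_at(lease: Lease, fraction: float = 2 / 3) -> float:
    """Renew well before expiry so a transient Vault outage does not cost the lease."""
    return lease.issued_at + lease.ttl_seconds * fraction


def next_action(lease: Lease, now: float) -> str:
    """What the consumer should do at time `now`: wait, renew, or re-read aws/creds."""
    if now >= expires_at(lease):
        return "reread"        # IAM user is already gone; fetch fresh credentials
    if now < renew_at(lease):
        return "wait"
    return "renew" if lease.renewable else "reread"


def renew_request(lease: Lease, increment: int) -> Tuple[str, Dict]:
    """Path and body for PUT sys/leases/renew; `increment` is the requested TTL in seconds."""
    return "/v1/sys/leases/renew", {"lease_id": lease.lease_id, "increment": increment}


def revoke_request(lease: Lease) -> Tuple[str, Dict]:
    """Path and body for PUT sys/leases/revoke; call at shutdown so the IAM user is deleted."""
    return "/v1/sys/leases/revoke", {"lease_id": lease.lease_id}


def apply_renewal(lease: Lease, renew_response: Dict, now: float) -> Lease:
    """Update the lease from a renew response; Vault may grant less than requested
    (it caps at the role's max TTL), so always take the server's lease_duration."""
    return replace(lease, ttl_seconds=int(renew_response["lease_duration"]), issued_at=now)


def loggable(lease: Lease) -> Dict:
    """Fields safe to put in logs: the lease id and access key, never the secret key."""
    return {"lease_id": lease.lease_id, "access_key": lease.access_key,
            "ttl": lease.ttl_seconds, "renewable": lease.renewable}
```

A non-renewable lease (or one whose renewal response keeps shrinking because the max TTL is near) has to be handled by reading `aws/creds/my-role` again and switching to the new key pair, which is why `next_action` returns "reread" rather than trying to renew.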

Vault with Kubernetes

Vault with Terraform

provider "vault" {
  address = "https://vault.example.com"
}

data "vault_kv_secret_v2" "example" {
  mount = "secret"
  name  = "myapp"
}

Hands-On Examples

6. More

Vault Cheatsheet