Vault Practice
Exercises
Exercise 1: KV Secrets Engine
- Start Vault in dev mode
- Enable the kv-v2 secrets engine at path secret/ (a dev-mode server already mounts one there, so skip this step or check the mount with vault secrets list)
- Store database credentials (host, port, username, password) under secret/database/postgres
- Read them back using vault kv get
- Update the password and verify the new version is stored
- Roll back to version 1
Reference: https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2
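A worked run of Exercise 1 as a shell script. This is an added example, not code from the page or from HashiCorp; it assumes a dev server started with vault server -dev -dev-root-token-id=root and VAULT_ADDR / VAULT_TOKEN exported, and the sample credential values are made up for the lab. The current_version helper parses the JSON metadata with sed so the script has no jq dependency; it also shows that kv rollback creates a new version rather than deleting version 2.

```bash
#!/usr/bin/env bash
# Added worked example (not from the page): Exercise 1, KV v2 write, update, roll back.
# Assumes a dev-mode server in another terminal:
#   vault server -dev -dev-root-token-id=root
#   export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN=root
set -eu

# Dev mode already mounts kv-v2 at secret/; enabling it again errors out,
# so only mount when the path is absent.
ensure_kv2() {
  vault secrets list -format=json | grep -q '"secret/"' \
    || vault secrets enable -path=secret -version=2 kv
}

# Pull "current_version" out of `vault kv metadata get -format=json` output.
# Pure text processing, so it is testable without a server.
current_version() {
  sed -n 's/.*"current_version": *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

kv_exercise() {
  ensure_kv2
  # Version 1: write the whole credential set. `kv put` replaces every field.
  vault kv put secret/database/postgres \
    host=db.internal port=5432 username=app password='first-password'
  vault kv get secret/database/postgres

  # Version 2: `kv patch` changes only the password and keeps host/port/username.
  vault kv patch secret/database/postgres password='second-password'
  ver=$(vault kv metadata get -format=json secret/database/postgres | current_version)
  [ "$ver" = 2 ] || { echo "expected version 2, got $ver" >&2; return 1; }
  [ "$(vault kv get -field=password secret/database/postgres)" = second-password ]

  # Roll back: version 1's data is copied forward as a NEW version (3).
  # Version 2 is not deleted, so the history stays intact for audit.
  vault kv rollback -version=1 secret/database/postgres
  [ "$(vault kv get -field=password secret/database/postgres)" = first-password ]
  vault kv get -version=2 secret/database/postgres   # old value still readable
}

[ "${1:-}" = run ] && kv_exercise
```

Run it with bash kv_exercise.sh run against the dev server; without the run argument it only defines the functions.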
Exercise 2: AppRole Authentication
- Enable the AppRole auth method
- Create a policy that allows read access to secret/data/myapp/* (the data/ segment is the kv-v2 API path; vault kv get secret/myapp/... omits it, the policy must not)
- Create a role with that policy attached
- Retrieve a role_id and generate a secret_id
- Login using AppRole to get a token
- Use that token to read a secret
Reference: https://developer.hashicorp.com/vault/docs/auth/approle
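A worked run of Exercise 2. This is an added example, not code from the page or from HashiCorp; it assumes the same dev server (VAULT_ADDR and a root VAULT_TOKEN exported), and the policy name myapp-read, role name myapp and the stored db_url are this example's own choices. Beyond the listed steps it checks that the application token is denied outside secret/myapp/* and that a secret_id issued with secret_id_num_uses=1 cannot be replayed.

```bash
#!/usr/bin/env bash
# Added worked example (not from the page): Exercise 2, AppRole login flow.
# Assumes a dev server with VAULT_ADDR and a root VAULT_TOKEN exported.
set -eu

# kv-v2 stores data under <mount>/data/<path>, so the policy path must include
# "data/" even though `vault kv get secret/myapp/config` omits it.
myapp_policy() {
  cat <<'EOF'
path "secret/data/myapp/*" {
  capabilities = ["read"]
}
EOF
}

approle_exercise() {
  vault auth enable approle 2>/dev/null || true        # idempotent on re-runs
  myapp_policy | vault policy write myapp-read -
  vault kv put secret/myapp/config db_url=postgres://db.internal:5432/app

  # Role: short-lived tokens, and a secret_id that is single-use with its own TTL.
  vault write auth/approle/role/myapp \
    token_policies=myapp-read token_ttl=20m token_max_ttl=1h \
    secret_id_ttl=10m secret_id_num_uses=1

  role_id=$(vault read -field=role_id auth/approle/role/myapp/role-id)
  secret_id=$(vault write -f -field=secret_id auth/approle/role/myapp/secret-id)

  # Login as the application; -field=token prints only the client token.
  app_token=$(vault write -field=token auth/approle/login \
    role_id="$role_id" secret_id="$secret_id")

  # Acting as the app: the read inside the policy succeeds...
  VAULT_TOKEN="$app_token" vault kv get -field=db_url secret/myapp/config
  # ...and a path outside secret/myapp/* is denied (expected: permission denied).
  if VAULT_TOKEN="$app_token" vault kv get secret/database/postgres 2>/dev/null; then
    echo "policy too broad: app token read outside myapp/*" >&2; return 1
  fi
  # secret_id_num_uses=1: replaying the same secret_id must fail.
  if vault write -field=token auth/approle/login \
       role_id="$role_id" secret_id="$secret_id" >/dev/null 2>&1; then
    echo "secret_id was reusable" >&2; return 1
  fi
}

[ "${1:-}" = run ] && approle_exercise
```

In a real deployment the role_id is baked into the application's configuration and the secret_id is delivered by a separate channel (CI, orchestrator, response wrapping) so that neither half alone is enough to log in.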
Exercise 3: Vault with Kubernetes (Vault Agent Injector)
- Install Vault on a local Kubernetes cluster using Helm
- Configure Kubernetes authentication in Vault
- Deploy the Vault Agent Injector
- Create a sample app with Vault annotations to inject a secret as a file
- Verify the secret appears in /vault/secrets/ inside the pod
Reference: https://developer.hashicorp.com/vault/docs/platform/k8s/injector
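A worked run of Exercise 3 on a local cluster (kind or minikube assumed). This is an added example, not code from the page or from HashiCorp; the chart repository, the vault-0 pod name and the annotation keys are from the official Helm chart and injector, while the policy name myapp-read, the service account myapp, the secret key db_url and the alpine test image are this example's own choices. The manifest uses an agent-inject-template so that only the one field the app needs is rendered into /vault/secrets/db-config.

```bash
#!/usr/bin/env bash
# Added worked example (not from the page): Exercise 3, Vault Agent Injector.
# Assumes kubectl points at a local cluster and helm is installed.
set -eu

# Manifest the injector mutates: it matches on the agent-inject annotation,
# adds an init container that logs in with the pod's service account token,
# renders the template and writes it to /vault/secrets/db-config.
myapp_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  replicas: 1
  selector:
    matchLabels: {app: myapp}
  template:
    metadata:
      labels: {app: myapp}
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "myapp"
        vault.hashicorp.com/agent-inject-secret-db-config: "secret/data/myapp/config"
        vault.hashicorp.com/agent-inject-template-db-config: |
          {{- with secret "secret/data/myapp/config" -}}
          DATABASE_URL={{ .Data.data.db_url }}
          {{- end }}
    spec:
      serviceAccountName: myapp
      containers:
        - name: myapp
          image: alpine:3.19
          command: ["sh", "-c", "cat /vault/secrets/db-config; sleep 3600"]
EOF
}

k8s_exercise() {
  helm repo add hashicorp https://helm.releases.hashicorp.com
  helm repo update
  # Dev-mode server (in-memory, unsealed, root token "root"); the injector is on by default.
  helm install vault hashicorp/vault --set server.dev.enabled=true
  kubectl rollout status statefulset/vault --timeout=180s

  # Vault needs the API server address to validate service account JWTs.
  # Running the commands inside vault-0 keeps the in-cluster address simple.
  kubectl exec vault-0 -- vault auth enable kubernetes
  kubectl exec vault-0 -- sh -c \
    'vault write auth/kubernetes/config kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
  kubectl exec -i vault-0 -- vault policy write myapp-read - <<'EOF'
path "secret/data/myapp/*" {
  capabilities = ["read"]
}
EOF
  # Bind the role to exactly one service account in one namespace.
  kubectl exec vault-0 -- vault write auth/kubernetes/role/myapp \
    bound_service_account_names=myapp bound_service_account_namespaces=default \
    policies=myapp-read ttl=1h
  kubectl exec vault-0 -- vault kv put secret/myapp/config db_url=postgres://db.internal:5432/app

  myapp_manifest | kubectl apply -f -
  kubectl rollout status deployment/myapp --timeout=180s
  # -c selects the app container; the vault-agent sidecar sits alongside it.
  kubectl exec deploy/myapp -c myapp -- cat /vault/secrets/db-config
}

[ "${1:-}" = run ] && k8s_exercise
```

Anything running in the pod can read /vault/secrets/, so the template should render only the fields the application needs, and the role binding should name one service account in one namespace rather than a wildcard.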
Exercise 4: Dynamic Database Credentials
- Start a PostgreSQL container
- Enable the database secrets engine in Vault
- Configure Vault with PostgreSQL connection details
- Create a role that generates short-lived credentials
- Generate credentials and connect to PostgreSQL
- Observe that the credentials expire automatically
Reference: https://developer.hashicorp.com/vault/docs/secrets/databases/postgresql
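A worked run of Exercise 4. This is an added example, not code from the page or from HashiCorp; it assumes Docker on the same host as a dev Vault (VAULT_ADDR and a root VAULT_TOKEN exported), and the container name pg, the bootstrap password, the connection name postgres and the role name app-readonly are this example's own choices. Two things a practitioner would add to the listed steps: rotating the bootstrap password with database/rotate-root as soon as Vault has it, and putting VALID UNTIL '{{expiration}}' in the creation statement so PostgreSQL itself rejects the login after the lease ends even if revocation is delayed.

```bash
#!/usr/bin/env bash
# Added worked example (not from the page): Exercise 4, dynamic PostgreSQL credentials.
# Assumes Docker and a dev Vault on this host; passwords are for the local lab only.
set -eu

# SQL Vault runs for every lease. VALID UNTIL is defense in depth: the database
# refuses the login after {{expiration}} even if Vault's revocation is late.
creation_sql() {
  printf '%s' "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
}

# Pull an integer field out of -format=json output without jq.
json_int() {
  sed -n "s/.*\"$1\": *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

db_exercise() {
  docker run -d --name pg -e POSTGRES_PASSWORD=bootstrap-pw -p 5432:5432 postgres:16
  until docker exec pg pg_isready -U postgres >/dev/null 2>&1; do sleep 1; done

  vault secrets enable database 2>/dev/null || true
  vault write database/config/postgres \
    plugin_name=postgresql-database-plugin \
    allowed_roles=app-readonly \
    connection_url='postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres?sslmode=disable' \
    username=postgres password=bootstrap-pw
  # Hand the bootstrap password over: after this only Vault knows the root password.
  vault write -f database/rotate-root/postgres

  vault write database/roles/app-readonly db_name=postgres \
    creation_statements="$(creation_sql)" default_ttl=1m max_ttl=5m

  creds=$(vault read -format=json database/creds/app-readonly)
  user=$(printf '%s\n' "$creds" | sed -n 's/.*"username": *"\([^"]*\)".*/\1/p')
  pass=$(printf '%s\n' "$creds" | sed -n 's/.*"password": *"\([^"]*\)".*/\1/p')
  ttl=$(printf '%s\n' "$creds" | json_int lease_duration)
  echo "issued $user with a ${ttl}s lease"

  # The credential works now...
  docker exec -e PGPASSWORD="$pass" pg psql -h 127.0.0.1 -U "$user" -d postgres -c 'SELECT current_user;'
  # ...and is gone once the lease expires and Vault drops the role.
  sleep $((ttl + 15))
  if docker exec -e PGPASSWORD="$pass" pg psql -h 127.0.0.1 -U "$user" -d postgres -c 'SELECT 1;' 2>/dev/null; then
    echo "credential still valid after lease expiry" >&2; return 1
  fi
}

[ "${1:-}" = run ] && db_exercise
```

An application that needs the credential for longer than default_ttl renews the lease (vault lease renew) up to max_ttl and then fetches a fresh pair; it never gets a credential that outlives max_ttl.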
Exercise 5: Transit Secrets Engine (Encryption as a Service)
- Enable the transit secrets engine
- Create an encryption key named my-key
- Encrypt a plaintext string via the API
- Decrypt it back to verify round-trip
- Rotate the key and verify existing ciphertext can still be decrypted
Reference: https://developer.hashicorp.com/vault/docs/secrets/transit
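A worked run of Exercise 5. This is an added example, not code from the page or from HashiCorp; it assumes the dev server again (VAULT_ADDR and a root VAULT_TOKEN exported) and the sample plaintext is made up. The ciphertext_version helper reads the vault:vN: prefix that transit puts on every ciphertext, which is how you can see that rotation produced key version 2 while v1 ciphertext still decrypts. It goes one step past the listed exercise: rewrapping the old ciphertext to v2 and then raising min_decryption_version so that v1 ciphertext becomes unusable.

```bash
#!/usr/bin/env bash
# Added worked example (not from the page): Exercise 5, transit encrypt, decrypt, rotate.
# Assumes a dev server with VAULT_ADDR and a root VAULT_TOKEN exported.
set -eu

# Transit ciphertext is "vault:v<N>:<base64>"; N is the key version that
# produced it. Pure string handling, testable without a server.
ciphertext_version() {
  case "$1" in
    vault:v[0-9]*:*) v=${1#vault:v}; printf '%s\n' "${v%%:*}" ;;
    *) echo "not a transit ciphertext: $1" >&2; return 1 ;;
  esac
}

# Transit only accepts base64 plaintext; it never sees the raw bytes unencoded.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

transit_exercise() {
  vault secrets enable transit 2>/dev/null || true
  vault write -f transit/keys/my-key                 # aes256-gcm96 by default

  ct1=$(vault write -field=ciphertext transit/encrypt/my-key plaintext="$(b64 'card=4111-xxxx')")
  [ "$(ciphertext_version "$ct1")" = 1 ]
  pt=$(vault write -field=plaintext transit/decrypt/my-key ciphertext="$ct1" | base64 -d)
  [ "$pt" = 'card=4111-xxxx' ]

  # Rotation adds key version 2: new encryptions use it, old ciphertext still decrypts.
  vault write -f transit/keys/my-key/rotate
  ct2=$(vault write -field=ciphertext transit/encrypt/my-key plaintext="$(b64 'card=4111-xxxx')")
  [ "$(ciphertext_version "$ct2")" = 2 ]
  vault write -field=plaintext transit/decrypt/my-key ciphertext="$ct1" | base64 -d   # v1 still works

  # Retire v1 properly: rewrap stored ciphertext to v2 (no plaintext leaves Vault),
  # then raise min_decryption_version so leaked v1 ciphertext is useless.
  ct1_rewrapped=$(vault write -field=ciphertext transit/rewrap/my-key ciphertext="$ct1")
  [ "$(ciphertext_version "$ct1_rewrapped")" = 2 ]
  vault write transit/keys/my-key/config min_decryption_version=2
  if vault write -field=plaintext transit/decrypt/my-key ciphertext="$ct1" >/dev/null 2>&1; then
    echo "v1 ciphertext still decryptable after min_decryption_version=2" >&2; return 1
  fi
}

[ "${1:-}" = run ] && transit_exercise
```

Rotation alone does not retire the old key version: every stored ciphertext has to be rewrapped before min_decryption_version is raised, otherwise that data becomes unreadable.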