Setting Up HashiCorp Vault
How to setup Hashicorp vault on a cloud instance and my reflection.
TLDR: This was a pretty simple setup and they have good documentation. I messed up by not paying attention to variables and such.
I guess you're wondering why I tried this? Vault is something that I've been hearing about a lot more when doing my devops work and I can't say I understand it. Per usual I like knowing more about the software and things that I use in my work. I was talking to my friend @estplo.it and he asked if I would stream my "setup and testing". The livestream is here, but I ended up stopping early, not knowing what my problem was or how long I'd spin my wheels.
I'm going to write up how you too can run Vault from a server, connect from your local machine, talk about where I went wrong, and what I learned.

Setup Instructions
1. Set up an Ubuntu server that is 1GB/250 MB.
2. Update your server.
3. Run the commands you find here. If you can successfully run `vault`, I'm going to start deviating to my instructions.
4. Go back to where your server is and update your firewall. For ingress you should have the following ports: 22, 80, 443, and 8200.
5. Log back into your server and run `mkdir -p ./vault/data`.
6. Create a `config.hcl` file with the details from the next section.
7. Run `vault server -config=config.hcl`.
8. Close your terminal to your server (don't cmd-c the vault server).
9. On your local machine install vault using the instructions here.
10. Run `vault status`.
11. Run `export VAULT_ADDR=http://<server-ip>:8200` (the scheme matches `api_addr` in the config; without it the CLI can't build the request URL).
12. Run `vault operator init`.
13. Copy the details to a txt file or your password manager.
14. Now run `vault operator unseal` and use one of the unseal keys.
15. Run step 14 2 more times, but use different unseal keys.
16. Run `vault status` again and verify sealed = false.
17. Run `vault login` and insert your token. Also run `export VAULT_TOKEN=<token>`.
18. Celebrate! You're done and now shouldn't have any of my errors connecting to your vault instance.
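Steps 12 through 16 are the part where it is easy to lose track of which key you already used. The script below is an added example (not code from the post) that parses the text `vault operator init` prints, takes only as many distinct keys as the threshold requires, feeds each to `vault operator unseal` once, and then checks the `Sealed` line of `vault status`. The init and status output embedded in it is constructed sample text with placeholder keys; the real unseal path assumes `vault` is on your PATH, `VAULT_ADDR` is exported, and you pass the file you saved the init output to.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: parse `vault operator init`
# output, use <threshold> distinct keys with `vault operator unseal`, and
# confirm `vault status` reports Sealed = false.
set -eu

# Constructed sample of what `vault operator init` prints. Every value is a
# placeholder, not a real key or token.
SAMPLE_INIT_OUTPUT='Unseal Key 1: KEY1-PLACEHOLDER
Unseal Key 2: KEY2-PLACEHOLDER
Unseal Key 3: KEY3-PLACEHOLDER
Unseal Key 4: KEY4-PLACEHOLDER
Unseal Key 5: KEY5-PLACEHOLDER

Initial Root Token: hvs.ROOT-TOKEN-PLACEHOLDER

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above.'

# Constructed samples of the relevant line of `vault status` output.
SAMPLE_STATUS_SEALED='Sealed          true'
SAMPLE_STATUS_UNSEALED='Sealed          false'

# Print every unseal key from init output, one per line, in order.
unseal_keys() { printf '%s\n' "$1" | sed -n 's/^Unseal Key [0-9][0-9]*: //p'; }

# Print the initial root token (this is what `vault login` wants).
root_token() { printf '%s\n' "$1" | sed -n 's/^Initial Root Token: //p'; }

# Print the key threshold: how many DIFFERENT keys the unseal needs.
key_threshold() {
  printf '%s\n' "$1" | sed -n 's/.*key threshold of \([0-9][0-9]*\).*/\1/p'
}

# Exit 0 only when `vault status` output reports Sealed = false.
is_unsealed() { printf '%s\n' "$1" | grep -Eq '^Sealed[[:space:]]+false[[:space:]]*$'; }

# Unseal a real server from saved init output. Re-submitting the same key
# does not advance the threshold, which is why each key is used once here.
# Assumes `vault` on PATH and VAULT_ADDR exported.
unseal_from_init_output() {
  init_output=$1
  n=$(key_threshold "$init_output")
  unseal_keys "$init_output" | head -n "$n" | while IFS= read -r key; do
    vault operator unseal "$key" >/dev/null
  done
  # `vault status` exits non-zero while sealed; don't let set -e abort here.
  is_unsealed "$(vault status 2>/dev/null || true)"
}

# Stand-alone demo on the constructed sample (no server needed).
echo "threshold: $(key_threshold "$SAMPLE_INIT_OUTPUT")"
echo "keys found: $(unseal_keys "$SAMPLE_INIT_OUTPUT" | wc -l | tr -d ' ')"

# Real run: ./unseal.sh --unseal /path/to/saved-init-output.txt
if [ "${1:-}" = "--unseal" ]; then
  unseal_from_init_output "$(cat "$2")" && echo "vault is unsealed"
fi
```

The script reads the keys from the file you saved in step 13 rather than capturing `vault operator init` directly, so the keys and root token always land in your own notes before anything else touches them.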
Config.HCL
```hcl
# Integrated (raft) storage, pointed at the directory created in step 5
storage "raft" {
  path    = "./vault/data"
  node_id = "node1"
}

# API listener; TLS is disabled here, so traffic to 8200 is plaintext
listener "tcp" {
  address     = "<server-ip>:8200"
  tls_disable = "true"
}

disable_mlock = true
api_addr      = "http://<server-ip>:8200"
cluster_addr  = "https://<server-ip>:8201"
ui            = true
```

What I learned
So I made a lot of simple mistakes here and 99% of it was just me not reading. So here are things I think are important to highlight if you're looking to get started.
1. Double check your token value
When I couldn't get things working I should have known a 403 was an Auth error. I was so into thinking I did my firewall setup wrong that I didn't really think about anything else. My API calls didn't work because I was using the wrong token.
2. Keep the UI to true
The UI really saved me. Once I was like "let me see if it works", then everything really clicked for me. I literally thought "fam, you're dumb, you never changed your key from the first time". So when in doubt, check the UI.
3. Write policies from the UI
Off stream I was trying to write a policy and I didn't like the command line way (because I'm me). I think it's easier to write your policies from the UI. A lot of times GUIs reduce stress and I think most sys admin folks forget about that.
4. After setup really study the setup
I do a thing where I reflect on how the setup process went, what I think of the default things, and what I think I need to do security wise to make things stronger. I think this would be good for everyone to do. Vault is a common industry secrets manager. Whether you are using this personally or on your team I think this experience reflection helps you be objective long term.
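Point 1 is the one worth automating: a firewall problem and a bad token look the same from the CLI until you read the status code. The script below is an added example (not code from the post) that probes two Vault HTTP endpoints, `/v1/sys/health`, which needs no token, and `/v1/auth/token/lookup-self`, which does, and reads the two status codes side by side. If the first call can't connect, it's the network or `VAULT_ADDR`; if the first succeeds and the second returns 403, it's the token. It assumes `curl` is installed and `VAULT_ADDR` (and optionally `VAULT_TOKEN`) are exported, as in the setup steps above.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: tell "can't reach Vault"
# apart from "Vault rejected my token" by probing one endpoint that needs no
# token and one that does, and reading the status codes.
set -eu

# Interpret the HTTP status of GET /v1/sys/health (no token required).
diagnose_health() {
  case "$1" in
    000) echo "unreachable: check VAULT_ADDR and ingress on port 8200";;
    200) echo "initialized, unsealed, active";;
    429) echo "unsealed standby node";;
    501) echo "not initialized: run vault operator init";;
    503) echo "sealed: run vault operator unseal";;
    *)   echo "unexpected HTTP $1";;
  esac
}

# Interpret the HTTP status of GET /v1/auth/token/lookup-self (token required).
diagnose_token() {
  case "$1" in
    000) echo "unreachable (network problem, not an auth problem)";;
    200) echo "token accepted";;
    403) echo "token rejected: wrong/expired token or missing policy, not a firewall problem";;
    *)   echo "unexpected HTTP $1";;
  esac
}

# Print curl's HTTP status for a request; 000 when no connection was made.
http_code() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$@" 2>/dev/null || true)
  echo "${code:-000}"
}

# Probe a live server. Requires VAULT_ADDR; VAULT_TOKEN may be empty, in
# which case the second probe is expected to come back 403.
check_vault() {
  addr=${VAULT_ADDR:?export VAULT_ADDR, e.g. http://<server-ip>:8200}
  health=$(http_code "$addr/v1/sys/health")
  token=$(http_code -H "X-Vault-Token: ${VAULT_TOKEN:-}" "$addr/v1/auth/token/lookup-self")
  echo "health ($health): $(diagnose_health "$health")"
  echo "token  ($token): $(diagnose_token "$token")"
}

# Usage: ./check-vault.sh --check
if [ "${1:-}" = "--check" ]; then check_vault; fi
```

Run it with `--check` after exporting `VAULT_ADDR` and `VAULT_TOKEN`; a healthy server with a stale token prints a 200 on the first line and a 403 on the second, which is exactly the situation described in point 1.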
Will I keep using it?
I think for me personally, Vault is a bit much. I'm not running anything big that would require its use, but I understand its use for teams/big orgs. I think secret management is so key for every org from a security perspective that you should also give vault a try and then let me know what you think. 😁