How to get started with Hashicorp Vault for Secrets Management in your DevOps Pipeline - Part 3

Wrapping Up Our Solution

In our first two blogs we laid the foundation for our HashiCorp Vault® solution. In Part 1 of 3 we covered an overview of the solution. In Part 2 of 3 we began our installation of Vault. In this final blog of our series, we will complete the configuration of the Vault environment (Major Step #3). Then we will retrieve a secret from the Vault. As a bonus, we will create a second secret and retrieve it from the Vault.

Major Step #3: Setting Up the Vault

Configure the Environment Variables for Vault

Run the commands in Figure 1 to set the environment variables used by the Vault binary when executing commands.

Be sure to substitute the IP address of your Vault server for {{YOUR VAULTIP}}. Note: if your lab server uses a self-signed certificate, you can also export VAULT_SKIP_VERIFY=1 so the CLI ignores TLS certificate errors. That setting disables verification of the server's identity, so a spoofed endpoint could capture your tokens; use it only in a lab. In any real deployment, point VAULT_CACERT at the CA certificate that signed the server certificate instead.

export VAULT_ADDR=https://{{YOUR VAULTIP}}:8200
export PATH=$PATH:/usr/local/bin/vault.d

Figure 1 - Set Environment Variables

Initialize the Vault

Run the command in Figure 2 to initialize the Vault. This creates an empty vault, the initial root token, and five (5) “unseal” key shares (by default, any three of them are needed to unseal). These keys are critical for configuring the vault further and for bringing it up after every restart.

You will see output like that in Figure 3.

Critical Note: The unseal keys and initial root token are only shown when you first initialize the vault. Below you will see important steps to back these up. Don’t lose them! Without these keys you will NOT be able to bring the vault back up and use your existing encrypted secrets.

vault operator init

Figure 2 - Initialize Vault

Figure 3 - Vault Initialization Output

Backup the Unseal Keys and the Initial Root Token

The unseal keys are used to “unseal” the vault. When unsealing, you must provide 3 of the 5 keys, after which Vault can decrypt and access the stored secrets. This process must be repeated whenever the Vault service is restarted for any reason.

Copy the unseal keys to the clipboard and back up the keys to a secure location. They should only be stored in a location that can be accessed by the people you want to be able to start the vault up. Because the keys are shares of a single secret, a person who holds three of them can unseal the vault alone; outside of a lab, give each share to a different key holder rather than storing all five together.

Copy the initial root token to the clipboard and back up the token to a secure location.

Important Note: The initial root token allows you to perform actions on the Vault as the root Vault account, which has full privileges to the vault. Protect this token!

Unseal the Vault

Copy any three of the five keys that were backed up in the “Initialize the Vault” step above.

Run the “unseal” commands in Figure 4 to unseal the vault.

Important Note: Be sure to substitute your own keys for {{{key 1/2/3}}}!

vault operator unseal {{{key 1}}}
vault operator unseal {{{key 2}}}
vault operator unseal {{{key 3}}}

Figure 4 - Three Unseal Keys

Run “vault status” as in Figure 5. You should see the “sealed” property set to “false” as in Figure 6.

vault status

Figure 5 - Vault Status

Figure 6 - Vault Status Output
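The initialize, back up, unseal and status steps above are typed one at a time. As an added example (not code from the original post or from HashiCorp), the script below wraps the same commands in shell functions: it pulls the key shares and root token out of the plain-text output of “vault operator init”, feeds exactly the threshold number of shares to “vault operator unseal”, and reads the sealed flag from “vault status -format=json”. The function names, the vault-init.txt file name and the RUN_BOOTSTRAP guard are illustrative choices for this example; it assumes VAULT_ADDR is already exported as in Figure 1, the vault binary is on PATH, and the default 5 shares with a threshold of 3.

```shell
#!/bin/sh
# Added example, not from the original post: helper functions around
# `vault operator init`, `vault operator unseal` and `vault status`.
# Assumes VAULT_ADDR is exported as in Figure 1, the vault CLI is on PATH,
# and the default 5 key shares with a threshold of 3.
set -eu

# Extract the unseal key shares from the plain-text output of
# `vault operator init` (lines of the form "Unseal Key N: <share>").
unseal_keys_from_init() {
    sed -n 's/^Unseal Key [0-9][0-9]*: *//p'
}

# Extract the initial root token ("Initial Root Token: <token>").
root_token_from_init() {
    sed -n 's/^Initial Root Token: *//p'
}

# Read key shares from stdin and feed the first $1 (default 3) of them to
# `vault operator unseal`. Stop at the threshold so no more shares than
# necessary pass through this shell.
unseal_from_keys() {
    threshold="${1:-3}"
    head -n "$threshold" | while IFS= read -r share; do
        vault operator unseal "$share" >/dev/null
    done
}

# Print "unsealed" or "sealed" based on `vault status -format=json`.
# (vault status exits non-zero when sealed, so test the JSON, not $?.)
seal_state() {
    if vault status -format=json | grep -q '"sealed": *false'; then
        echo unsealed
    else
        echo sealed
    fi
}

# End-to-end lab bootstrap; runs only when RUN_BOOTSTRAP=1 is set.
# The init output is written to a file readable only by the current user.
# Move that file to your offline backup location and delete it here:
# it holds every key share and the root token.
bootstrap_lab_vault() {
    umask 077
    vault operator init > vault-init.txt
    unseal_keys_from_init < vault-init.txt | unseal_from_keys 3
    seal_state
}

if [ "${RUN_BOOTSTRAP:-0}" = 1 ]; then
    bootstrap_lab_vault
fi
```

Run it as RUN_BOOTSTRAP=1 sh bootstrap.sh on a freshly installed server; it should print “unsealed”. Parsing the human-readable output works for the default layout, but the robust option is “vault operator init -format=json”, whose unseal_keys_b64 array and root_token field can be read with jq. Either way, the init output is the most sensitive artifact of the whole setup: keep it off the server once the shares and token are backed up.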

Access the Vault as root

The environment variables we’ve been setting are for the Vault binary to use in the command line.

Run the command in Figure 7 to set the VAULT_TOKEN variable to the root token.

The root token allows you to act as root on the vault. You need root access on the vault so that you can complete the following steps to configure the secrets engine. Make sure to replace {{{your root token}}} with the initial root token you captured in the “Initialize the Vault” step above. Note that a token exported in your shell ends up in your shell history; once the initial configuration is done, revoke the initial root token with “vault token revoke” and work with less privileged tokens for day-to-day use.

export VAULT_TOKEN={{{your root token}}}