Hello everyone. In today’s blog we will discuss HashiCorp Vault, a secret management tool that provides a secure and reliable way to store secrets such as passwords, access tokens and secret API keys.
Applications that interact with third-party services need credentials to do so, and in some scenarios different requests need different credentials. So where will you store them? Can you really hard-code them and push them to your version control system? Of course not. This is not a recommended approach.
Managing secrets can become very challenging. The more external services your application interacts with, the more secrets need to be managed, because every service requires an API key or some other credentials.
So, what can we do now? Why not Vault it? 😉
Let’s see how to set up Vault
- Download Vault from the URL: https://www.vaultproject.io/downloads.html
- Extract the downloaded package.
- Verify the installation by running the vault command. The output should be something like this:
Starting the Server (Dev server)
- Start the server using the command below:
vault server -dev
The output should be something like:
- Vault dev server runs on http://127.0.0.1:8200 by default. To change this address, use the option -dev-listen-address,
e.g. vault server -dev -dev-listen-address=127.0.0.2:8202
Note: The dev server stores all its data in memory.
- From a new terminal, export the environment variables below.
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_DEV_ROOT_TOKEN_ID=s.Gk9QoTFCG5ogmgoBU3d4s4EM
VAULT_ADDR is the address on which the Vault server is running.
VAULT_DEV_ROOT_TOKEN_ID is the root token provided by the Vault server on start.
- Verify the server is running using the command below:
vault status
The output should be something like:
Writing and Reading secrets through CLI
- Writing the secret keys –
vault kv put secret/dev/aws aws_access_token_key=1234 aws_access_token_secret=1234
This writes the keys aws_access_token_key and aws_access_token_secret to the path secret/dev/aws.
- Reading the secret keys –
vault kv get secret/dev/aws

Output:
The path prefix secret is the path at which the default kv secrets engine is enabled. We can also create and enable our own path.
Reading secrets through cURL request.
Apart from CLI, Vault also provides access through the HTTP API. To use these HTTP APIs, we can use cURL or any other HTTP client to make API calls.
To read the secrets through cURL, we can use the cURL request:
curl -H "X-Vault-Token: s.Gk9QoTFCG5ogmgoBU3d4s4EM" -X GET http://127.0.0.1:8200/v1/secret/data/dev/aws
As done using cURL, we can make these API calls in our code as well.
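The same read done from code, as an added example (not from the original post or its Scala sample). It shows how the CLI path secret/dev/aws maps to the HTTP path secret/data/dev/aws used in the cURL request, and where the secret sits in the response. It assumes the token is supplied in a VAULT_TOKEN environment variable; the function names and the sample response are constructed for illustration.

```python
import json
import os
import urllib.request


def kv2_read_url(vault_addr, cli_path, mount="secret"):
    """Map a CLI path (as in `vault kv get secret/dev/aws`) to its KV v2 read URL."""
    prefix = mount.strip("/") + "/"
    if not cli_path.startswith(prefix):
        raise ValueError(f"{cli_path!r} is not under mount {mount!r}")
    sub_path = cli_path[len(prefix):].strip("/")
    if not sub_path:
        raise ValueError("secret path is empty")
    # The KV v2 HTTP API inserts "data/" between the mount and the secret path.
    return f"{vault_addr.rstrip('/')}/v1/{prefix}data/{sub_path}"


def extract_kv2_secret(body):
    """Return the key/value pairs from a KV v2 read response body."""
    doc = json.loads(body)
    # The secret is nested under data.data; data.metadata holds version info.
    inner = (doc.get("data") or {}).get("data")
    if inner is None:
        raise LookupError(f"no secret data in response: errors={doc.get('errors')}")
    return inner


def read_secret(cli_path):
    """Read a secret over HTTP, taking address and token from the environment."""
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    token = os.environ["VAULT_TOKEN"]  # assumption: token comes from the env, never hard-coded
    req = urllib.request.Request(kv2_read_url(addr, cli_path),
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return extract_kv2_secret(resp.read())


# Constructed sample of a KV v2 read response (not captured from a real server).
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "data": {"aws_access_token_key": "1234", "aws_access_token_secret": "1234"},
        "metadata": {"version": 1, "destroyed": False},
    }
})

if __name__ == "__main__":
    print(kv2_read_url("http://127.0.0.1:8200", "secret/dev/aws"))
    print(sorted(extract_kv2_secret(SAMPLE_RESPONSE)))  # key names only, not values
```

With the dev server running and VAULT_TOKEN set, read_secret("secret/dev/aws") returns the two keys written earlier.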
For a sample of using Vault with Scala, please refer to: https://github.com/jainnancy/sample-vault
Hope you liked the blog. Thanks for reading.😊
