Getting Started with Vault

Hello everyone. In today’s blog we will discuss HashiCorp Vault, a secret management tool that provides a secure and reliable way to store secrets such as passwords, access tokens, secret API keys, etc.

Applications that interact with third-party services need various credentials to do so, and there are scenarios in which different requests need different credentials. So, where will you store them? Can you really hard-code them and publish them to your version control system? Of course not. This is not a recommended approach.

Managing secrets can become very challenging. The more external services your application interacts with, the more secrets need to be managed, because every service requires an API key or some other credentials.

So, what can we do now? Why not Vault it? 😉

Let’s see how to set up Vault

  1. Download Vault from the URL: https://www.vaultproject.io/downloads.html
  2. Extract the downloaded package.
  3. Verify the installation by running the vault command. The output should be something like this:
    [Screenshot: output of the vault command]

Starting the Server (Dev server)

  1. Start the server using the command below:

    vault server -dev

    The output should be something like:
    [Screenshot: output of vault server -dev]
  2. The Vault dev server runs on http://127.0.0.1:8200 by default. To change this address, use the -dev-listen-address option, e.g.

    vault server -dev -dev-listen-address=127.0.0.2:8202

    Note: The dev server stores all its data in memory, so everything written to it is lost when the server stops.

  3. From a new terminal, export the environment variables below.

    export VAULT_ADDR='http://127.0.0.1:8200'
    export VAULT_DEV_ROOT_TOKEN_ID=s.Gk9QoTFCG5ogmgoBU3d4s4EM

    VAULT_ADDR is the address on which the Vault server is running.
    VAULT_DEV_ROOT_TOKEN_ID is the Root Token provided by the Vault server on start.

  4. Verify the server is running using the command below:

    vault status

    The output should be something like:

    [Screenshot: output of vault status]

Writing and Reading secrets through CLI

  • Writing the secret keys – 

vault kv put secret/dev/aws aws_access_token_key=1234 aws_access_token_secret=1234

This will write the keys aws_access_token_key and aws_access_token_secret to the path secret/dev/aws.

  • Reading the secret keys – 

vault kv get secret/dev/aws

Output:

[Screenshot: output of vault kv get secret/dev/aws]

The path prefix secret is the path at which the default secrets engine, kv, is enabled. We can also create and enable our own path.

Reading secrets through a cURL request

Apart from CLI, Vault also provides access through the HTTP API. To use these HTTP APIs, we can use cURL or any other HTTP client to make API calls.
To read the secrets through cURL, we can use the cURL request:

curl -H "X-Vault-Token: s.Gk9QoTFCG5ogmgoBU3d4s4EM" -X GET http://127.0.0.1:8200/v1/secret/data/dev/aws

Just as we did with cURL, we can make these API calls from our code as well.
For a sample that uses Vault with Scala, please refer to the link: https://github.com/jainnancy/sample-vault
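
The same read as the cURL request above, as an added Python example (it is not from the original post or the linked Scala sample). It assumes the KV version 2 engine mounted at secret, which is why the CLI path secret/dev/aws becomes /v1/secret/data/dev/aws over HTTP, and it reads the token from a VAULT_TOKEN environment variable instead of hard-coding it; the function names and the sample response are constructed for illustration.

```python
import json
import os
import urllib.request

def kv2_url(addr, mount, path):
    """Map a CLI path such as secret/dev/aws to the KV v2 HTTP read endpoint."""
    return f"{addr.rstrip('/')}/v1/{mount.strip('/')}/data/{path.strip('/')}"

def extract_secret(body):
    """Return the key/value pairs from a KV v2 read response.

    KV v2 nests the secret under data.data, next to data.metadata;
    data.data may be null (for example for a deleted version).
    """
    wrapper = body.get("data") or {}
    values = wrapper.get("data")
    if values is None:
        raise KeyError("no secret data in response")
    return values

def read_secret(mount, path):
    """Read a secret over HTTP; address and token come from the environment."""
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    token = os.environ["VAULT_TOKEN"]  # assumption: exported by the caller, never hard-coded
    req = urllib.request.Request(kv2_url(addr, mount, path),
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return extract_secret(json.load(resp))

# Constructed sample of a KV v2 read response for secret/dev/aws (not captured output).
SAMPLE_RESPONSE = json.loads("""
{
  "data": {
    "data": {"aws_access_token_key": "1234", "aws_access_token_secret": "1234"},
    "metadata": {"version": 1, "destroyed": false, "deletion_time": ""}
  }
}
""")

if __name__ == "__main__":
    print(kv2_url("http://127.0.0.1:8200", "secret", "dev/aws"))
    # Print key names only, so secret values do not end up in logs.
    print(sorted(extract_secret(SAMPLE_RESPONSE)))
```

With the dev server from the steps above running, read_secret("secret", "dev/aws") performs the actual HTTP call.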

Hope you liked the blog. Thanks for Reading.😊

References:
https://learn.hashicorp.com/vault/


Written by 

Nancy Jain is a software consultant with more than 6 months of experience. She likes to explore new technologies and trends in the IT world. Her hobbies include watching web series, writing and travelling. Nancy is familiar with programming languages such as Java, Scala, C, C++, HTML and JavaScript, and she is currently working on reactive technologies like Scala, DynamoDb and AkkaHttp.