Quick Steps
- Pull docker image
- Start Vault Container
- Initialize Vault and backup keys
- Create Client Token
- Unseal the Vault
- Use Client Token with one of the APIs
Walkthrough
This walkthrough is aimed at readers who are new to Vault, or DevOps engineers who just need an API to develop automated deployment scripts against. A production environment should be installed and operated by a HashiCorp Vault expert.
Pull and Run
Pull the docker image and run it in the foreground with port 8200 exposed, using the following commands:

```
docker pull vault
docker run --cap-add=IPC_LOCK -p 8200:8200 \
  -e 'VAULT_LOCAL_CONFIG={"backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h", "listener" : {"tcp":{"address":"0.0.0.0:8200", "tls_disable":"1"}}}' \
  vault server
```
Initialize
Obtain a shell in the running container: use docker ps to get the container ID, then docker exec into it.

```
# command to list running containers
docker ps
# Output
CONTAINER ID   IMAGE   COMMAND                  CREATED          STATUS         PORTS                    NAMES
6fba5d080f96   vault   "docker-entrypoint.s…"   10 seconds ago   Up 9 seconds   0.0.0.0:8200->8200/tcp   xenodochial_jennings
# command to obtain shell
docker exec -it 6fba5d080f96 sh
```
Because our local environment is simple, with no HTTPS or certificates, we point the Vault command line tools at the plain-HTTP endpoint by setting VAULT_ADDR:

```
export VAULT_ADDR='http://127.0.0.1:8200'
```

```
# Command
vault status
# Output
Error checking seal status: Error making API request.

URL: GET http://127.0.0.1:8200/v1/sys/seal-status
Code: 400. Errors:

* server is not yet initialized
```
The command above shows that Vault is not yet initialized. The following command initializes it, generating 5 key shares, of which 3 are needed for unsealing.

```
# Command
vault operator init
# Output
Unseal Key 1: q0r01kPVWGFbx5cTCkDoB8S1bE7SminV7yD/tR2wTaig
Unseal Key 2: Q6VZFa23QjC2ZfQD6m11ewpN3TfXGMZXx3y8WQKq9wHC
Unseal Key 3: Sojl+vJDX32hEw8OXAo8Iu7EkLWRzatmbk53jIk+ra0f
Unseal Key 4: ih5gre7jJjqU/8XvKrZ4ou1Km4G2HM3LEOaIjODnSvKc
Unseal Key 5: PPYsA8PaogDKmEtVbmRflXpmh+Ovm45poOEH7vdY6aEL
Initial Root Token: f795b517-960d-3cd8-c585-f1017dac629b

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault rekey" for more information.
```
Create Client Token
Now that the Vault is initialized, we can generate a client token to use with our apps or external systems. However, before we can use any Vault commands from the server, we need to export the initial root token, which allows us to interact with the Vault services. Note that vault token create with no -policy flag gives the new token the same policies as the caller, so the token created here carries the root policy (token_policies [root] in the output) and is only suitable for a local sandbox.

```
# Command to export vault root token
export VAULT_TOKEN='f795b517-960d-3cd8-c585-f1017dac629b'
# Command to create a client token
vault token create
# Output
Key                Value
---                -----
token              90343e4c-58de-1090-5028-36c8ecddc714
token_accessor     9a373392-d436-383d-2397-488717634258
token_duration     ∞
token_renewable    false
token_policies     [root]
```
Unseal and work with Vault Services from Client
Next we export the Vault address and the client token so that we can unseal the Vault and work against it.

```
# Commands to export vault token and address
export VAULT_TOKEN='90343e4c-58de-1090-5028-36c8ecddc714'
export VAULT_ADDR='http://192.168.99.100:8200'

# Commands to unseal vault. This will be executed 3 times while passing a different key
vault unseal
# output
WARNING! The "vault unseal" command is deprecated. Please use
"vault operator unseal" instead. This command will be removed in Vault
0.11 (or later).

Unseal Key (will be hidden):
Key                Value
---                -----
Seal Type          shamir
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       e459674e-fa1e-74d3-fcb9-e15325f8f338
Version            0.10.1
HA Enabled         true

# Command execution 2nd
vault unseal
# Output
WARNING! The "vault unseal" command is deprecated. Please use
"vault operator unseal" instead. This command will be removed in Vault
0.11 (or later).

Unseal Key (will be hidden):
Key                Value
---                -----
Seal Type          shamir
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    2/3
Unseal Nonce       e459674e-fa1e-74d3-fcb9-e15325f8f338
Version            0.10.1
HA Enabled         true

# Command execution 3rd
vault unseal
# output
WARNING! The "vault unseal" command is deprecated. Please use
"vault operator unseal" instead. This command will be removed in Vault
0.11 (or later).

Unseal Key (will be hidden):
Key             Value
---             -----
Seal Type       shamir
Sealed          false
Total Shares    5
Threshold       3
Version         0.10.1
Cluster Name    vault-cluster-19cc53e6
Unseal Key 1: q0r01kPVWGFbx5cTCkDoB8S1bE7SminV7yD/tR2wTaig
Cluster ID      5719a442-bb46-a446-acda-9d23e487bbf8
HA Enabled      false
```
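As an added example (not code from the original post), here are the token and unseal steps above driven through Vault's HTTP API from Python, the way a deployment script would do it: unseal submits key shares one at a time until the 3-of-5 threshold is met, and create_token asks for explicit policies and a TTL instead of inheriting the caller's root policy. The VaultClient class, the policy names and the fake_vault stand-in are assumptions constructed for this example; the endpoints (/v1/sys/seal-status, /v1/sys/unseal, /v1/auth/token/create) and the X-Vault-Token header are Vault's documented API.

```python
import json
import urllib.request

class VaultClient:
    """Tiny Vault HTTP client for deployment scripts (added example, not from the post)."""
    def __init__(self, addr, token="", transport=None):
        self.addr, self.token = addr.rstrip("/"), token
        self.transport = transport or self._http  # swappable so the example runs offline

    def _http(self, method, path, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.addr + path, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}

    def _call(self, method, path, body=None):
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["X-Vault-Token"] = self.token  # token travels in a header, never in the URL
        return self.transport(method, path, headers, body)

    def unseal(self, key_shares):
        """Submit shares one at a time and stop as soon as sealed flips to false (t of n)."""
        status = self._call("GET", "/v1/sys/seal-status")
        for key in key_shares:
            if not status["sealed"]:
                break
            status = self._call("PUT", "/v1/sys/unseal", {"key": key})
        if status["sealed"]:
            raise RuntimeError(f"still sealed: {status['progress']}/{status['t']} shares accepted")
        return status

    def create_token(self, policies, ttl="1h"):
        """Mint a child token with explicit policies and a TTL rather than inheriting root."""
        return self._call("POST", "/v1/auth/token/create", {"policies": policies, "ttl": ttl})["auth"]

def fake_vault(threshold=3, shares=5):
    """Constructed in-memory stand-in for a sealed Vault, used here instead of a live server."""
    st = {"sealed": True, "t": threshold, "n": shares, "progress": 0}
    def send(method, path, headers, body):
        if path == "/v1/sys/unseal":
            st["progress"] += 1
            if st["progress"] >= st["t"]:
                st.update(sealed=False, progress=0)
        elif path == "/v1/auth/token/create":
            return {"auth": {"client_token": "s.constructed", "policies": body["policies"]}}
        return dict(st)
    return send
```

Against a real server, drop the transport argument and pass the VAULT_ADDR and root token from the init step; the unseal loop then behaves exactly like the three vault unseal runs shown above.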
Now we can work with Vault, following the quick start tutorials.
Put a password
```
vault kv put secret/password value=itsasecret
```
Get a password
```
# Command
vault kv get secret/password
# Output
==== Data ====
Key      Value
---      -----
value    itsasecret
```
Using JSON

```
# Command
vault kv get -format json secret/password
# Output
{
  "request_id": "239272e5-abe8-c2af-93f9-655e718141f6",
  "lease_id": "",
  "lease_duration": 604800,
  "renewable": false,
  "data": {
    "value": "itsasecret"
  },
  "warnings": null
}
# Pipe to JQ and get your value
vault kv get -format json secret/password | jq -r ".data.value"
# Output
itsasecret
```
One response to “How to get Docker Vault going in no time”