How to get Docker Vault going in no time

Quick Steps


  • Pull docker image
  • Start Vault Container
  • Initialize Vault and backup keys
  • Create Client Token
  • Unseal the Vault
  • Use Client Token with one of the APIs


Walkthrough

This walkthrough is aimed at readers who are new to Vault, or DevOps engineers who just need an API to develop auto-deployment scripts against. A production environment should be installed and operated by a HashiCorp Vault expert.

Pull and Run

Pull the Docker image and run it in the foreground with port 8200 exposed, using the following command. The inline config uses the file backend and disables TLS on the listener, which is why the rest of the walkthrough talks to Vault over plain HTTP:

docker pull vault
docker run --cap-add=IPC_LOCK  -p 8200:8200 -e 'VAULT_LOCAL_CONFIG={"backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h", "listener" : {"tcp":{"address":"0.0.0.0:8200", "tls_disable":"1"}}}'  vault server

Initialize

Obtain a shell in the running container: use docker ps to get the container ID, then docker exec into it.

#command to list running containers
docker ps
#Output
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
6fba5d080f96        vault               "docker-entrypoint.s…"   10 seconds ago      Up 9 seconds        0.0.0.0:8200->8200/tcp   xenodochial_jennings

#command to obtain shell
docker exec -it 6fba5d080f96 sh

Because our local environment is simple, without HTTPS or certificates, we point VAULT_ADDR at the plain-HTTP endpoint so that the vault command-line tools can reach the server:

export VAULT_ADDR='http://127.0.0.1:8200'
# Command
vault status

# Output
Error checking seal status: Error making API request.

URL: GET http://127.0.0.1:8200/v1/sys/seal-status
Code: 400. Errors:

* server is not yet initialized

The output above shows that Vault is not yet initialized. The following command initializes it, generating 5 unseal key shares, any 3 of which are needed to unseal.

# Command
vault operator init

# Output
Unseal Key 1: q0r01kPVWGFbx5cTCkDoB8S1bE7SminV7yD/tR2wTaig
Unseal Key 2: Q6VZFa23QjC2ZfQD6m11ewpN3TfXGMZXx3y8WQKq9wHC
Unseal Key 3: Sojl+vJDX32hEw8OXAo8Iu7EkLWRzatmbk53jIk+ra0f
Unseal Key 4: ih5gre7jJjqU/8XvKrZ4ou1Km4G2HM3LEOaIjODnSvKc
Unseal Key 5: PPYsA8PaogDKmEtVbmRflXpmh+Ovm45poOEH7vdY6aEL

Initial Root Token: f795b517-960d-3cd8-c585-f1017dac629b

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault rekey" for more information.

Create Client Token

Now that the vault is initialized, we can generate a client token for our apps or external systems. Before we can run any Vault commands from inside the container, though, we need to export the initial root token, which authorizes us to interact with Vault's services. Note that vault token create with no options creates a child of the calling token, so the token below inherits the root policy and never expires (token_policies [root], token_duration ∞); pass -policy and -ttl to scope it down.

# Command to export vault root token
export VAULT_TOKEN='f795b517-960d-3cd8-c585-f1017dac629b'

# Command to create a client token
vault token create
# Output
Key                Value
---                -----
token              90343e4c-58de-1090-5028-36c8ecddc714
token_accessor     9a373392-d436-383d-2397-488717634258
token_duration     ∞
token_renewable    false
token_policies     [root]

Unseal and work with Vault Services from Client

Next we'll export the Vault address and the client token, so that we can unseal the vault and work against it from the client.

# Commands to export vault token and address
export VAULT_TOKEN='90343e4c-58de-1090-5028-36c8ecddc714'
export VAULT_ADDR='http://192.168.99.100:8200'

# Command to unseal the vault. It is run 3 times, each time with a different key
vault unseal
# output
WARNING! The "vault unseal" command is deprecated. Please use "vault operator
unseal" instead. This command will be removed in Vault 0.11 (or later).

Unseal Key (will be hidden):
Key                Value
---                -----
Seal Type          shamir
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       e459674e-fa1e-74d3-fcb9-e15325f8f338
Version            0.10.1
HA Enabled         true

# Command execution 2nd
vault unseal
# Output
WARNING! The "vault unseal" command is deprecated. Please use "vault operator
unseal" instead. This command will be removed in Vault 0.11 (or later).

Unseal Key (will be hidden):
Key                Value
---                -----
Seal Type          shamir
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    2/3
Unseal Nonce       e459674e-fa1e-74d3-fcb9-e15325f8f338
Version            0.10.1
HA Enabled         true

# Command execution 3rd
vault unseal
# output
WARNING! The "vault unseal" command is deprecated. Please use "vault operator
unseal" instead. This command will be removed in Vault 0.11 (or later).

Unseal Key (will be hidden):
Key             Value
---             -----
Seal Type       shamir
Sealed          false
Total Shares    5
Threshold       3
Version         0.10.1
Cluster Name    vault-cluster-19cc53e6
Cluster ID      5719a442-bb46-a446-acda-9d23e487bbf8
HA Enabled      false

Now we can use Vault by following the quick start tutorials.

Put a password

vault kv put secret/password value=itsasecret

Get a password

# Command
vault kv get secret/password
#Output
==== Data ====
Key      Value
---      -----
value    itsasecret

Using JSON

# Command
vault kv get -format json  secret/password

# Output
{
  "request_id": "239272e5-abe8-c2af-93f9-655e718141f6",
  "lease_id": "",
  "lease_duration": 604800,
  "renewable": false,
  "data": {
    "value": "itsasecret"
  },
  "warnings": null
}

# Pipe to jq to extract just the value
vault kv get -format json secret/password | jq -r ".data.value"
#Output
itsasecret
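As an added example (not code from the post or from HashiCorp), here is the unseal sequence above and the final secret read scripted against Vault's HTTP API, the way a deployment script would do it without shelling out to the CLI. It assumes the post's dev container (TLS disabled, so plain http://, and KV v1 under secret/), parses the text that vault operator init prints, and stops submitting shares as soon as /v1/sys/unseal reports sealed false, so never more than a threshold's worth of shares is sent.

```python
# Added example (not from the post): parse `vault operator init` output and drive
# the unseal loop through Vault's HTTP API, as the post's deploy scripts would.
# Assumes the post's dev container (TLS disabled, http://127.0.0.1:8200).
import json
import re
import urllib.request

KEY_LINE = re.compile(r"^Unseal Key \d+: (\S+)$", re.MULTILINE)
TOKEN_LINE = re.compile(r"^Initial Root Token: (\S+)$", re.MULTILINE)

def parse_init_output(text):
    """Return (key_shares, root_token) from the text `vault operator init` prints."""
    keys, token = KEY_LINE.findall(text), TOKEN_LINE.search(text)
    if not keys or token is None:
        raise ValueError("not the output of 'vault operator init'")
    return keys, token.group(1)

def vault_submit(addr):
    """Callable that PUTs one share to /v1/sys/unseal and returns the seal
    status JSON ({"sealed", "t", "n", "progress", ...}); an HTTP 400 raises."""
    def submit(key):
        req = urllib.request.Request(
            f"{addr}/v1/sys/unseal", method="PUT",
            data=json.dumps({"key": key}).encode(),
            headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return submit

def unseal(keys, submit):
    """Submit shares one at a time and stop as soon as Vault reports
    sealed == false, so only a threshold's worth of shares ever leaves
    this host.  Returns the number of shares used; raises if the shares
    run out first or the server's progress counter fails to advance."""
    status = {"t": "?"}
    for used, key in enumerate(keys, start=1):
        status = submit(key)
        if not status["sealed"]:
            return used
        if status["progress"] != used:
            raise RuntimeError(f"progress {status['progress']} after {used} shares")
    raise RuntimeError(f"still sealed after {len(keys)} shares (threshold {status['t']})")

def read_secret(addr, token, path="secret/password"):
    """GET a KV v1 secret (the post's `vault kv get secret/password`)."""
    req = urllib.request.Request(f"{addr}/v1/{path}", headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]
```

With the saved init output in hand, `shares, root = parse_init_output(open("init.txt").read())` followed by `unseal(shares, vault_submit("http://127.0.0.1:8200"))` and `read_secret("http://127.0.0.1:8200", root)` reproduces the walkthrough end to end.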
