Initial commit

README.md

@@ -1,3 +1,66 @@
 # vault-config
 
 Example config for a single-node experimental HashiCorp Vault instance
+
+## Get started
+
+Make sure Vault has access to:
+* `/vault/file`: storage location for the `file` backend
+* `/vault/logs`: storage location for audit logs
+* `/vault/config`: storage location for config file
+
+Run Vault as:
+```
+vault server -config=/vault/config/vault.hcl
+```
+
+Refer to [config/vault.hcl](config/vault.hcl) for content.
+
+## Configure
+
+Once Vault's initialized and with your `root` token in hand log in via the `token` auth method, make the following changes:
+* Add policies from [policies](policies) subdirectory into Vault
+* Create group `administrators`
+* Assign policies `administrator` and `auditor`
+* Create one entity to represent yourself as an administrator
+* Create on alias assigned to that entity for you to use as a username
+* Enable auth menthod `userpass`
+* Create one `userpass` username named like your alias, define your own password
+* Add your own entity to group `administrators`
+
+Log out. Never again use the `root` token unless there's a good reason.
+
+Get the Vault command-line client via [vaultproject.io/downloads](https://www.vaultproject.io/downloads). It'll install the Vault service itself along with the command-line client. Just ignore the service or keep it disabled via `systemctl disable --now vault.service`. You only need the `vault` binary.
+
+* Authenticate against Vault:
+    ```
+    export VAULT_ADDR='https://fully.qualified.domain.name/'
+    vault login
+
+    # Which will prompt for:
+    Token (will be hidden): 
+    ```
+    Enter your personal alias' token, do not ever again use the `root` token.
+
+* Enable audit file device (in non-Vault-speak "the audit log file"):
+    ```
+    # Enable
+    vault audit enable file file_path=/vault/logs/audit.log
+
+    # Expected output:
+    Success! Enabled the file audit device at: file/
+    ```
+    Confirm:
+    ```
+    # Confirm
+    vault audit list
+
+    # Expected output
+    Path     Type    Description
+    ----     ----    -----------
+    file/    file    n/a
+    ```
+
+## Clean-up
+
+If during any of the above steps you've used the Vault command-line client to authenticate against Vault with your `root` token make sure that client's `~/.vault-token` file is deleted. It contains the verbatim `root` token.

config/vault.hcl

@@ -0,0 +1,12 @@
+backend "file" {
+    path        = "/vault/file"
+}
+
+listener "tcp" {
+    address     = "0.0.0.0:8200"
+    tls_disable = 1
+}
+
+api_addr = "https://fully.qualified.domain.name"
+disable_clustering = true
+ui = true

policies/role-administrator/administrator.hcl

@@ -0,0 +1,59 @@
+# Read system health check
+path "sys/health"
+{
+  capabilities = ["read", "sudo"]
+}
+
+# Create and manage ACL policies broadly across Vault
+
+# List existing policies
+path "sys/policies/acl"
+{
+  capabilities = ["list"]
+}
+
+# Create and manage ACL policies
+path "sys/policies/acl/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Enable and manage authentication methods broadly across Vault
+
+# Manage auth methods broadly across Vault
+path "auth/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Create, update, and delete auth methods
+path "sys/auth/*"
+{
+  capabilities = ["create", "update", "delete", "sudo"]
+}
+
+# List auth methods
+path "sys/auth"
+{
+  capabilities = ["read"]
+}
+
+# Enable and manage the key/value secrets engine at `secret/` path
+
+# List, create, update, and delete key/value secrets
+path "secret/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Manage secrets engines
+path "sys/mounts/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# List existing secrets engines.
+path "sys/mounts"
+{
+  capabilities = ["read"]
+}

policies/role-administrator/auditor.hcl

@@ -0,0 +1,11 @@
+# Allow enabling of audit logging to file
+path "sys/audit/file"
+{
+  capabilities = ["update", "sudo"]
+}
+
+# Allow listing of audit devices
+path "sys/audit"
+{
+  capabilities = ["read", "sudo"]
+}