# vault-config

Example config for a single-node experimental HashiCorp Vault instance.

## Get started

Make sure Vault has access to:

* `/vault/file`: storage location for the `file` backend
* `/vault/logs`: storage location for audit logs
* `/vault/config`: storage location for the config file

Run Vault as:

```
vault server -config=/vault/config/vault.hcl
```

Refer to [config/vault.hcl](config/vault.hcl) for content.

## Configure

Once Vault is initialized and you have the `root` token in hand, log in via the `token` auth method and make the following changes:

* Add the policies from the [policies](policies) subdirectory to Vault
* Create the group `administrators`
* Assign the policies `administrator` and `auditor` to that group
* Create one entity to represent yourself as an administrator
* Create one alias, attached to that entity, to use as your username
* Enable the `userpass` auth method
* Create one `userpass` user named like your alias, with a password of your own choosing
* Add your entity to the group `administrators`

Log out. Never use the `root` token again unless there is a good reason.

Get the Vault command-line client via [vaultproject.io/downloads](https://www.vaultproject.io/downloads). The package installs the Vault service along with the command-line client. Ignore the service or keep it disabled via `systemctl disable --now vault.service`; you only need the `vault` binary.

* Authenticate against Vault with your own `userpass` account (the alias you created above), never with the `root` token:

```
export VAULT_ADDR='https://fully.qualified.domain.name/'
vault login -method=userpass username=<your alias>
# Which will prompt for:
Password (will be hidden):
```

* Enable the file audit device (in non-Vault-speak, "the audit log file"):

```
# Enable
vault audit enable file file_path=/vault/logs/audit.log
# Expected output:
Success! Enabled the file audit device at: file/
```

Confirm:

```
# Confirm
vault audit list
# Expected output
Path     Type    Description
----     ----    -----------
file/    file    n/a
```

Two things to keep in mind once the device is enabled: Vault refuses to answer any request it cannot write to at least one audit device, so if `/vault/logs/audit.log` becomes unwritable (disk full, wrong permissions) Vault stops responding until it can log again; and although Vault HMACs secret values before writing them, the log still records every request and response, so keep `/vault/logs` readable only by the user Vault runs as.

## Clean-up

If during any of the above steps you used the Vault command-line client to authenticate against Vault with your `root` token, make sure that client's `~/.vault-token` file is deleted. It contains the verbatim `root` token. Check as well that the token did not end up in your shell history, for example through a `VAULT_TOKEN=...` prefix on a command line. If you still hold the initial `root` token, revoke it (`vault token revoke -self` while authenticated with it); should you ever need a new one, `vault operator generate-root` creates it from the unseal keys.
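The Configure steps above as a script, added here as a worked example; it is not a file from this repository. It assumes the policy files are named `policies/<name>.hcl` (so `policies/administrator.hcl` and `policies/auditor.hcl` exist), that `userpass` is mounted at its default path `auth/userpass`, and that you are already logged in with the `root` token. The password is read from stdin or a hidden prompt and handed to Vault with `password=-`, so it never appears in `argv`, `ps` output or shell history. The function and variable names are the example's own.

```shell
#!/bin/sh
# bootstrap-admin.sh: scripted version of the Configure section.
# Added example for this README, not a file from the vault-config repository.
# Assumptions not stated by the README: policies live in ./policies/<name>.hcl,
# userpass is mounted at auth/userpass, and you are already logged in as root.
set -eu

POLICY_DIR=${POLICY_DIR:-policies}

# Add every policies/*.hcl as a policy named after the file (administrator, auditor, ...).
load_policies() {
  found=0
  for f in "$POLICY_DIR"/*.hcl; do
    [ -e "$f" ] || continue          # unexpanded glob: no files present
    found=1
    vault policy write "$(basename "$f" .hcl)" "$f"
  done
  [ "$found" -eq 1 ] || { echo "no *.hcl files in $POLICY_DIR" >&2; return 1; }
}

# Read a password from stdin; hide the echo when stdin is a terminal.
# Keeping it off the command line keeps it out of argv, ps output and shell history.
read_password() {
  if [ -t 0 ]; then
    printf 'Password for %s: ' "$1" >&2
    stty -echo
    IFS= read -r pw || pw=''
    stty echo
    printf '\n' >&2
  else
    IFS= read -r pw || pw=''
  fi
  printf '%s' "$pw"
}

# Enable userpass if it is not mounted yet, then print the mount accessor,
# which is what binds an entity alias to a login name on that mount.
enable_userpass() {
  if ! vault auth list | grep -q '^userpass/'; then
    vault auth enable userpass
  fi
  vault read -field=accessor sys/auth/userpass
}

# One-time bootstrap: policies, userpass user, entity, alias and the
# administrators group carrying the administrator and auditor policies.
bootstrap_admin() {
  user=$1
  password=$(read_password "$user")
  [ -n "$password" ] || { echo "empty password for $user" >&2; return 1; }

  load_policies
  accessor=$(enable_userpass)

  # password=- makes the CLI read the value from stdin instead of the argument list.
  printf '%s' "$password" | vault write "auth/userpass/users/$user" password=-

  # .../name/<name> paths create on first write and update afterwards,
  # so rerunning the script does not produce duplicate entities or groups.
  vault write -f "identity/entity/name/$user" >/dev/null
  entity_id=$(vault read -field=id "identity/entity/name/$user")

  # The alias maps a userpass login called $user onto the entity.
  # This write is rejected on a second run: (mount, alias name) must be unique.
  vault write identity/entity-alias name="$user" \
    canonical_id="$entity_id" mount_accessor="$accessor" >/dev/null

  # Policies sit on the group, so membership alone grants administrator+auditor.
  # Writing member_entity_ids replaces the list; add later admins by updating the group.
  vault write identity/group/name/administrators \
    policies=administrator,auditor member_entity_ids="$entity_id" >/dev/null
  group_id=$(vault read -field=id identity/group/name/administrators)

  printf 'entity=%s group=%s\n' "$entity_id" "$group_id"
}

# Enable the file audit device unless one is already mounted at file/.
# Run this as your own user after logging out of root; once enabled, Vault
# refuses requests it cannot audit, so /vault/logs must stay writable.
enable_file_audit() {
  if vault audit list 2>/dev/null | grep -q '^file/'; then
    echo "audit device file/ already enabled" >&2
    return 0
  fi
  vault audit enable file file_path="$1"
}

case "${1:-}" in
  admin) bootstrap_admin "${2:?usage: bootstrap-admin.sh admin <username>}" ;;
  audit) enable_file_audit "${2:-/vault/logs/audit.log}" ;;
  '')    ;;   # run without arguments: only define the functions
  *)     echo "usage: bootstrap-admin.sh admin <username> | audit [file_path]" >&2; exit 2 ;;
esac
```

Run it once as `sh bootstrap-admin.sh admin <your alias>` while logged in with the `root` token (it prompts for the password, or reads one line from stdin), then log out, log in with the new user and run `sh bootstrap-admin.sh audit` to enable the file audit device. The entity and group are written through `identity/entity/name/<name>` and `identity/group/name/<name>`, which create on the first write and update afterwards; the entity-alias write is the one step Vault rejects on a second run, and rewriting the group replaces `member_entity_ids`, so add further administrators by updating the group rather than rerunning the script.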