vault-config
Example config for a single-node experimental HashiCorp Vault instance
Get started
Make sure Vault has access to:
/vault/file: storage location for thefilebackend/vault/logs: storage location for audit logs/vault/config: storage location for config file
Run Vault as:
vault server -config=/vault/config/vault.hcl
Refer to config/vault.hcl for content.
Configure
Once Vault's initialized and with your root token in hand log in via the token auth method, make the following changes:
- Add policies from policies subdirectory into Vault
- Create group
administrators - Assign policies
administratorandauditorto that group - Create one entity to represent yourself as an administrator
- Create on alias assigned to that entity for you to use as a username
- Enable auth menthod
userpass - Create one
userpassusername named like your alias, define your own password - Add your own entity to group
administrators
Log out. Never again use the root token unless there's a good reason.
Get the Vault command-line client via vaultproject.io/downloads. It'll install the Vault service itself along with the command-line client. Just ignore the service or keep it disabled via systemctl disable --now vault.service. You only need the vault binary.
-
Authenticate against Vault:
export VAULT_ADDR='https://fully.qualified.domain.name/' vault login # Which will prompt for: Token (will be hidden):Enter your personal alias' token, do not ever again use the
roottoken. -
Enable audit file device (in non-Vault-speak "the audit log file"):
# Enable vault audit enable file file_path=/vault/logs/audit.log # Expected output: Success! Enabled the file audit device at: file/Confirm:
# Confirm vault audit list # Expected output Path Type Description ---- ---- ----------- file/ file n/a
Clean-up
If during any of the above steps you've used the Vault command-line client to authenticate against Vault with your root token make sure that client's ~/.vault-token file is deleted. It contains the verbatim root token.