Step by step instructions for setting up HashiCorp Vault along with an initial admin user who can see the entire Vault UI.
Reference:
https://github.com/relay70/vaultInstall for an Ansible script that executes the steps listed below.
Installation
Commands
dnf install -y dnf-plugins-core
dnf config-manager --add-repo https://rpm.releases.hashicorp.com/fedora/hashicorp.repo
dnf -y install vault
Explanation
1 - Install dnf-plugins-core. This makes config-manager available for the next step.
2 - Install the HashiCorp repo.
3 - Install HashiCorp Vault.
Enable/Start Vault
Commands
systemctl enable vault
systemctl start vault
Explanation
1 - Enables vault to start on boot
2 - Starts vault
Initialize Vault
***Be sure to copy the Unseal Keys and Root Token produced by these commands. Keep them stored somewhere safe and accessible***
Commands
export VAULT_ADDR='https://127.0.0.1:8200'
export VAULT_SKIP_VERIFY=true
vault operator init
export VAULT_TOKEN=<ROOT TOKEN>
Explanation
1 - Sets environment variable with the local url to vault
2 - Most likely you won't have a valid SSL certificate. This makes the Vault client ignore SSL errors.
3 - Initializes the Vault database
4 - Set the Root Token as an environment variable. This will allow for authentication during the next commands.
Copy the Unseal keys, as well as the Root Token. Put them somewhere safe.
Unseal Database
Commands
vault operator unseal
vault operator unseal
vault operator unseal
Explanation
Completely unsealing the database requires 3 of the 5 Unseal Keys, so the unseal command must be run three times.
1 - Execute the unseal command and enter one of the Unseal Keys.
2 - Execute the unseal command again and enter a different Unseal Key.
3 - Execute the unseal command a third time and enter a different Unseal Key.
After the third run of this command the output will show "Sealed false", indicating it is properly unsealed.
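The init and unseal steps above can be scripted instead of typed by hand. The block below is an added example, not code from the original post or from the relay70 repository. It assumes the vault CLI is on PATH, that VAULT_ADDR and VAULT_SKIP_VERIFY are exported as in the commands above, and that it runs as root on the Vault host; the keys file path and the function names are this example's own. It parses the JSON that `vault operator init -format=json` and `vault status -format=json` print, feeds the threshold number of keys to `vault operator unseal`, and then checks the "sealed" field rather than relying on a human reading the output.

```shell
#!/bin/sh
# Added example (not part of the original post): script "vault operator init" and the
# threshold number of "vault operator unseal" runs, then confirm the sealed state.
# Assumptions: vault CLI on PATH, VAULT_ADDR/VAULT_SKIP_VERIFY exported as in the post,
# running as root. KEYFILE and the function names are this example's own conventions.

KEYFILE="${KEYFILE:-/root/vault-init.json}"

# extract_field KEY : print the string value of a "KEY": "value" pair read on stdin.
extract_field() {
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# unseal_threshold : print the numeric "unseal_threshold" from init JSON on stdin (default 3).
unseal_threshold() {
    t=$(sed -n 's/.*"unseal_threshold"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${t:-3}"
}

# unseal_keys : print each entry of the "unseal_keys_b64" array from init JSON on stdin,
# one per line. Newlines are stripped first so single- and multi-line JSON both work.
unseal_keys() {
    tr -d '\n' | sed -n 's/.*"unseal_keys_b64"[[:space:]]*:[[:space:]]*\[\([^]]*\)].*/\1/p' \
        | grep -o '"[^"]*"' | tr -d '"'
}

# sealed_state : print "true" or "false" from "vault status -format=json" read on stdin.
sealed_state() {
    grep -o '"sealed"[[:space:]]*:[[:space:]]*[a-z]*' | sed 's/.*:[[:space:]]*//'
}

# init_and_unseal : initialize once (skipped if the keys file already exists), then unseal
# with the threshold number of keys and export the root token for the following steps.
init_and_unseal() {
    if [ ! -f "$KEYFILE" ]; then
        # umask 077 keeps the unseal keys and root token readable by root only while on disk;
        # move them to proper storage afterwards, as the post says.
        (umask 077; vault operator init -format=json > "$KEYFILE") || return 1
    fi
    needed=$(unseal_threshold < "$KEYFILE")
    unseal_keys < "$KEYFILE" | head -n "$needed" | while IFS= read -r key; do
        # The key is piped on stdin rather than passed as an argument so it never shows in ps.
        printf '%s\n' "$key" | vault operator unseal > /dev/null || exit 1
    done || return 1
    state=$(vault status -format=json | sealed_state)
    if [ "$state" != "false" ]; then
        echo "Vault still sealed after $needed keys" >&2
        return 1
    fi
    echo "Vault is unsealed"
    VAULT_TOKEN=$(extract_field root_token < "$KEYFILE")
    export VAULT_TOKEN
}
```

Source the file and call the function (for example `. ./vault-unseal.sh && init_and_unseal`) so the exported VAULT_TOKEN survives in your shell for the policy and user commands that follow; the parsing functions can also be used on their own, for instance `vault status -format=json | sealed_state`.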
Create Admin Policy and Admin User
Commands
wget -O /tmp/adminPolicy.hcl https://raw.githubusercontent.com/relay70/vaultInstall/refs/heads/main/configFiles/adminPolicy.hcl
vault policy write admin /tmp/adminPolicy.hcl
vault auth enable userpass
vault write auth/userpass/users/admin password=ADMINPASSWORD policies=admin
Explanation
1 - Download adminPolicy.hcl from the relay70 GitHub repository into /tmp.
See: https://developer.hashicorp.com/vault/docs/concepts/policies for more info on policies and HCL
2 - Creates admin policy using the adminPolicy.hcl file.
3 - Enables the userpass authentication type.
There are many other authentication types that Vault can use. We've already seen the token type when we set the VAULT_TOKEN environment variable. Once logged in to the UI go to "Access" and click "Enable New Method" to see the list of access types.
4 - Create user "admin" and assign it the admin policy.
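The four policy and user commands above can also be wrapped in a script that is safe to re-run and that keeps the admin password out of argv and shell history. The block below is an added example, not code from the original post or the relay70 repository. It assumes the vault CLI is on PATH and VAULT_ADDR, VAULT_SKIP_VERIFY and VAULT_TOKEN are exported as in the earlier steps; the policy URL is the one from the post, while POLICY_FILE and the function names are this example's own. It checks that the download actually looks like an HCL policy before writing it, enables userpass only if `vault auth list` does not already show it, and passes the password to `vault write` via stdin (`password=-`).

```shell
#!/bin/sh
# Added example (not part of the original post): create the admin policy and userpass
# user in a way that can be re-run and that never puts the password on a command line.
# Assumptions: vault CLI on PATH; VAULT_ADDR, VAULT_SKIP_VERIFY and VAULT_TOKEN exported.
# POLICY_FILE and the function names are this example's own conventions.

POLICY_URL="https://raw.githubusercontent.com/relay70/vaultInstall/refs/heads/main/configFiles/adminPolicy.hcl"
POLICY_FILE="${POLICY_FILE:-/tmp/adminPolicy.hcl}"

# auth_method_enabled NAME : succeed if "vault auth list -format=json" read on stdin
# contains a "NAME/" mount, e.g. "userpass/": { ... }.
auth_method_enabled() {
    grep -q "\"$1/\"[[:space:]]*:"
}

# policy_file_ok FILE : succeed if FILE is non-empty and contains at least one HCL
# path block (catches an HTML error page saved by wget instead of the policy).
policy_file_ok() {
    [ -s "$1" ] && grep -q '^[[:space:]]*path[[:space:]]*"' "$1"
}

# read_password : prompt twice on the terminal with echo off; print the password once.
read_password() {
    stty -echo
    printf 'Admin password: ' >&2; IFS= read -r p1; printf '\n' >&2
    printf 'Confirm: ' >&2; IFS= read -r p2; printf '\n' >&2
    stty echo
    if [ -z "$p1" ] || [ "$p1" != "$p2" ]; then
        echo "passwords empty or mismatched" >&2
        return 1
    fi
    printf '%s\n' "$p1"
}

# bootstrap_admin : download and validate the policy, write it, enable userpass if needed,
# create the admin user, then remove the local copy of the policy file.
bootstrap_admin() {
    wget -q -O "$POLICY_FILE" "$POLICY_URL" || return 1
    policy_file_ok "$POLICY_FILE" || { echo "downloaded policy does not look like HCL" >&2; return 1; }
    vault policy write admin "$POLICY_FILE" || return 1
    # Enabling an auth method that is already mounted fails, so check the list first.
    if ! vault auth list -format=json | auth_method_enabled userpass; then
        vault auth enable userpass || return 1
    fi
    # "password=-" makes vault read the value from stdin, so it never appears in ps or history.
    read_password | vault write auth/userpass/users/admin password=- policies=admin || return 1
    rm -f "$POLICY_FILE"
}
```

Source the file and run `bootstrap_admin`; afterwards `vault login -method=userpass username=admin` confirms the user exists and lists the admin policy on the resulting token.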