# Hashicorp Vault

## What is Vault?

* Vault is a tool from HashiCorp for storing secrets (user/password pairs, API keys, certificates, encryption keys, etc.) and managing their lifecycle.

## Installation

```bash
brew install vault
```

## Vault Cheat Sheet

### Vault Configuration Commands

```bash
# View the Vault server configuration (lives on the server where Vault runs; the path may differ)
cat /etc/vault.d/vault.hcl

# Validate/troubleshoot a configuration file. Point it at your configuration file path
vault operator diagnose -config=/etc/vault.d/vault.hcl

# Initialize Vault for the first time (modify as needed). The root key is split into
# 3 Shamir shares, any 2 of which are needed to unseal; give each share to a different custodian
vault operator init \
  -key-shares=3 \
  -key-threshold=2
```

### Vault Operations

```bash
# Get help
vault --help # (-h)
vault <command> --help # (-h)

# Get vault version
vault version

# View vault status (initialized, sealed/unsealed)
vault status

# Unseal vault (auto-unseal via e.g. AWS KMS is an alternative). Repeat once per key share
# until the threshold is reached
vault operator unseal # hit enter, then paste one key share at the hidden prompt:
# Unseal Key (will be hidden):

# Login to Vault with a token (omit the argument to be prompted instead, which keeps the token out of shell history)
vault login hvs.7j0Pi7dUJNE5GV3Z77HyCCBS

# Restart Vault
sudo systemctl restart vault
```

### Vault Dev Mode

```bash
# Start Vault in Dev mode (testing only, not for production: in-memory storage, starts unsealed)
vault server -dev
	# interact with vault in another terminal tab / window
	# hit Ctrl+C to end the vault session

# Or start vault in the background and interact in the same terminal tab
vault server -dev &

# stop vault by finding the pid (plain kill sends SIGTERM for a clean shutdown; use -9 only if that hangs)
ps -ef | grep '[v]ault server -dev'
kill <PID>
```

### Vault Secrets

```bash
# Enable a KV secrets engine at the path "home/" (plain "kv" is version 1; use -version=2 or kv-v2 for versioned secrets)
vault secrets enable -path=home/ kv # kv-v2

# Write a secret at the path home/tyler/vault-token. Syntax is key=value (here the key is "Initial Root Token:")
vault kv put home/tyler/vault-token "Initial Root Token:"=hvs.35fzQIN0BstyJxCj46W0ajiy

# Retrieve a secret
vault kv get home/tyler/vault-token
```

### Vault Auth Methods

```bash
# Enable the aws auth method (mounted at auth/aws/)
vault auth enable aws

# Provide a custom path and description for the aws auth method
vault auth enable -path=tylers-aws-path -description=aws-creds aws
	# vault auth list (to see these details)

# Disable auth method
vault auth disable aws

# List auth methods
vault auth list

# Tune the token auth method so tokens it issues live at most 1 hour (3600 seconds)
vault auth tune -max-lease-ttl=3600 token/
	# Success! Tuned the auth method at: token/
```

### Vault Policies

```bash
# List policies
vault policy list

# Read a policy
vault policy read <policy name>

# Write (upload) a policy from an HCL file
vault policy write <policy name> <path to policy file>

# Test a policy by creating a token bound to it and logging in with that token
vault token create -policy=<policy name>
```

### Vault Tokens

```bash
# List the accessors of all tokens in vault (an accessor references a token without revealing it)
vault list auth/token/accessors

# Create a new token. It inherits the caller's policies, so run with the root token this yields another root token
vault token create

# View properties of a token
vault token lookup -accessor <accessor> # run: vault list auth/token/accessors to get <accessor>

# Revoke a token
vault token revoke <root token> # the CLI caches your login token in ~/.vault-token
vault token revoke -accessor <accessor> # run: vault list auth/token/accessors to get <accessor>
```
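The policy and token commands above are easiest to understand run together: write a least-privilege policy, mint a short-lived token bound to it, prove it can read but not write, then revoke it by accessor. The script below is an added example (not from the original cheat sheet) that does exactly that against a throwaway `vault server -dev`, reusing the dev-mode start/stop pattern from earlier. It assumes the `vault` binary is on PATH and port 8200 is free; the policy name `tyler-read-only`, the kv v1 mount at `home/`, and the secret value are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not part of the original cheat sheet. Exercises the policy and
# token commands end to end against a throwaway `vault server -dev`.
# Assumes: vault is on PATH, port 8200 is free; policy name, secret path and
# secret value are constructed for this demo only.
set -eu

POLICY_NAME="tyler-read-only"
SECRET_PATH="home/tyler/vault-token"   # kv v1 mount, as enabled on the page

# Render a least-privilege policy: read/list on one prefix and nothing else.
# Vault denies anything a policy does not grant, so no explicit deny is needed.
# (On a kv v2 mount the data lives under home/data/tyler/*, so the path changes.)
write_policy_file() {
  cat > "$1" <<'EOF'
path "home/tyler/*" {
  capabilities = ["read", "list"]
}
EOF
}

# Start a dev server in the background and wait until `vault status` succeeds.
start_dev_vault() {
  vault server -dev -dev-root-token-id="dev-root" >/tmp/vault-dev.log 2>&1 &
  VAULT_PID=$!
  export VAULT_ADDR="http://127.0.0.1:8200" VAULT_TOKEN="dev-root"
  for _ in $(seq 1 30); do
    vault status >/dev/null 2>&1 && return 0
    sleep 0.5
  done
  echo "vault did not become ready, see /tmp/vault-dev.log" >&2
  return 1
}

# SIGTERM lets Vault shut down cleanly; kill -9 is only a last resort.
stop_dev_vault() { kill "${VAULT_PID:-}" 2>/dev/null || true; }

demo() {
  policy_file=$(mktemp)
  write_policy_file "$policy_file"

  vault secrets enable -path=home/ kv
  vault kv put "$SECRET_PATH" token="constructed-placeholder-value" >/dev/null

  vault policy write "$POLICY_NAME" "$policy_file"
  # A scoped, short-lived token is what an application should hold. Keep the
  # accessor so the token can be looked up and revoked without holding its value.
  scoped=$(vault token create -policy="$POLICY_NAME" -ttl=1h -field=token)
  accessor=$(VAULT_TOKEN="$scoped" vault token lookup -field=accessor)

  # Granted by the policy: reading the path.
  VAULT_TOKEN="$scoped" vault kv get "$SECRET_PATH" >/dev/null
  # Not granted: writing. A successful write means the policy is too broad.
  if VAULT_TOKEN="$scoped" vault kv put "$SECRET_PATH" token="overwrite" >/dev/null 2>&1; then
    echo "FAIL: scoped token was able to write" >&2
    return 1
  fi
  # Revoke through the accessor, then confirm the token no longer works.
  vault token revoke -accessor "$accessor" >/dev/null
  if VAULT_TOKEN="$scoped" vault token lookup >/dev/null 2>&1; then
    echo "FAIL: token still valid after revocation" >&2
    return 1
  fi
  echo "OK: read allowed, write denied, token revoked via accessor $accessor"
}

# The live demo runs only when requested, e.g. RUN_VAULT_DEMO=1 ./vault-policy-demo.sh
if [ "${RUN_VAULT_DEMO:-0}" = "1" ]; then
  start_dev_vault
  trap stop_dev_vault EXIT
  demo
fi
```

The write check is the part worth keeping in a real pipeline: a policy that silently grants more than intended is the usual way a "read-only" service account ends up able to overwrite secrets, and the denied `kv put` catches that before the token is handed out.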

## Useful Resources

{% embed url="<https://developer.hashicorp.com/vault/docs?ajs_aid=586eda66-7639-4a15-a4d6-0eb4d56a0f80&product_intent=vault>" %}

