Creating Secrets in Hashicorp Vault: Two Simple Methods
Chapter 1: Introduction to Creating Secrets
Establishing secrets in Hashicorp Vault is a crucial task following its installation. This process allows you to securely store sensitive information needed by various components within your environment. In this article, we will delve into the methods of creating secrets in Hashicorp Vault, focusing on practical implementation.
In previous discussions, we highlighted the significance of Hashicorp Vault and its installation procedure. If you wish to revisit those insights, they can be found in our earlier articles. At this point, we will assume that your Vault is fully initialized and unsealed, ready to handle requests.
Section 1.1: Utilizing the Hashicorp Vault CLI
To interact with the Vault, we will primarily use the Hashicorp Vault Command Line Interface (CLI). All commands will begin with the prefix vault, which you may recognize from prior articles where we initialized and unsealed the Vault.
The first step is to log into the Vault using the root token provided during initialization. To streamline this process, we'll store the token in an environment variable. All subsequent commands will be executed within the Vault agent server pod, as illustrated in the image below:
Once inside the pod, we can log in with the command:
vault login
The output will resemble the following:
If the token is not supplied beforehand, the console will prompt for it, and the input will be hidden, as depicted in the image below:
After successfully logging in, we can begin entering commands to create secrets in Hashicorp Vault.
Section 1.2: Creating Secrets
To initiate the creation of secrets, we first need to set up a secret path. This path acts as a root directory for all related secrets. Depending on the applications involved, each application can have its own designated path, although the organization may vary based on context. Further elaboration on this topic will be provided in upcoming articles.
To enable a secret path for the creation process, the following command is issued:
vault secrets enable -path=internal kv-v2
This command mounts a secrets engine of type kv-v2 (key-value version 2) at the path "internal", which becomes the root path under which the following secrets are created.
Next, we will create a secret in Hashicorp Vault. Since we are utilizing a key-value store, the syntax reflects this structure:
vault kv put internal/database/config username="db-readonly-username" password="db-secret-password"
This command establishes a child path /database/config under the "internal" path, storing two keys: username with the value db-readonly-username and password with the value db-secret-password.
As demonstrated, creating new secrets under a given path is quite straightforward. To read the stored content back, use the kv get subcommand:
vault kv get internal/database/config
The output will be similar to the example below:
This functionality allows you to interact with your stored content, enabling you to add, update, or retrieve information as needed. With everything set, we can proceed to configure the client side to integrate this data into its lifecycle workflow.
Chapter 2: Leveraging the REST API for Secrets Management
Although the Hashicorp Vault CLI provides a user-friendly way to interact with the vault server, all CLI commands translate into REST API requests made to the server. This allows for direct communication with the server via REST calls. For comprehensive details on the REST API, refer to the official documentation.
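As an added example that is not part of the original article, the following Python code shows the REST requests the two kv commands above translate into: a kv-v2 mount exposes secrets under `/v1/<mount>/data/<path>`, the write body wraps the key-value pairs in a top-level "data" object, and the token travels in the X-Vault-Token header. The request builders and the response parser run offline against a constructed sample response; real requests are only sent when VAULT_ADDR and VAULT_TOKEN are set in the environment.

```python
import json
import os
import urllib.request


def kv2_write_request(addr, token, mount, path, data):
    """Build the POST that 'vault kv put <mount>/<path> k=v ...' sends."""
    url = f"{addr.rstrip('/')}/v1/{mount}/data/{path.strip('/')}"
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    body = json.dumps({"data": data}).encode()  # kv-v2 nests the pairs under "data"
    return "POST", url, headers, body


def kv2_read_request(addr, token, mount, path, version=None):
    """Build the GET that 'vault kv get <mount>/<path>' sends (optionally one version)."""
    url = f"{addr.rstrip('/')}/v1/{mount}/data/{path.strip('/')}"
    if version is not None:
        url += f"?version={version}"
    return "GET", url, {"X-Vault-Token": token}, None


def parse_kv2_read(resp):
    """Return (key-value pairs, version) from a kv-v2 read response body."""
    inner = resp["data"]
    return inner["data"], inner["metadata"]["version"]


def send(method, url, headers, body):
    """Perform the request and decode the JSON reply (needs a reachable Vault)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as r:
        return json.loads(r.read() or b"{}")


# Constructed sample: the shape of a kv-v2 read response for the secret written above.
SAMPLE_READ_RESPONSE = {
    "data": {
        "data": {"username": "db-readonly-username", "password": "db-secret-password"},
        "metadata": {"version": 1, "destroyed": False, "deletion_time": ""},
    }
}

if __name__ == "__main__":
    addr, token = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    if addr and token:
        send(*kv2_write_request(addr, token, "internal", "database/config",
                                {"username": "db-readonly-username",
                                 "password": "db-secret-password"}))
        print(parse_kv2_read(send(*kv2_read_request(addr, token, "internal", "database/config"))))
    else:
        print(parse_kv2_read(SAMPLE_READ_RESPONSE))
```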
The first video titled "How To Setup Hashicorp Vault: Creating And Accessing Secrets" provides a detailed walkthrough on setting up and managing secrets within Hashicorp Vault.
The second video, "Managing Secrets in Code with Hashicorp Vault," explores how to effectively handle secrets in your application code using Hashicorp Vault.