Secrets management using the open source tool HashiCorp Vault


Exploring HashiCorp Vault's Key Features

Step 1: Install and Set Up HashiCorp Vault

  1. Download Vault:

    • Use the official HashiCorp website or your package manager (Debian/Ubuntu shown):

      curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
      sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
      sudo apt-get update && sudo apt-get install vault

  2. Start Vault:

    • Start Vault in development mode (not recommended for production: the dev server keeps its data in memory and starts already initialized and unsealed, so Step 2 applies to a non-dev server):

      vault server -dev

Step 2: Initialize and Unseal Vault

  1. Initialize Vault:

      vault operator init

    • This generates unseal keys and a root token.

    • Save these securely as they are needed to operate the Vault.

  2. Unseal Vault:

    • Use unseal keys (provided during initialization) to unseal Vault; repeat the command with a different key until the threshold chosen at initialization is reached:

      vault operator unseal <unseal_key>

Step 3: Authenticate with Vault

  1. Login using the Root Token:

    • Use the root token generated during initialization.

      vault login <root_token>

Step 4: Enable a Secrets Engine

  • Vault uses secrets engines to manage secrets. Enable the KV (Key-Value) secrets engine, mounted at the path kv, for storing secrets:

      vault secrets enable -path=kv kv

Step 5: Store a Secret

  1. Store a Secret:

      vault kv put kv/my-app username=admin password=securepassword123

  2. Verify Stored Secrets:

      vault kv get kv/my-app

Step 6: Retrieve a Secret

  • Applications can use the CLI or APIs to retrieve secrets, for example a single field:

      vault kv get -field=password kv/my-app

Step 7: Configure Policies for Access Control

  1. Define a Policy:

    • Create a policy to restrict access to certain secrets and save it as policy.hcl:

      path "kv/my-app" {
          capabilities = ["read", "list"]
      }

  2. Apply the Policy:

      vault policy write my-app-policy policy.hcl

Step 8: Integrate Vault with Applications

  • Use Vault's APIs or libraries to fetch secrets dynamically at runtime without hardcoding them.

  • Example API Call:

      curl --header "X-Vault-Token: <token>" \
           --request GET \
           http://127.0.0.1:8200/v1/kv/my-app

Step 9: Enable Secret Rotation

  1. Set Up Dynamic Secrets:

    • Use Vault to generate dynamic credentials for databases.

      vault secrets enable database

  2. Configure Database Secrets:

      vault write database/config/my-database \
          plugin_name=mysql-database-plugin \
          connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \
          allowed_roles="my-role" \
          username="root" \
          password="rootpassword"

  3. Create a Role for Dynamic Secrets:

      vault write database/roles/my-role \
          db_name=my-database \
          creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';" \
          default_ttl="1h" \
          max_ttl="24h"

Step 10: Audit and Monitor Secrets

  • Enable auditing to log all access to secrets (the file audit device writes one JSON object per line):

      vault audit enable file file_path=/var/log/vault_audit.log
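As an added example that is not part of this tutorial, a small Python checker for the JSON-lines log that the file audit device produces: it flags root-token operations on the kv/ mount and permission-denied responses, two things worth alerting on once Step 7's policies are in place. The sample lines are constructed to mirror the audit format (field names assumed from Vault's audit device output; secret values and HMACs are omitted).

```python
# Scan a Vault file-audit log (JSON lines) for events a defender should review.
import json
import sys

# Constructed sample lines shaped like Vault's audit device output (abridged).
# Secret values are omitted; Vault itself logs them only as HMACs.
SAMPLE_AUDIT_LOG = """\
{"time":"2024-01-01T10:00:00Z","type":"response","auth":{"display_name":"token","policies":["root"]},"request":{"operation":"read","path":"kv/my-app","remote_address":"127.0.0.1"},"error":""}
{"time":"2024-01-01T10:01:00Z","type":"response","auth":{"display_name":"app-ci","policies":["default","my-app-policy"]},"request":{"operation":"read","path":"kv/my-app","remote_address":"10.0.0.5"},"error":""}
{"time":"2024-01-01T10:02:00Z","type":"response","auth":{"display_name":"app-ci","policies":["default","my-app-policy"]},"request":{"operation":"update","path":"kv/my-app","remote_address":"10.0.0.5"},"error":"1 error occurred:\\n\\t* permission denied\\n\\n"}
{"time":"2024-01-01T10:03:00Z","type":"request","auth":{"display_name":"app-ci","policies":["default","my-app-policy"]},"request":{"operation":"read","path":"kv/my-app","remote_address":"10.0.0.5"},"error":""}
"""


def parse_audit_lines(text):
    """Decode one JSON event per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def audit_findings(text, secret_prefix="kv/"):
    """Return (severity, message) pairs for root-token use on secrets and permission denials."""
    findings = []
    for ev in parse_audit_lines(text):
        # Each request is logged twice; only the "response" entry carries the error field.
        if ev.get("type") != "response":
            continue
        auth = ev.get("auth") or {}
        req = ev.get("request") or {}
        path, op = req.get("path", ""), req.get("operation", "?")
        who, src = auth.get("display_name", "?"), req.get("remote_address", "?")
        if "root" in auth.get("policies", []) and path.startswith(secret_prefix):
            findings.append(("high", f"{ev.get('time')} root token {op} on {path} from {src}"))
        if "permission denied" in (ev.get("error") or ""):
            findings.append(("medium", f"{ev.get('time')} {who} denied {op} on {path} from {src}"))
    return findings


if __name__ == "__main__":
    # Pass the audit log path (e.g. /var/log/vault_audit.log); the sample is used otherwise.
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for severity, message in audit_findings(log_text):
        print(f"[{severity}] {message}")
```

Run it against the real log from Step 10 to see which tokens touch kv/ paths and which callers are being denied; both are signals that a policy is too broad or a client is misconfigured.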