# Hashicorp Vault

## Setting up Hashicorp Vault

### Installation
Install Vault via package manager after adding the repository.
Source: HCP Vault install guide.
Installation for Debian-based systems:

```bash
# Fetch HashiCorp's signing key into a dedicated keyring, then register the
# repository so that only packages signed with that key are accepted from it
wget -O - https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs 2>/dev/null) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update
sudo apt install -y vault
```
Installation for RedHat-based systems (RHEL, Rocky, Alma):

```bash
# dnf (the "addrepo --from-repofile" form is dnf5 syntax; older dnf4 uses
# "config-manager --add-repo <url>" like the yum variant below)
sudo dnf install -y dnf-plugins-core
sudo dnf config-manager addrepo --from-repofile=https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
sudo dnf install -y vault

# yum
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
sudo yum -y install vault
```
### KC Lab (notes)
Start the Hashicorp Vault server in dev mode:
Output:

```text
You may need to set the following environment variables:

    $ export VAULT_ADDR='http://127.0.0.1:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: REDACTED
Root Token: hvs.REDACTED
```
Export the Vault address and the root token as environment variables.

Verify that the KV secrets engine version 2 is enabled on the `secret/` mount:
Add a secret to Hashicorp Vault:
Output:

```text
===== Secret Path =====
secret/data/app1/values

======= Metadata =======
Key                Value
---                -----
created_time       2025-05-17T00:37:40.89642633Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1
```

- Note this Secret Path: it is the KV v2 API path (`secret/data/app1/values`), which is what the HTTP API expects, while the CLI addresses the same secret as `secret/app1/values`.
Verify the values were set:
Enable the userpass auth method so Vault accepts usernames and passwords:

Create a user for Hashicorp Vault.

Create a policy for the `secret/app1/values` secret (policies are written in HCL):

```bash
cat > /root/ansible-policy.hcl <<-EOF
# Write and manage secrets in key-value secrets engine
path "secret*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch" ]
}
EOF
```

Note that this policy is much broader than "read one secret": `secret*` is a glob that matches every path under the mount, and the capability list allows writing and deleting as well as reading. If the Ansible user only needs to read that one secret, restrict the path to `secret/data/app1/values` with `capabilities = ["read"]`.

Write the policy into Vault:

Map the policy to the user `ansible`:

Verify the mapping of the policy.
## Using Ansible to Access Vault Secrets

```yaml
---
- name: Read variables
  hosts: localhost
  gather_facts: true
  become: false
  # username and password are supplied as extra vars (-e) or from a vars file
  tasks:
    # Hit the Vault API: log in with the userpass auth method
    - name: test my connection to vault for credentials
      uri:
        url: "http://127.0.0.1:8200/v1/auth/userpass/login/{{ username }}"
        return_content: true
        method: POST
        body_format: json
        body:
          password: "{{ password }}"
      register: user_connect

    # Check the values (the response includes auth.client_token, so this
    # prints a valid Vault token into the job output)
    - name: Debug user_connect
      debug:
        var: user_connect
```
Run with extra vars:
## Adding the Extra Vars to Ansible Vault

Create a vault file:

- You will be prompted to create a password for your vault.

The vault.yaml file is just a vars file.

We can load this vars file from the play with `vars_files`:

```yaml
- name: Read variables
  hosts: localhost
  vars_files:
    - /root/vault.yaml
  # ....The rest of the playbook
```

Then we need to unlock (decrypt) this file when calling the playbook:
## Displaying the Hashicorp Vault Secrets

If we want, we can add a couple of tasks to debug the variables containing the
secrets that we retrieved from Hashicorp Vault. Keep in mind that anything printed
by `debug` ends up in the job output and in any log that captures it, so only
print the password while troubleshooting.

```yaml
    - name: Show the individual username
      debug:
        var: secret_creds.json.data.data.username

    - name: Show the individual password
      debug:
        var: secret_creds.json.data.data.password
```
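The login task above and the `secret_creds` variable used by these debug tasks are the two halves of one flow: authenticate with userpass, then read the KV v2 path with the returned client token. The following playbook is an added example that is not part of the original notes; it assumes the `VAULT_ADDR`, mount name `secret` and path `app1/values` from this page, and it suppresses logging of the token and secret responses.

```yaml
---
- name: Fetch app1 credentials from Vault via userpass login
  hosts: localhost
  gather_facts: false
  vars:
    # falls back to the dev-server address used earlier on this page
    vault_addr: "{{ lookup('env', 'VAULT_ADDR') | default('http://127.0.0.1:8200', true) }}"
    vault_mount: secret             # KV v2 mount created by the dev server
    vault_secret_path: app1/values  # secret written earlier in these notes
  tasks:
    # username and password come from -e extra vars or the ansible-vault file
    - name: Log in to Vault with the userpass auth method
      uri:
        url: "{{ vault_addr }}/v1/auth/userpass/login/{{ username }}"
        method: POST
        body_format: json
        body:
          password: "{{ password }}"
        return_content: true
      register: user_connect
      no_log: true   # response carries auth.client_token; keep it out of logs

    # KV v2 reads go through the .../data/... path, as shown in the put output
    - name: Read the KV v2 secret with the short-lived client token
      uri:
        url: "{{ vault_addr }}/v1/{{ vault_mount }}/data/{{ vault_secret_path }}"
        method: GET
        headers:
          X-Vault-Token: "{{ user_connect.json.auth.client_token }}"
        return_content: true
      register: secret_creds
      no_log: true   # the secret material itself stays out of the job output

    # Only the username is printed; the password is used by later tasks directly
    - name: Show the individual username
      debug:
        var: secret_creds.json.data.data.username
```

Run it with `ansible-playbook read_vault.yml -e username=ansible --ask-vault-pass` when the password is kept in the encrypted vault.yaml loaded via `vars_files`.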
Set the `ansible` user for both prod and dev servers.

- Prod servers will have one `ansible` user, dev servers will have another.
- These two user accounts will have different credentials.