Vagrant and Vault

I was a little surprised why there is no Vagrant plug-in for Vault. Then I thought no matter, because the Vagrantfile is actually a Ruby script. Let me try it. I have to say right away that I’m not a Ruby developer! But here is my solution which has brought me to the goal.

Prerequisite

  • latest Vault installed (0.11.0)
  • latest Vagrant installed (2.1.3)

Prepare project and start Vault

Here my simple vagrant policy (don’t do that in production).

And here is my crazy and fancy Vagrantfile

Configure Vault

Run it

ūüėČ … it just works

Unseal Vault with PGP

In this tutorial I will show an example for unsealing Vault using GPG. We generate for two users the keys and each user will use them to unseal. For the storage we use Consul.

Conditions

Host Preparation

First we need to setup, configure and start Consul and Vault.

Note: Because of the security settings of my provider, spaces are after ‚Äúetc‚ÄĚ. Please delete it after copy/paste.

Do not stop and/or close any terminal sessions!

Your project folder now should look like this:

Client Preparation

As I wrote –¬†we need to simulate two users. Now to the Docker client’s…

Both client’s need similar¬†configuration, so¬†please execute the following steps on both containers.

Your project folder now should look like this:

Initialize and Unseal Vault

On the host we initialize the Vault and share unseal key’s back to the client’s.

Note: Save now all keys and share the correspondending <unseal keys> to the client’s!

Now our client’s can start the unseal of Vault. Even here,¬†please execute the following steps on both containers.

Just for information

We configured both services (Consul and Vault) with WebUI.

Use the “Initial Root Token” to login into Vault’s WebUI.