HashiCorp released Vault version 0.10.x in April 2018. The 0.10.x release delivers many new features and changes (e.g. K/V Secrets Engine v2, Vault Web UI, etc.). Please have a look at vault/CHANGELOG for more information. This short tutorial concentrates on using Vault's Key-Value Secrets Engine via the CLI.
Preparation
# download version 0.10.3
# (-k skips TLS certificate verification; drop it unless you know why you need it)
$ curl -C - -k https://releases.hashicorp.com/vault/0.10.3/vault_0.10.3_darwin_amd64.zip -o ~/Downloads/vault.zip

# unzip and delete archive
$ unzip ~/Downloads/vault.zip -d ~/Downloads/ && rm ~/Downloads/vault.zip

# change access permissions and move binary into a directory on your PATH
$ chmod u+x ~/Downloads/vault && sudo mv ~/Downloads/vault /usr/local/bin/
Start Vault server in development mode
# start in simple development mode
$ vault server -dev
Do not stop the process; open a new terminal tab ([COMMAND] + [T]) instead.
# set environment variable
$ export VAULT_ADDR='http://127.0.0.1:8200'

# check vault status
$ vault status
Create, Read, Update and Delete secrets
# create secret (version: 1)
$ vault kv put secret/demosecret name=demo value=secret

# list secrets (optional)
$ vault kv list secret

# read secret
$ vault kv get secret/demosecret

# read secret (JSON)
$ vault kv get --format json secret/demosecret

# update secret (version: 2)
$ vault kv put secret/demosecret name=Demo value=secret foo=bar

# read secret (latest version)
$ vault kv get secret/demosecret

# read secret (specific version)
$ vault kv get --version 1 secret/demosecret

# read secret (specific field)
$ vault kv get --field=name secret/demosecret

# delete secret (latest version; a soft delete that can be reverted with kv undelete)
$ vault kv delete secret/demosecret

# show metadata
$ vault kv metadata get secret/demosecret
As you can see, there are minor changes compared to previous versions of Vault.
Note: the HTTP API for the KV secrets engine has changed as well.
# read (KV version 1 engine)
$ curl -H "X-Vault-Token: ..." http://127.0.0.1:8200/v1/secret/demosecret

# read (KV version 2 engine; note the additional "data/" path segment)
# the dev server listens on plain HTTP, see VAULT_ADDR above
$ curl -H "X-Vault-Token: ..." http://127.0.0.1:8200/v1/secret/data/demosecret
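The path change above also affects request bodies and response shapes. The following added example (not code from the tutorial or from HashiCorp) builds KV v2 requests for the operations used in this tutorial and parses a v2 read response, including a destroyed version, which comes back with data null and destroyed true. It assumes the engine is mounted at secret and uses the dev-server address from above; the sample responses are constructed.

```python
import json

VAULT_ADDR = "http://127.0.0.1:8200"  # dev-server address used in this tutorial

def kv2_request(op, path, mount="secret", version=None, data=None, versions=None, token="..."):
    """Return (method, url, headers, body) for a KV v2 operation.
    KV v1 used /v1/<mount>/<path>; v2 inserts data/, metadata/ or destroy/."""
    prefix = {"read": "data", "write": "data", "metadata": "metadata", "destroy": "destroy"}[op]
    url = f"{VAULT_ADDR}/v1/{mount}/{prefix}/{path}"
    headers = {"X-Vault-Token": token}
    body = None
    if op == "read":
        method = "GET"
        if version is not None:          # specific version, like `vault kv get --version N`
            url += f"?version={version}"
    elif op == "write":
        method = "POST"
        body = {"data": data}            # v2 wraps the key/value pairs in a "data" object
    elif op == "metadata":
        method = "GET"
    else:                                # destroy, like `vault kv destroy --versions N`
        method = "POST"
        body = {"versions": list(versions)}
    return method, url, headers, body

def parse_kv2_read(response):
    """Return (fields, version, destroyed) from a KV v2 read response.
    A destroyed or deleted version carries "data": null, so check the metadata."""
    data = response["data"]
    meta = data["metadata"]
    return data["data"], meta["version"], meta["destroyed"]

# Constructed sample: response to GET /v1/secret/data/demosecret?version=2
SAMPLE_READ = json.loads('''{"data": {
  "data": {"name": "Demo", "value": "secret", "foo": "bar"},
  "metadata": {"created_time": "2018-06-01T10:00:00Z", "deletion_time": "",
               "destroyed": false, "version": 2}}}''')

# Constructed sample: the same read after `vault kv destroy --versions 2`
SAMPLE_DESTROYED = json.loads('''{"data": {
  "data": null,
  "metadata": {"created_time": "2018-06-01T10:00:00Z", "deletion_time": "",
               "destroyed": true, "version": 2}}}''')

if __name__ == "__main__":
    print(kv2_request("write", "demosecret2", data={"name": "last secret"}))
    print(parse_kv2_read(SAMPLE_READ))
    print(parse_kv2_read(SAMPLE_DESTROYED))
```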
Okay, back to the CLI and some examples that are better suited to automation. We will use STDIN and a simple JSON file.
# create secret (version: 1), reading the value from STDIN
$ echo -n "my secret" | vault kv put secret/demosecret2 name=-

# list secrets (optional)
$ vault kv list secret

# update secret (version: 2), reading the whole JSON document from STDIN
$ echo -n '{"name": "other secret"}' | vault kv put secret/demosecret2 -

# create JSON file
$ echo -n '{"name": "last secret"}' > ~/Desktop/demo.json

# update secret (version: 3) from the JSON file
$ vault kv put secret/demosecret2 @$HOME/Desktop/demo.json

# read secrets (different versions)
$ vault kv get --version 1 secret/demosecret2
$ vault kv get --version 2 secret/demosecret2
$ vault kv get --version 3 secret/demosecret2

# destroy version 3 permanently (unlike kv delete, this cannot be undone)
$ vault kv destroy --versions 3 secret/demosecret2

# show metadata
$ vault kv metadata get secret/demosecret2
Web UI
Previously the Web UI was available in Vault Enterprise only; now it has been made open source.
# open URL in browser
$ open http://localhost:8200/
Now you can sign in with the root token that the dev server printed when it started.