How To Setup Hashicorp Vault: Creating And Accessing Secrets

Captions
Hi, and thanks for joining me. I'm John with Bitsized Tech. Today we're going to go over how to create secrets through the CLI, specifically key-value pairs, as well as creating the secrets through the UI. So we're going to go over just key-value pairs for now; later on we're going to show you how to create other types of secrets, but this one we want to focus on just the key-value pairs. Also we're going to show you how to access those secrets remotely; we're going to use the HTTP API for this. There is also the method of the CLI; we will show the setup process in a different tutorial. But those are the topics that we're going to cover today, so go ahead and join me in the rest of the video.

All right, thanks for joining me in the rest of the video. So we're going to start out by logging back into the Vault server. I've already SSHed into my machine, so we're starting from there. If you either rebooted or you sealed your Vault, you're going to have to go through the unseal process; we're just going to walk through it again. So we're going to start by unsealing: we're going to do vault operator unseal, and again you'll have to put in three tokens, the fun process of unsealing. All right, I'll just do this two more times, and remember it can be any three tokens in any order. And once more. There we go, now Vault is unsealed. We're going to log in; to do that it's just vault login and we'll use our token. Great, we're now authenticated, so I'm going to clear.

So the first thing we want to do is enable our key-value pair as a secret. To do that we do vault secrets and then it's enable kv. Ah, so I've already enabled it; I did this to check it out before I did the tutorial video. So we're going to do a disable so you can see what that looks like. Okay, that path is now disabled, so we'll try that again. This is what it'll look like: it is now enabled. Great.

So what we want to do is put in our first secret. To do that you want to say vault, and then kv is the type of secret that you want to put in, and use the put command, and then we're going to specify the path. So I'm going to put it in the path kv/secret. The reason it's that is this was the path we enabled; this is the path where we want to set that secret. So now we have to tell it what secret we want to set. A practical use case would be if you want to store usernames and passwords, API keys, anything of that nature. So I could say like username=vaultdemo, right, and then I could also specify password=thisisapassword. And what we're doing is we're allowing those to be stored secretly, or safely rather, in order to ensure security. This is the same principle you have every day if you use a password manager like LastPass, 1Password, Dashlane, etc. We're doing the same thing but for infrastructure: we want servers and machines to communicate with each other, but we want to do that securely and store it so that nobody outside of our organization can access it. That's the reason why we're doing this.

So for this demo I'm going to say foo=bar, right, pretty simple. Now say we want to add another secret: hello=world. Great. Let's do vault kv list, and what this is saying is we're going to list all secrets within kv. So we see secret. Great. So I would say vault get kv/secret... nope, oh, I forgot to put kv in front of that. Oh, we see we only have hello world; that's because we overwrote that specific path. Now if you wanted to add a second secret, say if you're writing to that path, if I want to say foo=bar, that's what I do, and then if I do get we have both secrets. So that's something to know: you can designate multiple secrets to one path. This is where it would be useful to have username, password, say IP address, etc.; you can store that all within one path. So you can organize your secrets in any which way that you see fit; it's just a nested method. So that's how it works essentially.

So say we want to return it in JSON. We would say vault kv get -format=json kv/secret, and then I want that to use jq like we did previously, just to see that output. So you can see it's a little bit more readable: this is our request ID, this is how long we have access to it, is it renewable, etc. But this is specifically what we're looking for, so we get both of those in a JSON output as opposed to just a text standard out. So now we want to delete that secret. In this case we would say vault kv delete kv/secret, so we're deleting that whole path. Great. Now it's not going to give you an error if that path doesn't exist, so you need to make sure that you have the correct path when you do it. It's just going to say hey, it's deleted if it's there, so you need to make sure that actually exists. So let's try doing a get again: no secrets found. Great, we know it was deleted.

So before we move into the UI, I'm going to do what I did originally when we had the issue and do vault disable kv... vault secrets disable kv. Misspelled that. There we go. So that helps; just make sure you use secrets, not secret; it does not work if you do that. So we're going to clear, and now we're going to log into our Vault server through the UI. In my case I've got this behind a domain name, so I would just open a browser and paste it in. This is the domain I'm using; we're going to port 8200, and then you just need to add /ui. It's going to take you directly to a sign-in page, so this is where I will enter my token again. And it's still unsealed, so this is something to know: if it's unsealed it will still remain unsealed; we can see that up here in the status that it says unsealed. All right, we're going to log in. Great. So this is where we drop initially: in our secrets. You can see that I have a couple of secrets already enabled; we're going to go ahead and disable those, but this is where you'll see that if you want to enable a new engine you can go here, etc. You'll see access, policies; we briefly looked over that in the last video, but here's your menu.

So what we're going to do this time is enable the engine. We're going to go to KV and hit next. You're going to get a couple of choices. Now this is where you can choose the version, as well as you can change your path. Previously we were using kv; you can set a custom path and still make it a key-value pair. So what I'm going to do is, let's start out with a version two. We're going to say bst/v2 so we know it's a version two. I'm going to say enable engine. Great, that path is now enabled. So I'm now going to create a secret. To create a secret I need to create a path, which I'm going to use secret again, nothing fancy, and then for my key, what is it: this is a v2 secret. Great, we're going to add... oh sorry, we don't need to add, but that's how you do it. Click save. Now we see we have one key-value pair in here.

Now we're going to go through v1 in a second, because this will become apparent while we're doing this: when we go to the API topic there is a slight difference when you deal with it in the API. As far as the UI is concerned, not much of a difference, but as far as the API is concerned there is a difference between the two. So if I go to secrets, enable engine, KV, next, version one. Version one, great. Actually I'm going to rename that to make it easier on us. We're going to keep kv, that's fine; we're going to do the same naming convention we did in the first one. It does not like to swap to v1. bst/v1, great. No secrets. We're going to now create another secret; we'll just do the same thing: secret, what is it, we'll say this is a v1 secret. Great, click save. We can see this is a v1 secret. Awesome. So if we go back, the only difference you'll notice is this right here: the designation. Any new secret created will default to a v2; that's whether you're in the UI or through the CLI, it goes to v2. So we've created a secret through the UI.

Say we want to access these remotely; this is where we're going to go through the API. So let me create a new terminal, and then let me increase the window size for you guys. Maybe not that big; how about there. Great. So in order to access these secrets we're going to use curl; this is how it works for Vault. So we're going to say curl, and you're going to set a header for the Vault token, and it's -H to designate that in curl, and that's X-Vault-Token, and then it's colon space, and this is where I'm going to set that token. This is my admin token. I'm going to close that header out, then we're going to say -X and say GET. Now in order to get that secret we're going to put in https, because that's what we set our Vault up to do, vault.bitsized.tech, and we'll say 8200. Every single Vault is going to use this sort of path: it's your Vault domain (it could also be an IP address), your port, and then v1 is the start of every call regardless of whether it's a v1 or v2 secret; that's just the API version. So it's a little confusing. But we're going to start by grabbing that v1, so bst/v1, that was our path, and we'll say secret, and then we're going to pipe that to jq again just to make it a little bit easier to read. There is no... oh, I did that wrong, there's a slash in there. Hey, that worked this time. So we can see we got back data: what is it, this is a v1 secret, right.

Now let's try it for the v2 secret. Huh, invalid path. That's because there's an additional path you have to add in to grab that: it's /data. So this exists after your normal path, before your actual secret path; you have to put in that /data. This will also become more relevant later when we go over policies: you'll need to know that when you're setting custom policies to access v2 secrets. It's about that nested property that you'll need to know. So we'll do it again. Hey, this is a v2 secret. As you can see it's in that data path with another data path. In v1 this exists, as we saw up here, right here, yep, it's just implicit in that request. Down here there's a secondary data path. I don't know why this is; I couldn't answer that. That's something HashiCorp would have to give you the answer on, but it's just something you need to know if you're using the API or going through policies: there's a second layer there. Great.

Now let's say we want to create... or actually let's do this. You can also not use the X-Vault-Token as your header; most APIs will use an Authorization header. So what you would say is Authorization (sorry, just checking my spelling, I'm terrible at it sometimes), token... or no, Bearer. So we'd say Bearer and then we'd have the token. That also works. Yeah, that also worked. So instead of saying this one here, which is a custom Vault token, we would actually use a standard sort of method. A lot of them use Authorization headers for APIs, and it will either be Bearer or Token, something along those lines, API key; this is a standard practice in most. This is just Vault saying you can also use their specific one if you didn't want to state an Authorization header.

So now that we've tried that out, let's try and create a secret through the API. To do that we're going to create a JSON file, so sudo nano and we'll say payload (helps if I spell that correctly) .json. Great. And then I've got an example one that I've included, so we'll copy this over. So JSON format, right: we're saying data and then these are our keys that we're putting in there. So we're going to quit that, save it, and then now we're going to actually write that. It's going to be very similar to our other one; we'll just use this as a template. So instead of -X GET we'll do -X POST. You can also use PUT; I'm using POST, but PUT and POST are very similar. So we're going to do it to, let's do it to the v1. Delete that out, and then we're going to state --data and we're going to say @payload.json. Great, it gives you that. Now let's try getting that; just delete that out of there and we'll change back from POST to GET. Great, as you can see we wrote over our previous data; it is now bim bam, foo bar and zip zap. So that's how you create it, that's how you get it, that's how you add information. You can use the POST if that doesn't exist; as long as that path is one you can write to with your token, you can also do that as well.

Now let's say we just want to straight delete it. Instead of a GET we will say DELETE. So let's just delete the whole thing, so we don't need that v1, we don't need a secret... there's no handler. Oh, I do need the v1. Great. Try getting again: oh, it'll give you an error that doesn't exist. Great. So we can also go through the UI and check: yep, that secret's gone. So this is just an intro into creating secrets, writing secrets, getting secrets, you know, updating them through the API, doing a little bit of that introduction. So that's all we're going to cover in this section. We will do some other sections specifically about enabling auth methods, enabling access policies, creating ways to assume a role in AWS; there's a lot of things that Vault can do, so we're going to go over those piece by piece. Right now we were just working with key-value pairs; we're also going to look at PKI certificates, SSH, TOTP (this is specifically used for SSH, it's really cool; you can also just set up temporary passwords for other things), right, Vault can generate those secrets for you. You can also access cloud things, so we're going to go through all that. Thanks again for joining me, I'll see you in the next video. Have a good one, have fun with all you...
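The v1-versus-v2 path difference, the two header styles and the write payload shape covered in the video, as an added example that is not part of the original video or Bitsized Tech's code: a small Python helper that builds the Vault KV API path, headers and request body, and unwraps the extra data layer in KV v2 read responses. The mount names, token value and sample responses are constructed for illustration.

```python
import json
import urllib.request


def kv_api_path(mount, version, secret_path):
    """API path for a KV secret. Every call starts with /v1 (the API version);
    a KV v2 engine additionally needs /data/ between the mount and the secret path."""
    mount, secret_path = mount.strip("/"), secret_path.strip("/")
    if version == 2:
        return f"/v1/{mount}/data/{secret_path}"
    return f"/v1/{mount}/{secret_path}"


def auth_headers(token, style="vault"):
    """Vault accepts its own X-Vault-Token header or a standard Authorization: Bearer header."""
    if style == "bearer":
        return {"Authorization": f"Bearer {token}"}
    return {"X-Vault-Token": token}


def write_body(version, secrets):
    """KV v2 expects the keys wrapped in a 'data' object; KV v1 takes them flat."""
    return {"data": dict(secrets)} if version == 2 else dict(secrets)


def extract_secret(response, version):
    """Unwrap a read response: v2 nests the keys one level deeper (data.data) than v1 (data)."""
    body = json.loads(response) if isinstance(response, str) else response
    return body["data"]["data"] if version == 2 else body["data"]


def kv_request(addr, token, method, mount, version, secret_path, secrets=None, style="vault"):
    """Send one KV request (GET/POST/DELETE) to a live Vault; needs network, so not run offline."""
    url = addr.rstrip("/") + kv_api_path(mount, version, secret_path)
    body = json.dumps(write_body(version, secrets)).encode() if secrets else None
    headers = {"Content-Type": "application/json", **auth_headers(token, style)}
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp) if resp.status != 204 else None  # DELETE returns no body


# Constructed sample responses in the shape Vault returns (request ids are made up).
V1_RESPONSE = '{"request_id": "r1", "data": {"what is it": "this is a v1 secret"}}'
V2_RESPONSE = ('{"request_id": "r2", "data": {"data": {"what is it": "this is a v2 secret"},'
               ' "metadata": {"version": 1}}}')

if __name__ == "__main__":
    print(kv_api_path("bst/v1", 1, "secret"), extract_secret(V1_RESPONSE, 1))
    print(kv_api_path("bst/v2", 2, "secret"), extract_secret(V2_RESPONSE, 2))
    print(auth_headers("PLACEHOLDER_TOKEN", "bearer"), write_body(2, {"foo": "bar"}))
```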
Info
Channel: bitsized tech
Views: 1,767
Rating: 5 out of 5
Keywords: hashicorp, vault, hashicorp vault, linux, secrets, secret management, accessing secrets, api, vault api, tech, tutorial, devops, sre, backend, computers, cli, vault cli, hashicorp vault cli, consul, development stack, hcl, terraform, nomad, secret manager, technology, saas, security, IT, cloud, packer, Vault, HashiCorp Vault, HashiCorp, secrets management, Dynamic Secrets, Data Encryption, IT security
Id: LEpk376fc-U
Length: 20min 44sec (1244 seconds)
Published: Wed Mar 03 2021