Hashicrop Vault

Pre Requisite

Create a Compute Engine in GCP.
Make sure to take OS of Ubuntu with version 20.4
Assign a service account and add a pub key for the terminal access.

Vault instllation reference URL

https://developer.hashicorp.com/vault/downloads

Post Installation steps

Execute command vault -h to test the installation status.
Start the server with command vault server -dev.
Once vault server start, you will get Unsealed Key and Root token like below.

Unseal Key: VNLLZBbz8XXXXXXXXXXXXXXXXXXXXXXXXXXX
Root Token: hvs.xxxxxxxxxxxxxxxxxxxxxxxxxxx

Export Environment Variables

Execute below commnds.

export VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_TOKEN="hvs.BsbRBk6DSmJwBgBSjvd4ShK4"

Test the server status using vault status command.

Setup GCP Secret Engine

Enable the google cloud secret engine using below command.

vault secrets enable gcp

Run vault secrets list to check if gcp seceret vault has created. O/P looks like below.

$ vault secrets list
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_d25198a5    per-token private secret storage
gcp/          gcp          gcp_219aa2d8          n/a
identity/     identity     identity_d99aadfe     identity store
secret/       kv           kv_d893e4fa           key/value secret storage
sys/          system       system_96ba5c20       system endpoints used for control, policy and debugging

Create a Service Account with required permission. Here I have taken mandetory roles to a create token.

ServiceAccountAdmin
ServiceAccountKeyAdmin
ServiceAccountTokenCreator
Security Admin
Security Reviewer

Create a Service Account key and download the json file and enable below APIs in Google Cloud API services.

iam.googleapis.com
cloudresourcemanager.googleapis.com

Go to the vault server and copy the SA key to ur working directory.
Now configure the secrets engine with account credential using command below.

vault write gcp/config [email protected]

Configure a roleset that generate a OAuth2 Access token.

vault write gcp/roleset/my-token-roleset \
project="crucial-media-360523" \
secret_type="access_token"  \
token_scopes="https://www.googleapis.com/auth/cloud-platform" \
bindings=-<<EOF
resource "//cloudresourcemanager.googleapis.com/projects/crucial-media-360523" {
roles = ["roles/compute.instanceAdmin.v1","roles/iam.serviceAccountUser"]
}
EOF

Execute command below command to read the newly create role set.

vault read gcp/roleset/my-token-roleset

Reference URL - https://developer.hashicorp.com/vault/docs/secrets/gcp

Deploy a Packer image using the role set.

Create a packer file packer-auth.json in Vault server.

{
    "builders": [
        {
            "type": "googlecompute",
            "vault_gcp_oauth_engine": "gcp/token/my-token-roleset",
            "project_id": "crucial-media-360523",
            "source_image": "debian-10-buster-v20200413",
            "network": "default",
            "ssh_username": "packer",
            "zone": "us-central1-a"
        }
    ],
    "provisioners": [
        {
            "type": "shell",
            "inline": ["touch /tmp/gk.log"]
        }
    ]
}

Execute below command to deploy the packer image.

packer build packer-auth.json

rakeshdyx / hashicropvault Goto Github PK

hashicropvault's Introduction

Hashicrop Vault

Pre Requisite

Vault instllation reference URL

Post Installation steps

Export Environment Variables

Setup GCP Secret Engine

Deploy a Packer image using the role set.

hashicropvault's People

Contributors

Watchers

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent