Categories
DevOps

How to install Vault agent

Install and configure HashiCorp Vault agent.

Install Consul application

Create consul cluster, configure encryption and access control lists.

Create and configure vault application.

Create a secret

Login into the vault.

$ vault login
Token (will be hidden): 
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                hvs.BKpRwvIYboA6C9QrY5V7OnxA
token_accessor       Ie2zOw7FxgyNhx4KJopUpDTo
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Enable key-value storage.

$ vault secrets enable -version=2 kv
Success! Enabled the kv secrets engine at: kv/

Create sample secret.

$ vault kv put kv/agent/secret username=joe password=secret
==== Secret Path ====
kv/data/agent/secret

======= Metadata =======
Key                Value
---                -----
created_time       2022-07-20T22:34:15.209828875Z
custom_metadata    
deletion_time      n/a
destroyed          false
version            1

Create access policy

Create sample policy.

$ cat << EOF | tee  agent.policy
path "kv/data/agent/*" {capabilities = ["read"]}
EOF
path "kv/data/agent/*" {capabilities = ["read"]}

Format a policy file.

$ vault policy fmt agent.policy 
Success! Formatted policy: agent.policy

Display properly formatted file.

$ cat agent.policy 
path "kv/data/agent/*" {
  capabilities = ["read"]
}

Upload policy.

$ vault policy write agent agent.policy 
Success! Uploaded policy: agent

Configure AppRole auth method

Enable approle auth.

$ vault auth enable approle
Success! Enabled approle auth method at: approle/

Define role using role created earlier.

$ vault write auth/approle/role/agent  policies="agent"
Success! Data written to: auth/approle/role/agent

Get role id.

$ vault read auth/approle/role/agent/role-id
Key        Value
---        -----
role_id    0201b61d-c602-bdf9-94e5-6ce7ecd736a7

Display role definition.

$ vault read auth/approle/role/agent
Key                        Value
---                        -----
bind_secret_id             true
local_secret_ids           false
policies                   [agent]
secret_id_bound_cidrs      
secret_id_num_uses         0
secret_id_ttl              0s
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [agent]
token_ttl                  0s
token_type                 default

Create empty secret.

$ vault write -force auth/approle/role/agent/secret-id
Key                   Value
---                   -----
secret_id             af93c5e5-c143-6196-de96-36f9516da065
secret_id_accessor    f0c2baf7-75b1-6796-5660-127c62c7eced
secret_id_ttl         0s

Configure login endpoint using role id and secret id.

$ vault write auth/approle/login \
    role_id=0201b61d-c602-bdf9-94e5-6ce7ecd736a7 \
    secret_id=af93c5e5-c143-6196-de96-36f9516da065
Key                     Value
---                     -----
token                   hvs.CAESIE7sv6PZJJCIoFnb7a47Ahe7KMH32pnJKJev1DypQyb5Gh4KHGh2cy5FaHU5dTBPcG9YTGdndnRQeUxQOWF0Nmo
token_accessor          QYmDVCWZInYBU39CdYrV0wdr
token_duration          768h
token_renewable         true
token_policies          ["agent" "default"]
identity_policies       []
policies                ["agent" "default"]
token_meta_role_name    agent

Test AppRole auth

$ curl -XPOST -d '{"role_id":"0201b61d-c602-bdf9-94e5-6ce7ecd736a7 ","secret_id":"af93c5e5-c143-6196-de96-36f9516da065"}' https://172.16.148.3:8200/v1/auth/approle/login
{"request_id":"375cf92d-07de-8e09-aca9-8d3f46f6e585","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":null,"auth":{"client_token":"hvs.CAESINx5-iP0A7_W4BPoZQL1PzrFxD889kg8_sSunukCF3epGh4KHGh2cy5VTWZUVnF4MGowb0c2c2JqT2JXczh2N3Y","accessor":"1b2ibQVKMTAv073VfLAqoxKK","policies":["agent","default"],"token_policies":["agent","default"],"metadata":{"role_name":"agent"},"lease_duration":2764800,"renewable":true,"entity_id":"420d17e2-f0d6-96a0-a0c2-ec7e693e3fe2","token_type":"service","orphan":true,"mfa_requirement":null,"num_uses":0}}

Install Vault application

curl and unzip should be already installed during Consul agent install process.

Visit downloads page and download linux binary.

$ curl --silent \
       --remote-name \
       --output-dir /tmp \
       https://releases.hashicorp.com/vault/1.11.0/vault_1.11.0_linux_amd64.zip

Move archive to persistent location.

$ sudo mv /tmp/vault_1.11.0_linux_amd64.zip /opt/

Inspect downloaded archive.

$ unzip -l /opt/vault_1.11.0_linux_amd64.zip 
Archive:  /opt/vault_1.11.0_linux_amd64.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
199518230  2022-06-17 23:04   vault
---------                     -------
199518230                     1 file

Extract vault binary.

$ sudo unzip -d /usr/bin /opt/vault_1.11.0_linux_amd64.zip vault
Archive:  /opt/vault_1.11.0_linux_amd64.zip
  inflating: /usr/bin/vault 

Inspect binary file permissions.

$ ls -l /usr/bin/vault 
-rwxr-xr-x 1 root root 199518230 Jun 17 23:04 /usr/bin/vault

Create vault group.

$ sudo groupadd --gid 864 vault

Create vault user.

$ sudo useradd --uid 864 --gid 864 \
               --shell /bin/false \
               --home-dir /etc/vault.d --no-create-home \
               vault

Create configuration directory.

$ sudo -u vault install --directory --group vault --owner vault --mode 700 /etc/vault.d

Create app data directory.

$ sudo -u vault install --directory --group vault --owner vault --mode 700 /opt/vault

Create empty environment file.

$ sudo -u vault touch /etc/vault.d/vault.env

Create empty configuration.

$ sudo -u vault touch /etc/vault.d/vault.hcl

Prevent memory from being swapped to disk.

$ sudo setcap cap_ipc_lock=+ep /usr/bin/vault

Create systemd service - it is the official packaged one.

$ sudo tee /usr/lib/systemd/system/vault-agent.service << 'EOF'
[Unit]
Description="HashiCorp Vault Agent - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
Type=exec
EnvironmentFile=/etc/vault.d/vault.env
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/bin/vault agent -non-interactive -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target
EOF
[Unit]
Description="HashiCorp Vault Agent - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
Type=exec
EnvironmentFile=/etc/vault.d/vault.env
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/bin/vault agent -non-interactive -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target

Reload systemd configuration.

$ sudo systemctl --system daemon-reload

Inspect service status.

$ systemctl status vault-agent
○ vault-agent.service - "HashiCorp Vault Agent - A tool for managing secrets"
     Loaded: loaded (/lib/systemd/system/vault-agent.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: https://www.vaultproject.io/docs/

Configure vault agent

Store role id and secret id.

$ echo 0201b61d-c602-bdf9-94e5-6ce7ecd736a7 | sudo -u vault tee /etc/vault.d/role-id
$ sudo chmod 600 /etc/vault.d/role-id
$ echo af93c5e5-c143-6196-de96-36f9516da065 | sudo -u vault tee /etc/vault.d/secret-id
$ sudo chmod 600 /etc/vault.d/secret-id

Create secret template.

$ sudo tee /etc/vault.d/secret.ctmpl << EOF
{{ with secret "kv/agent/secret" -}}
username = "{{ .Data.data.username }}"
password = "{{ .Data.data.password }}"
{{- end }}
EOF
{{ with secret "kv/agent/secret" -}}
username = "{{ .Data.data.username }}"
password = "{{ .Data.data.password }}"
{{- end }}

Create agent configuration. Update systemd service to use directory instead of a single file.

$ sudo -u vault tee /etc/vault.d/vault.hcl << EOF
vault {
  address = "https://172.16.148.3:8200"
}

auto_auth {
  method "approle" {
    config = {
      role_id_file_path = "/etc/vault.d/role-id"
      secret_id_file_path = "/etc/vault.d/secret-id"  
      remove_secret_id_file_after_reading = false
    }
  }
}

pid_file = "/opt/vault/vault.pid"

template {
  source = "/etc/vault.d/secret.ctmpl"
  destination = "/opt/vault/secret"
}
EOF

Enable server service.

$ sudo systemctl enable --now vault-agent
Created symlink /etc/systemd/system/multi-user.target.wants/vault-agent.service → /lib/systemd/system/vault-agent.service.

Inspect service status.

$ systemctl status vault
 vault-agent.service - "HashiCorp Vault Agent - A tool for managing secrets"
     Loaded: loaded (/lib/systemd/system/vault-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2022-07-23 20:26:35 UTC; 9min ago
       Docs: https://www.vaultproject.io/docs/
   Main PID: 8759 (vault)
      Tasks: 8 (limit: 2241)
     Memory: 18.5M
        CPU: 325ms
     CGroup: /system.slice/vault-agent.service
             └─8759 /usr/bin/vault agent -non-interactive -config=/etc/vault.d/vault.hcl

Jul 23 20:26:35 vault-agent vault[8759]: 2022-07-23T20:26:35.106Z [INFO]  cache: received request: method=GET path=/v1/sys/internal/ui/mounts/kv/agent/secret
Jul 23 20:26:35 vault-agent vault[8759]: 2022-07-23T20:26:35.107Z [INFO]  cache.apiproxy: forwarding request: method=GET path=/v1/sys/internal/ui/mounts/kv/agent/secret
Jul 23 20:26:35 vault-agent vault[8759]: 2022-07-23T20:26:35.110Z [INFO]  auth.handler: renewed auth token
Jul 23 20:26:35 vault-agent vault[8759]: 2022-07-23T20:26:35.110Z [INFO]  cache: received request: method=GET path=/v1/kv/data/agent/secret
Jul 23 20:26:35 vault-agent vault[8759]: 2022-07-23T20:26:35.110Z [INFO]  cache.apiproxy: forwarding request: method=GET path=/v1/kv/data/agent/secret
Jul 23 20:30:53 vault-agent vault[8759]: 2022-07-23T20:30:53.970Z [INFO]  cache: received request: method=GET path=/v1/kv/data/agent/secret
Jul 23 20:30:53 vault-agent vault[8759]: 2022-07-23T20:30:53.971Z [INFO]  cache.apiproxy: forwarding request: method=GET path=/v1/kv/data/agent/secret
Jul 23 20:35:20 vault-agent vault[8759]: 2022-07-23T20:35:20.635Z [INFO]  cache: received request: method=GET path=/v1/kv/data/agent/secret
Jul 23 20:35:20 vault-agent vault[8759]: 2022-07-23T20:35:20.635Z [INFO]  cache.apiproxy: forwarding request: method=GET path=/v1/kv/data/agent/secret
Jul 23 20:35:20 vault-agent vault[8759]: 2022-07-23T20:35:20.658Z [INFO] (runner) rendered "/etc/vault.d/secret.ctmpl" => "/opt/vault/secret
$ sudo -u vault  cat /opt/vault/secret 
username = "joe"
password = "secret"

Secret will be updated every five minutes.

One-time action

You can execute vault agent once, get secrets, parse templates, create the target files, remove auth data and quit.

$ sudo -u vault tee /etc/vault.d/vault.hcl << EOF
vault {
  address = "https://172.16.148.3:8200"
}

exit_after_auth = true

auto_auth {
  method "approle" {
    config = {
      role_id_file_path = "/etc/vault.d/role-id"
      secret_id_file_path = "/etc/vault.d/secret-id"  
      remove_secret_id_file_after_reading = true
    }
  }
}

template {
  source = "/etc/vault.d/secret.ctmpl"
  destination = "/opt/vault/secret"
}
EOF

Inspect service status after it used this configuration.

$ sudo systemctl status vault-agent
○ vault-agent.service - "HashiCorp Vault Agent - A tool for managing secrets"
     Loaded: loaded (/lib/systemd/system/vault-agent.service; enabled; vendor preset: enabled)
     Active: inactive (dead) since Sat 2022-07-23 21:03:38 UTC; 3s ago
       Docs: https://www.vaultproject.io/docs/
    Process: 9430 ExecStart=/usr/bin/vault agent -non-interactive -config=/etc/vault.d/vault.hcl (code=exited, status=0/SUCCESS)
   Main PID: 9430 (code=exited, status=0/SUCCESS)
        CPU: 97ms

Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.695Z [WARN] (clients) disabling nomad SSL verification
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.695Z [INFO] (runner) creating watcher
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.696Z [INFO] (runner) starting
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.704Z [INFO]  auth.handler: renewed auth token
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.802Z [INFO] (runner) stopping
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.802Z [INFO]  template.server: template server stopped
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.802Z [INFO] (runner) received finish
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.802Z [INFO]  auth.handler: shutdown triggered, stopping lifetime watcher
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.802Z [INFO]  auth.handler: auth handler stopped
Jul 23 21:03:38 vault-agent systemd[1]: vault-agent.service: Deactivated successfully.

Inspect service logs.

$ sudo journalctl -u vault-agent
Jul 23 21:03:38 vault-agent systemd[1]: Starting "HashiCorp Vault Agent - A tool for managing secrets"...
Jul 23 21:03:38 vault-agent systemd[1]: Started "HashiCorp Vault Agent - A tool for managing secrets".
Jul 23 21:03:38 vault-agent vault[9430]: ==> Vault agent started! Log data will stream in below:
Jul 23 21:03:38 vault-agent vault[9430]: ==> Vault agent configuration:
Jul 23 21:03:38 vault-agent vault[9430]:                      Cgo: disabled
Jul 23 21:03:38 vault-agent vault[9430]:                Log Level: info
Jul 23 21:03:38 vault-agent vault[9430]:                  Version: Vault v1.11.0, built 2022-06-17T15:48:44Z
Jul 23 21:03:38 vault-agent vault[9430]:              Version Sha: ea296ccf58507b25051bc0597379c467046eb2f1
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.660Z [INFO]  auth.handler: starting auth handler
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.661Z [INFO]  auth.handler: authenticating
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.661Z [ERROR] auth.approle: error removing secret ID file after reading: error="remove /etc/vault.d/secret-id: read-only fi>
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.661Z [INFO]  template.server: starting template server
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.661Z [INFO] (runner) creating new runner (dry: false, once: false)
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.661Z [INFO]  sink.server: starting sink server
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.662Z [WARN] (clients) disabling vault SSL verification
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.662Z [WARN] (clients) disabling nomad SSL verification
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.662Z [INFO] (runner) creating watcher
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.695Z [INFO]  auth.handler: authentication successful, sending token to sinks
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.695Z [INFO]  auth.handler: starting renewal process
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.695Z [INFO]  sink.server: sink server stopped
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.695Z [INFO]  sinks finished, exiting
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.695Z [INFO]  template.server: template server received new token
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.695Z [INFO] (runner) stopping
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.695Z [INFO] (runner) creating new runner (dry: false, once: false)
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.695Z [INFO] (runner) creating watcher
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.696Z [INFO] (runner) starting
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.704Z [INFO]  auth.handler: renewed auth token
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.802Z [INFO] (runner) stopping
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.802Z [INFO]  template.server: template server stopped
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.802Z [INFO] (runner) received finish
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.802Z [INFO]  auth.handler: shutdown triggered, stopping lifetime watcher
Jul 23 21:03:38 vault-agent vault[9430]: 2022-07-23T21:03:38.802Z [INFO]  auth.handler: auth handler stopped
Jul 23 21:03:38 vault-agent systemd[1]: vault-agent.service: Deactivated successfully.

Awesome!