Tuesday 29 September 2020

HashiCorp Vault: Run in dev mode

You can start Vault in dev mode by executing the command below.

vault server -dev

 

You can use the dev server to experiment with Vault.

 

Is every feature of Vault available in dev mode?

Yes

 

Dev server is unsealed

When you start the dev server, it is automatically initialized and unsealed. It is ready for use; you do not need to unseal it explicitly.

 

Dev server stores the data in-memory

It stores the data in memory.

 

Follow the steps below to perform CRUD operations against the Vault dev server.

 

Step 1: Start the Vault dev server by executing the command below.

vault server -dev

$ vault server -dev
==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: false, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.4.2
             Version Sha: 18f1c494be8b06788c2fdda1a4296eb3c4b174ce+CHANGES

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variable:

    $ export VAULT_ADDR='http://127.0.0.1:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: 7Ikm5CEkuxiUAITXgWJb81Hfo7wdymr3gM1igvOEiLo=
Root Token: s.l5QIWgO9MhRc8dqQpuqFEQ5V

Development mode should NOT be used in production installations!

==> Vault server started! Log data will stream in below:

2020-06-01T19:27:15.762+0530 [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
2020-06-01T19:27:15.765+0530 [WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
2020-06-01T19:27:15.768+0530 [ERROR] core: no seal config found, can't determine if legacy or new-style shamir
2020-06-01T19:27:15.768+0530 [ERROR] core: no seal config found, can't determine if legacy or new-style shamir
2020-06-01T19:27:15.768+0530 [INFO]  core: security barrier not initialized
2020-06-01T19:27:15.768+0530 [INFO]  core: security barrier initialized: stored=1 shares=1 threshold=1
2020-06-01T19:27:15.769+0530 [INFO]  core: post-unseal setup starting
2020-06-01T19:27:15.780+0530 [INFO]  core: loaded wrapping token key
2020-06-01T19:27:15.780+0530 [INFO]  core: successfully setup plugin catalog: plugin-directory=
2020-06-01T19:27:15.780+0530 [INFO]  core: no mounts; adding default mount table
2020-06-01T19:27:15.781+0530 [INFO]  core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2020-06-01T19:27:15.781+0530 [INFO]  core: successfully mounted backend: type=system path=sys/
2020-06-01T19:27:15.781+0530 [INFO]  core: successfully mounted backend: type=identity path=identity/
2020-06-01T19:27:15.787+0530 [INFO]  core: successfully enabled credential backend: type=token path=token/
2020-06-01T19:27:15.787+0530 [INFO]  core: restoring leases
2020-06-01T19:27:15.787+0530 [INFO]  rollback: starting rollback manager
2020-06-01T19:27:15.788+0530 [INFO]  expiration: lease restore complete
2020-06-01T19:27:15.788+0530 [INFO]  identity: entities restored
2020-06-01T19:27:15.788+0530 [INFO]  identity: groups restored
2020-06-01T19:27:15.788+0530 [INFO]  core: post-unseal setup complete
2020-06-01T19:27:15.790+0530 [INFO]  core: root token generated
2020-06-01T19:27:15.790+0530 [INFO]  core: pre-seal teardown starting
2020-06-01T19:27:15.790+0530 [INFO]  rollback: stopping rollback manager
2020-06-01T19:27:15.790+0530 [INFO]  core: pre-seal teardown complete
2020-06-01T19:27:15.790+0530 [ERROR] core: no seal config found, can't determine if legacy or new-style shamir
2020-06-01T19:27:15.790+0530 [INFO]  core.cluster-listener.tcp: starting listener: listener_address=127.0.0.1:8201
2020-06-01T19:27:15.790+0530 [INFO]  core.cluster-listener: serving cluster requests: cluster_listen_address=127.0.0.1:8201
2020-06-01T19:27:15.790+0530 [INFO]  core: post-unseal setup starting
2020-06-01T19:27:15.791+0530 [INFO]  core: loaded wrapping token key
2020-06-01T19:27:15.791+0530 [INFO]  core: successfully setup plugin catalog: plugin-directory=
2020-06-01T19:27:15.792+0530 [INFO]  core: successfully mounted backend: type=system path=sys/
2020-06-01T19:27:15.792+0530 [INFO]  core: successfully mounted backend: type=identity path=identity/
2020-06-01T19:27:15.792+0530 [INFO]  core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2020-06-01T19:27:15.792+0530 [INFO]  core: successfully enabled credential backend: type=token path=token/
2020-06-01T19:27:15.792+0530 [INFO]  core: restoring leases
2020-06-01T19:27:15.792+0530 [INFO]  rollback: starting rollback manager
2020-06-01T19:27:15.793+0530 [INFO]  expiration: lease restore complete
2020-06-01T19:27:15.793+0530 [INFO]  identity: entities restored
2020-06-01T19:27:15.793+0530 [INFO]  identity: groups restored
2020-06-01T19:27:15.793+0530 [INFO]  core: post-unseal setup complete
2020-06-01T19:27:15.793+0530 [INFO]  core: vault is unsealed
2020-06-01T19:27:15.798+0530 [INFO]  core: successful mount: namespace= path=secret/ type=kv
2020-06-01T19:27:15.799+0530 [INFO]  secrets.kv.kv_acf5e2da: collecting keys to upgrade
2020-06-01T19:27:15.799+0530 [INFO]  secrets.kv.kv_acf5e2da: done collecting keys: num_keys=1
2020-06-01T19:27:15.799+0530 [INFO]  secrets.kv.kv_acf5e2da: upgrading keys finished

Step 2: Points to note in the step 1 output.

 

The dev server is started on port 8200.

http://127.0.0.1:8200

 

Vault runs in-memory.

Vault is already unsealed with a single unseal key ‘7Ikm5CEkuxiUAITXgWJb81Hfo7wdymr3gM1igvOEiLo=’.

The root token is ‘s.l5QIWgO9MhRc8dqQpuqFEQ5V’.

 

To communicate with the dev server, we need to set the following environment variable in the terminal.

 

export VAULT_ADDR='http://127.0.0.1:8200'

 

Development mode should not be used in production installations.
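
The points noted in step 2 can also be checked mechanically. The Python below is an added example, not part of the original post or of Vault itself: it scans captured start-up output for the dev-mode indicators listed above. The function name, the finding labels and the non-dev sample values are assumptions made for illustration.

```python
import re

# Constructed sample: a shortened excerpt of the `vault server -dev` output
# shown in step 1, with the unseal key and root token replaced by placeholders.
DEV_OUTPUT = """\
==> Vault server configuration:

              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", tls: "disabled")
                 Storage: inmem

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
Unseal Key: <placeholder>
Root Token: <placeholder>
2020-06-01T19:27:15.768+0530 [INFO]  core: security barrier initialized: stored=1 shares=1 threshold=1
"""

# Constructed sample of a non-dev start-up, for contrast (all values are assumptions).
PROD_OUTPUT = """\
==> Vault server configuration:

              Listener 1: tcp (addr: "10.0.0.5:8200", cluster address: "10.0.0.5:8201", tls: "enabled")
                 Storage: raft

2020-06-01T19:30:02.114+0530 [INFO]  core: security barrier initialized: stored=1 shares=5 threshold=3
"""

CONFIG_LINE = re.compile(r"^[ \t]+([A-Za-z][A-Za-z0-9 ]*?):[ \t]+(.*)$", re.M)
BARRIER = re.compile(r"security barrier initialized:.*?shares=(\d+) threshold=(\d+)")


def dev_mode_findings(output: str) -> list:
    """Return labels for the dev-mode indicators found in Vault start-up output."""
    config = {key: value.strip() for key, value in CONFIG_LINE.findall(output)}
    findings = []
    if "dev mode is enabled" in output:  # the WARNING banner itself
        findings.append("dev-mode-banner")
    if config.get("Storage") == "inmem":  # data does not survive a restart
        findings.append("in-memory-storage")
    if any(k.startswith("Listener") and 'tls: "disabled"' in v for k, v in config.items()):
        findings.append("listener-without-tls")
    barrier = BARRIER.search(output)
    if barrier and barrier.groups() == ("1", "1"):  # one key share unseals Vault
        findings.append("single-unseal-key")
    if re.search(r"^Root Token:[ \t]*\S+", output, re.M):  # token printed in clear
        findings.append("root-token-in-output")
    return findings

if __name__ == "__main__":
    print(dev_mode_findings(DEV_OUTPUT), dev_mode_findings(PROD_OUTPUT))
```

An empty list means none of these indicators were found in the captured output; it does not by itself show that the server is configured for production.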

 

Step 3: Open another terminal and set VAULT_ADDR by executing the command below.

 

export VAULT_ADDR='http://127.0.0.1:8200'

 

 

Step 4: Enable the kv secrets engine at path my-secrets/.

$ vault secrets enable -path=my-secrets/ kv
Success! Enabled the kv secrets engine at: my-secrets/

Step 5: Write some key-value pairs at path my-secrets/my-app.

 

vault kv put my-secrets/my-app username=krishna123 password=password123

$ vault kv put my-secrets/my-app username=krishna123 password=password123
Success! Data written to: my-secrets/my-app

Step 6: Get the secrets.

vault kv get my-secrets/my-app

 

$ vault kv get my-secrets/my-app
====== Data ======
Key         Value
---         -----
password    password123
username    krishna123

Step 7: Delete the secrets.

vault kv delete my-secrets/my-app

$ vault kv delete my-secrets/my-app
Success! Data deleted (if it existed) at: my-secrets/my-app
$
$ vault kv get my-secrets/my-app
No value found at my-secrets/my-app



