Sunday 18 October 2020

Vault Configuration file

Vault servers are configured using a configuration file. Usually these configuration files are written in JSON or HCL (HashiCorp Configuration Language) format.

vault.hcl

storage "inmem" {
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

disable_mlock = true

A configuration file consists of stanzas (for example storage and listener) and top-level parameters (for example disable_mlock) that define the configuration options.

A typical configuration file looks like this:

stanza "option" {
  param1 = value1
  .....
  paramN = valueN
}

stanza "option" {
  param1 = value1
  .....
  paramN = valueN
}

.....
.....
stanza "option" {
  param1 = value1
  .....
  paramN = valueN
}

param1=value1
param2=value2

How to start a server using a configuration file?

Command to run:

vault server -config {configuration_file}

 

What are the different stanzas that I can specify in a configuration file?

a. listener stanza: configures the addresses and ports on which Vault will respond to requests.

Example

listener "tcp" {
  address = "127.0.0.1:8200"
}

 

b. seal stanza: configures the seal type to use for additional data protection.

Example

seal "alicloudkms" {
  region     = "us-east-1"
  access_key = "0wNEpMMlzy7szvai"
  secret_key = "PupkTg8jdmau1cXxYacgE736PJj4cA"
  kms_key_id = "08c33a6f-4e0a-4a1b-a3fa-7ddfa1d4fb73"
}

 

c. storage stanza: configures the storage backend.

Example

storage "file" {
  path = "/mnt/vault/data"
}

 

d. service_registration stanza: configures Vault's mechanism for service registration.

Example

service_registration "consul" {
  address = "127.0.0.1:8500"
}

 

e. telemetry stanza: specifies how Vault publishes metrics to upstream systems.

Example

telemetry {
  statsite_address = "statsite.company.local:8125"
}

 

You can enable the Vault UI by setting the property below in the configuration file.

ui = true

By default the UI is disabled.

 

You can also specify the cluster name and cluster address in the Vault configuration file.

cluster_name = "my_cluster"

cluster_addr = "statsite.company.local:8125"

 

You can specify the log level.

log_level = "Trace"

log_level can be set to Trace, Debug, Error, Warn or Info.

 

You can specify the API address (the parameter is api_addr, and the value is a quoted URL).

api_addr = "https://127.0.0.1:8555"
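As an added example, not code from the original post or from HashiCorp, the Python script below parses the flat HCL subset shown on this page (stanzas with or without a label, one param = value per line, plus top-level parameters) and then checks a parsed configuration for the settings that are convenient on a development server but risky in production: tls_disable on a listener that is not bound to loopback, disable_mlock = true, the in-memory storage backend, and cloud credentials written inline in the seal stanza (the seal example above carries its access_key and secret_key in the file, which means anyone who can read the file can use the KMS). The two sample configurations are constructed from the snippets on this page; the listener's tls_cert_file and tls_key_file parameters and the api_addr parameter are Vault's own, while the function names, the certificate paths and the checks themselves are this example's assumptions.

```python
import re
from typing import Any

# Assumption: the flat HCL subset used on this page. Stanzas are never nested
# and every parameter sits on its own line as  key = value.
_STANZA_RE = re.compile(r'^(\w+)(?:\s+"([^"]*)")?\s*\{$')
_PARAM_RE = re.compile(r'^(\w+)\s*=\s*(.+?)\s*$')


def _coerce(raw: str) -> Any:
    """Turn one HCL scalar into a Python value: "text" -> str, true/false -> bool, digits -> int."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw  # any other bare token is kept as written


def parse_vault_hcl(text: str) -> dict:
    """Parse text into {"params": {...}, "stanzas": [(kind, label_or_None, {...}), ...]}."""
    params: dict = {}
    stanzas: list = []
    current = None  # (kind, label, body) while inside a stanza
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if current is None:
            m = _STANZA_RE.match(line)
            if m:
                current = (m.group(1), m.group(2), {})
                continue
        elif line == "}":
            stanzas.append(current)
            current = None
            continue
        m = _PARAM_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        target = params if current is None else current[2]
        target[m.group(1)] = _coerce(m.group(2))
    if current is not None:
        raise ValueError(f"stanza {current[0]!r} is never closed")
    return {"params": params, "stanzas": stanzas}


def lint_vault_config(cfg: dict) -> list:
    """Return human-readable findings for dev-only settings that are unsafe in production."""
    findings = []
    if cfg["params"].get("disable_mlock") is True:
        findings.append("disable_mlock = true: Vault memory may be swapped to disk")
    for kind, label, body in cfg["stanzas"]:
        where = f'{kind} "{label}"' if label else kind
        if kind == "listener":
            addr = str(body.get("address", ""))
            host = addr.rsplit(":", 1)[0]
            loopback = host == "localhost" or host.startswith("127.")
            if body.get("tls_disable") in (1, True, "true") and not loopback:
                findings.append(f"{where}: TLS disabled on non-loopback address {addr}")
        elif kind == "seal":
            for key in ("access_key", "secret_key"):
                if key in body:
                    findings.append(f"{where}: {key} is written inline in the config file")
        elif kind == "storage" and label == "inmem":
            findings.append(f"{where}: in-memory storage loses all data on restart")
    return findings


# Constructed sample: the page's dev vault.hcl plus the page's seal example.
DEV_CONFIG = """
storage "inmem" {
}
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}
seal "alicloudkms" {
  region     = "us-east-1"
  access_key = "0wNEpMMlzy7szvai"
  secret_key = "PupkTg8jdmau1cXxYacgE736PJj4cA"
  kms_key_id = "08c33a6f-4e0a-4a1b-a3fa-7ddfa1d4fb73"
}
disable_mlock = true
"""

# Constructed sample: the same server with the dev shortcuts removed (certificate paths are placeholders).
HARDENED_CONFIG = """
storage "file" {
  path = "/mnt/vault/data"
}
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"
  tls_key_file  = "/etc/vault/tls/vault.key"
}
ui = true
api_addr = "https://127.0.0.1:8200"
"""

if __name__ == "__main__":
    for name, text in (("dev", DEV_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {lint_vault_config(parse_vault_hcl(text)) or 'no findings'}")
```

Run as-is, it reports five findings for the dev file (disable_mlock, the inmem backend, the unencrypted listener on 0.0.0.0, and the two inline seal credentials) and none for the hardened one; point parse_vault_hcl at the contents of your own vault.hcl to check it the same way before starting the server with vault server -config.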

 

 
