Difficulty: Intermediate
Estimated Time: 15-20 minutes

In this scenario, we'll explore how to store secrets in Hashicorp Vault. The scenario explains how to initialise a vault, store key/values in a secure way that can later be accessed via the CLI or the HTTP API. The HTTP API is an excellent way to obtain secrets when running inside a Docker Container.

What is Hashicorp Vault

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log. More details can be found at https://github.com/hashicorp/vault/

Important

This scenario is designed for educational purposes and not production. For production usage, you should always use TLS, which has been disabled in this example.

In this scenario we explored how to launch a Hashicorp Vault Server and use it to read/write secure information such as our API keys.

Learn how to access these Vault secrets from within a Docker container using our [LibSecret Docker Volume Driver](https://www.katacoda.com/courses/docker-production/docker-volume-libsecret) scenario.

Don’t stop now! The next scenario will only take about 10 minutes to complete.

Store Secrets using Hashicorp Vault

Step 1 of 8

Step 1 - Configuration

The first step is to configure a Data Container to store the configuration for Vault.

View the configuration with cat vault.hcl

The config defines three important properties. Firstly, it sets Vault to use Consul to store the secrets. Using Consul enables high availability mode, as Consul manages the stored information and its distribution across the cluster to ensure HA. Secondly, it binds Vault to listen on all IP addresses, which is needed for the HTTP API to be reachable from other containers. Finally, for development purposes, we disable TLS.
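To make the three properties concrete, here is an added example of a vault.hcl that expresses them; it is not the scenario's own file, so the Consul hostname, port and certificate paths are assumptions. The stanza is named storage in current Vault releases (older releases spelled it backend). The commented-out listener at the end shows the TLS-enabled form you would use outside this learning environment.

```hcl
# Added example, not the scenario's vault.hcl. Hostnames and paths are assumptions.

# 1. Storage backend: Consul. Vault's (already encrypted) data is replicated by
#    the Consul cluster, which is what gives Vault its HA mode. The address
#    assumes a container or host named "consul" on Consul's default port 8500.
storage "consul" {
  address = "consul:8500"
  path    = "vault/"
}

# 2. Listener bound to all interfaces so the HTTP API is reachable from other
#    containers (Vault's default API port is 8200).
# 3. TLS disabled: acceptable only in this learning environment.
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

# Production form of the same listener: keep the bind address, serve TLS from a
# certificate and key you provision (paths below are placeholders).
# listener "tcp" {
#   address       = "0.0.0.0:8200"
#   tls_disable   = 0
#   tls_cert_file = "/vault/tls/vault.crt"
#   tls_key_file  = "/vault/tls/vault.key"
# }
```

With tls_disable = 1 every token and secret crosses the Docker network in cleartext, which is why the scenario's note insists on TLS for anything beyond a lab.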

Create Data Container

To store the configuration we'll create a container. This will be used by Vault and Consul to read the required configuration files.

docker create -v /config --name config busybox; docker cp vault.hcl config:/config/;

You can learn more about data containers with our scenario https://www.katacoda.com/courses/docker/data-containers