Difficulty: beginner
Estimated Time: 10 minutes


HashiCorp Vault can generate secrets on-demand for some systems. For example, when an app needs to access an Amazon S3 bucket, it asks Vault for AWS credentials. Vault will generate an AWS credential granting permissions to access the S3 bucket. In addition, Vault will automatically revoke this credential after the TTL is expired.

The Getting Started guide walks you through the generation of dynamic AWS credentials.

Reference Material

Don’t stop now! The next scenario will only take about 10 minutes to complete.


Step 1 of 2

Getting Started

This tutorial uses Vault docker container which is running Vault in development mode.

Login to Vault

When Vault is running in development mode, it runs entirely in-memory and starts unsealed with a single unseal key. The root token is already authenticated to the CLI, so you can immediately begin using Vault.

First, get the generated root token.

Enter the following command into the terminal, or click on the command to automatically copy it into the terminal and execute it.

docker logs vault > system.out
grep 'Root Token:' system.out | awk '{print $NF}' > root_token.txt

Login with root token:

vault login $(cat root_token.txt)

Now, you are logged in as a root and ready to play!

vault server -dev -dev-root-token-id="root"
export VAULT_ADDR=''