Vault is a secrets manager: it stores and protects several types of secrets such as passwords, certificates, tokens and keys. Usually I have seen Vault installed in Kubernetes or some other container platform; in this case an AMI is preferred for people who may not have that infrastructure in place. The operating system used here is Ubuntu 18.04, since it is an LTS release with good documentation and has support from Canonical until 2023.

So in this post a basic AMI for Vault is created, and the image is built with Packer. The first thing to do is create the files needed to run Vault as a service in the instance.

vault.service

[Unit]
Description=vault service
Requires=network-online.target
After=network-online.target
# Refuse to start if the Vault configuration is missing or empty
ConditionFileNotEmpty=/etc/vault/config.json

[Service]
# Optional environment overrides; the leading '-' makes a missing file non-fatal
EnvironmentFile=-/etc/sysconfig/vault
Environment=GOMAXPROCS=2
Restart=on-failure
ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.json
# systemd needs the file: prefix to redirect output to a path
# (the directory /logs/vault must exist before the service starts)
StandardOutput=file:/logs/vault/output.log
StandardError=file:/logs/vault/error.log
# Vault mlocks its memory so secrets are never swapped to disk
LimitMEMLOCK=infinity
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target

The file above configures the systemd service that manages Vault. The next file is the Vault configuration itself. It holds only simple settings: the storage backend (I prefer to use S3 for this), the listeners and a few optional settings, because this is for a lower environment and only the basic configuration is needed.

config.json

{
  "backend": {
    "s3": {
      "region": "us-east-2",
      "bucket": "vault-backend"
    }
  },
  "listener": [{
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_disable": 1
    }
  }],
  "api_addr": "http://localhost:8200",
  "ui": true
}

In this configuration the S3 bucket resides in the region us-east-2 and is called vault-backend, per my setup.
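Before baking config.json into the image it is worth running a quick lint over it. The following Python script is an added example, not code from the post or from HashiCorp: it parses a Vault JSON config and reports the settings a reviewer would flag before the AMI is built (the legacy backend key, a malformed api_addr, a plaintext listener bound to every interface, or TLS enabled without a certificate and key). The embedded sample config is constructed for the demonstration.

```python
import json
from typing import List
from urllib.parse import urlparse

# Constructed sample: a lower-environment config with the settings a reviewer
# should notice before it is baked into an AMI (legacy key, plaintext listener
# bound to every interface, api_addr missing the '//').
SAMPLE_CONFIG = """{
  "backend": {"s3": {"region": "us-east-2", "bucket": "vault-backend"}},
  "listener": [{"tcp": {"address": "0.0.0.0:8200", "tls_disable": 1}}],
  "api_addr": "http:localhost:8200",
  "ui": true
}"""

def lint_vault_config(text: str) -> List[str]:
    """Return human-readable findings for a Vault server config given as JSON text."""
    findings = []
    cfg = json.loads(text)

    # "backend" is the legacy spelling of the "storage" stanza.
    if "backend" in cfg and "storage" not in cfg:
        findings.append("config uses legacy 'backend' key; prefer 'storage'")

    # api_addr must be a full URL; 'http:localhost:8200' parses with an empty netloc.
    api_addr = str(cfg.get("api_addr", ""))
    if api_addr:
        parsed = urlparse(api_addr)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            findings.append(f"api_addr {api_addr!r} is not a valid http(s) URL")

    listeners = cfg.get("listener", [])
    if isinstance(listeners, dict):  # a single listener object instead of a list
        listeners = [listeners]
    for idx, entry in enumerate(listeners):
        tcp = entry.get("tcp", {})
        addr = str(tcp.get("address", "127.0.0.1:8200"))
        if str(tcp.get("tls_disable", 0)).lower() in ("1", "true"):
            findings.append(f"listener[{idx}]: tls_disable set, API traffic is plaintext")
        else:
            for key in ("tls_cert_file", "tls_key_file"):
                if key not in tcp:
                    findings.append(f"listener[{idx}]: TLS enabled but {key} is missing")
        if addr.startswith(("0.0.0.0", "[::]")):
            findings.append(f"listener[{idx}]: bound to all interfaces ({addr})")
    return findings

if __name__ == "__main__":
    for finding in lint_vault_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Running it against the sample prints four warnings; a config that uses the storage key, binds to 127.0.0.1 with a certificate and key, and has a full https api_addr produces none.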

To install Vault into the image, a basic script is needed. The latest release of Vault is used, and this script is referenced, along with the rest of the files, from the Packer template.

vault.sh

#!/usr/bin/env bash
# Installs the Vault binary; run by the Packer shell provisioner on the build instance
set -euo pipefail

# Give cloud-init time to finish before touching apt
sleep 30
sudo apt-get update
sudo apt-get install unzip -y
curl -L https://releases.hashicorp.com/vault/1.5.4/vault_1.5.4_linux_amd64.zip -o vault.zip
unzip vault.zip
sudo chown root:root vault
sudo mv vault /usr/local/bin/
rm -f vault.zip
# Log directory referenced by vault.service
sudo mkdir -p /logs/vault

packer_vault.json

{
  "variables": {
    "aws_access_key": "",
    "aws_secret_key": ""
  },
  "builders": [
    {
      "type": "amazon-ebs",
      "region": "us-east-1",
      "access_key": "{{user `aws_access_key`}}",
      "secret_key": "{{user `aws_secret_key`}}",
      "source_ami_filter": {
        "filters": {
          "virtualization-type": "hvm",
          "root-device-type": "ebs",
          "name": "ubuntu/images/*ubuntu-bionic-18.04-amd64-server-*"
        },
        "owners": ["099720109477"],
        "most_recent": true
      },
      "instance_type": "t2.medium",
      "ami_name": "vault",
      "ssh_username": "ubuntu"
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "script": "vault.sh"
    },
    {
      "type": "file",
      "source": "config.json",
      "destination": "~/config.json"
    },
    {
      "type": "shell",
      "inline": [
        "sudo mkdir -p /etc/vault",
        "sudo mv ~/config.json /etc/vault/config.json"
      ]
    },
    {
      "type": "file",
      "source": "vault.service",
      "destination": "~/vault.service"
    },
    {
      "type": "shell",
      "inline": [
        "sudo mv ~/vault.service /etc/systemd/system/vault.service",
        "sudo systemctl enable vault.service"
      ]
    }
  ]
}

At the end, execute packer build packer_vault.json; the variables for the AWS account must be set beforehand.

With these files you now have a simple way to run Vault for lower environments or for environments dedicated to CI/CD. Many of the instructions and files here can be found on learn.hashicorp.com, which I recommend visiting for more detailed and advanced implementations of Vault.
