Installing

To install Vault, follow the Vault installation instructions. If you have a Mac, you can install it using Homebrew. You can confirm that it is installed by running the following command.

vault -h

After Vault has been installed, the next step is to start up a Vault server.

vault server -dev

This produces output like the following:

==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: false, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.4.2
             Version Sha: 18f1c494be8b06788c2fdda1a4296eb3c4b174ce+CHANGES

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variable:

    $ export VAULT_ADDR='http://127.0.0.1:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: <a long key>
Root Token: <a token>

Development mode should NOT be used in production installations!

Configuring

Once Vault is installed and running, the next step is to configure it to work with your application. Because multiple applications will share the same Vault infrastructure in production, access is controlled with Vault policies and separate key/value secret paths. In the following examples, VAULT_SECRET_NAMESPACE is the secret path under which your secrets are stored. This can be any string of your choosing (except "secrets", since that exists by default), for example local-secrets. VAULT_POLICY_NAME is the name of the policy used to control access to VAULT_SECRET_NAMESPACE. Again, this can be any string, for example local-policy.

To set up a policy and secret path run the following commands:

# enable a version 2 key/value secrets engine mounted at the VAULT_SECRET_NAMESPACE path
vault secrets enable -path=VAULT_SECRET_NAMESPACE/ kv-v2

# write a policy that grants only create/update/read on secret data under that path
# (KV v2 stores secret data under <mount>/data/<key>, hence the "data" segment)
vault policy write VAULT_POLICY_NAME -<<EOF
# grant permission to the new VAULT_SECRET_NAMESPACE path
path "VAULT_SECRET_NAMESPACE/data/*" {
  capabilities = ["create", "update", "read"]
}
EOF

# issue a token that carries this policy (plus the built-in "default" policy)
vault token create -policy=VAULT_POLICY_NAME

The final command will give you the following output:

# Key                  Value
# ---                  -----
# token                important-policy-token
# token_accessor       another-less-important-token
# token_duration       768h
# token_renewable      true
# token_policies       ["default" VAULT_POLICY_NAME]
# identity_policies    []
# policies             ["default" VAULT_POLICY_NAME]

The token value from the output above is what your application uses to access Vault. All that is left is to set the appropriate environment variables in your .env file.

export VAULT_TOKEN=important-policy-token
export VAULT_SECRET_NAMESPACE=<your namespace from above>

Restart your application to start using Vault. One easy way to see it in action is via the Rails console.

# Enabled Example
[3] pry(main)> AppSecrets["TEST_SET"]="success"
=> "success"
[4] pry(main)> AppSecrets["TEST_SET"]
=> "success"

# Disabled Example
[2] pry(main)> AppSecrets["TEST_SET"]="success"
Vault::MissingTokenError: Missing Vault token! I cannot make requests to Vault without a token. Please
set a Vault token in the client:

    Vault.token = "1234"

or authenticate with Vault using the Vault CLI:

    $ vault auth ...

or set the environment variable $VAULT_TOKEN to the token value:

    $ export VAULT_TOKEN="..."

Please refer to the documentation for more examples.
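The following is an added illustration (not the page's AppSecrets class and not the vault gem's API) of what the configuration above amounts to on the wire: a hypothetical minimal KV v2 client that builds the <namespace>/data/<key> path the policy grants, sends the token from VAULT_TOKEN in the X-Vault-Token header, unwraps the KV v2 response envelope, and refuses to start without a token, mirroring the "Disabled Example" failure. The transport is injectable so it can be exercised offline; with no transport given it talks to the dev server at VAULT_ADDR.

```ruby
require "json"
require "net/http"
require "uri"

# Hypothetical minimal KV v2 client, added here as an illustration; it is
# neither the vault gem's client nor the AppSecrets wrapper used in the console.
class KvV2Client
  class MissingTokenError < StandardError; end
  # transport: callable (verb, url, headers, body) -> [status, body_string];
  # defaults to Net::HTTP so the same code works against a real dev server.
  def initialize(namespace:, token: ENV["VAULT_TOKEN"],
                 addr: ENV.fetch("VAULT_ADDR", "http://127.0.0.1:8200"), transport: nil)
    # Same failure mode as the "Disabled Example": no token, no requests.
    raise MissingTokenError, "Missing Vault token! Set VAULT_TOKEN." if token.nil? || token.empty?
    @namespace, @token, @addr = namespace, token, addr
    @transport = transport || method(:http_transport)
  end
  # KV v2 stores secret data under <mount>/data/<key>, which is exactly the
  # prefix the policy grants; the mount root itself is not accessible.
  def path_for(key)
    "#{@addr}/v1/#{@namespace}/data/#{key}"
  end
  def write(key, values)
    status, _ = @transport.call(:post, path_for(key), headers, JSON.generate("data" => values))
    raise "write failed (HTTP #{status})" unless [200, 204].include?(status)
    values
  end
  def read(key)
    status, body = @transport.call(:get, path_for(key), headers, nil)
    return nil if status == 404
    raise "read failed (HTTP #{status})" unless status == 200
    JSON.parse(body).dig("data", "data") # unwrap the KV v2 {data: {data:, metadata:}} envelope
  end
  private
  def headers
    { "X-Vault-Token" => @token, "Content-Type" => "application/json" }
  end
  def http_transport(verb, url, hdrs, body)
    uri = URI(url)
    req = verb == :get ? Net::HTTP::Get.new(uri) : Net::HTTP::Post.new(uri)
    hdrs.each { |k, v| req[k] = v }
    req.body = body if body
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |h| h.request(req) }
    [res.code.to_i, res.body]
  end
end
```

With the dev server running and VAULT_TOKEN exported as above, KvV2Client.new(namespace: "local-secrets").write("TEST_SET", { "value" => "success" }) performs the same write as the console example.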