You will most likely know that HashiCorp Cloud Platform (HCP) allows the creation of a cloud-based Consul deployment on the AWS and Azure clouds. This enables a quick and significantly easier deployment of that product into service, removing a steep learning curve on the way to value. On the 14th of January HashiCorp doubled the number of products available to two with the announcement that Vault, their secret, identity, key and token management product, is now available on HCP as a public beta.
HashiCorp Vault has until now only been available as a single binary download for installation as part of a private deployment, either locally in a traditional on-premises environment or in the public cloud on virtual machines or containers. Like the majority of HashiCorp products, it has a rather steep learning curve to deploy in a resilient manner. To be fair, they significantly reduced the complexity of the product with version 1.4, which introduced the Raft consensus algorithm to manage backend secret storage across nodes. Prior to that release, if you wanted to build a resilient Vault cluster you also had to understand their Consul product.
By moving Vault to a cloud-based architecture, AWS in the first instance, they lowered the administrative barrier by removing the overhead commensurate with managing the infrastructure. There is no need to weigh the benefits and downsides of virtual machines versus containers, single node versus multi-node, or on-site versus managed in your own cloud tenancy. Your organisation can concentrate on using it rather than running it. Because it is in HCP it will be multi-node and fully managed.
The first thing to remember is that this is currently only a beta product. As such it is currently only available on AWS, running in us-west-2, but it is fully expected that further regions will be supported as the beta continues, and that Vault will appear on HCP on Azure in the future, as happened with Consul. Just like a traditional Vault deployment, you can also enable secure networking for workloads across EKS, EC2, AWS Lambda, and many other AWS services.
How easy is it to deploy your new Vault Cluster?
Signing up to HCP is simple: navigate to portal.cloud.hashicorp.com/sign-in
If you already have an account, simply log in; if not, click the link titled “free account”.
Tick the two checkboxes and click the Sign up button.
As with the vast majority of HashiCorp services, it integrates fully with your GitHub credentials, assuming that you have one. Once you have logged in you are asked to add a payment method; this is not necessary at this time and you can skip past it. You will receive an email from HashiCorp requesting verification of your account. Once done you will be presented with the following website.
You will notice that there is a $20 credit; this is yours to play with. OK, let's create a Vault deployment within HCP. Click on the “Deploy Vault” button.
Enter your desired network name; we chose “Amazic-Test-Deployment”. If you click on the dropdown box under Region selection you will notice that although HCP is available in multiple regions, as expected you can only select a single region, Oregon (us-west-2). For ease we are not changing the CIDR. To progress, click “Create Network”.
Once complete, click on the “HashiCorp Virtual Network” link and you will find that this area is now populated with the details you entered.
Before we move on to the creation of the Vault service, we will detail a little of what has gone on behind the scenes during the creation of the virtual network.
One of the main components of the HashiCorp Cloud Platform is the HashiCorp Virtual Network (HVN). This is a common platform that provides a single abstraction layer between all presented services and cloud providers, built around an isolated single-tenant network.
Each organization (or tenant) within HCP is isolated into a separate AWS account. HCP then deploys a single-tenant VPC for each HashiCorp Virtual Network (HVN). All HCP resources are then deployed into that HCP Virtual Network, which ensures tenant isolation.
Let’s create a Vault instance on our new HCP tenant
Here we have two options: we can either click the “+ Create Cluster” button on the form already presented, or navigate to the Vault section of HCP via the “Vault” link and click the same “+ Create Cluster” button there. Both buttons lead to the same workflow.
Enter your desired cluster name.
You will notice that we have selected the option to connect to the Vault cluster from an external location. This is not recommended for production environments, but as this is a test deployment it is not too great an issue. Click “Create Cluster” to continue the service deployment.
The cluster creation takes approximately 15 minutes, so it’s time to grab your favorite beverage and snack and relax for a short while. Once complete you will be shown something similar to what is shown below.
Now that the initial deployment has completed, your environment is fully managed by HashiCorp. HashiCorp manages the Vault instance’s overall health, snapshots, monitoring, and a plethora of other operational tasks, all of which are handled in the background by the engineering teams that build and maintain the core Vault product. Operational issues can be resolved efficiently since logs are readily available to operators. An added advantage is that you, as the consumer of the service, do not even have to worry about cloud provider maintenance events that can often cause a virtual machine to be decommissioned, as these are also dealt with automatically on your behalf.
Once the Vault cluster is deployed by HCP, you can interact with it using a generated admin-level token. To create this token, click the rather obviously named “+ Create Token” button.
To gain access to the token, click the copy icon to collect it. However, unlike with a private instance, there is no need to store this token: it only has a time to live of 6 hours and as such is a throwaway artifact. But worry not, as you can re-generate this token from the HCP console. Once the token is generated and copied, let us log in to our newly created instance.
To access the web UI, click on the link titled “public” to copy the cluster URL, then load it into your favorite browser and use the token you generated earlier to log into your instance.
And hey presto, you are now logged into your Vault instance. You can interact with it just like any other Vault instance, either via the GUI or via the command line.
Here we have the familiar Vault GUI interface, where you can enable your secrets engines and create policies in exactly the same way as you did in your private environment. You can also use the Vault CLI (which talks to the same API) to create secrets, as shown below. Note the VAULT_NAMESPACE of “admin”, which HCP Vault requires.
$ export VAULT_ADDR="https://[AWS_VAULT_CLUSTER_ADDRESS_HERE]:8200"
$ export VAULT_NAMESPACE="admin"
$ export VAULT_TOKEN=[ENTER_TOKEN_HERE]
$ vault secrets enable -path=kv kv
Success! Enabled the kv secrets engine at: kv/
$ vault kv put kv/hello public=beta
Success! Data written to: kv/hello
$ vault kv get kv/hello
===== Data =====
Key       Value
---       -----
public    beta
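The same exchange driven from a script, as an added example (not HCP's or HashiCorp's code): it sends the two HCP-specific headers that VAULT_TOKEN and VAULT_NAMESPACE stand for, checks how much of the admin token's 6-hour life remains before doing work, and reads and writes the kv/hello secret. The cluster address and token are placeholders, and the network reply is a constructed stand-in so the flow runs offline.

```python
"""Added example, not HCP/HashiCorp code. Cluster address, token and the
fake_opener replies are constructed placeholders."""
import json
import urllib.request

NAMESPACE = "admin"  # HCP Vault clusters expose the admin namespace


def build_headers(token, namespace=NAMESPACE):
    """Headers every HCP Vault call needs (same as VAULT_TOKEN/VAULT_NAMESPACE)."""
    return {"X-Vault-Token": token, "X-Vault-Namespace": namespace}


def vault_request(addr, token, path, method="GET", body=None, opener=None):
    """One API call under /v1/; returns parsed JSON, or {} for an empty reply.
    `opener` stands in for urllib.request.urlopen so this can run offline."""
    url = f"{addr.rstrip('/')}/v1/{path.lstrip('/')}"
    data = json.dumps(body).encode() if body is not None else None
    headers = build_headers(token)
    if data is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    raw = (opener or urllib.request.urlopen)(req).read()
    return json.loads(raw) if raw else {}


def remaining_ttl(lookup_response):
    """Seconds left on the token, from auth/token/lookup-self (data.ttl)."""
    return int(lookup_response["data"]["ttl"])


def token_usable(addr, token, min_seconds=600, opener=None):
    """True if the admin token still has at least min_seconds of life;
    HCP admin tokens expire after 6 hours, so check before a long job."""
    info = vault_request(addr, token, "auth/token/lookup-self", opener=opener)
    return remaining_ttl(info) >= min_seconds


def kv_put(addr, token, path, pairs, opener=None):
    """Write key/value pairs to a kv v1 engine (like `vault kv put`)."""
    return vault_request(addr, token, path, method="POST", body=pairs, opener=opener)


def kv_get(addr, token, path, opener=None):
    """Read a kv v1 secret (like `vault kv get`); returns the data map."""
    return vault_request(addr, token, path, opener=opener)["data"]


class _FakeResponse:  # constructed stand-in for urllib's HTTPResponse
    def __init__(self, payload):
        self._raw = json.dumps(payload).encode() if payload is not None else b""

    def read(self):
        return self._raw


def fake_opener(req):
    """Constructed replies: a token with 5 of its 6 hours left, a kv v1 store."""
    if req.full_url.endswith("/v1/auth/token/lookup-self"):
        return _FakeResponse({"data": {"ttl": 5 * 3600, "creation_ttl": 6 * 3600}})
    if req.get_method() == "POST":
        return _FakeResponse(None)  # kv v1 write returns 204 No Content
    return _FakeResponse({"data": {"public": "beta"}})
```

Replace `opener=fake_opener` with the default to talk to a real cluster; against HCP the same calls succeed only with the admin namespace header present.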
So what are you waiting for? Jump on the public beta today: it is free of charge and they even give you $20 in cloud credit to help you get started.
In my next post we will look at migrating our current Vault environment, running an earlier version of Vault on AWS, into HCP, and then verifying that our Terraform scripts will still run against AWS using credentials created from the HCP-based Vault.