HOWTO: Installing Vault on AWS Linux

howto-installing-vault-on-aws-linux.md

HOWTO: Installing Vault On an AWS Ubuntu EC2 server

This is quick howto for installing vault on AWS Linux, mostly to remind myself. At the end of this tutorial, you'll have a working vault server, using s3 for the backend, self signed certificates for tls, and supervisord to ensure that the vault server is always running, and starts on reboot.

Setting up S3

First things first, let's set up an s3 bucket to use as the storage backend for our s3 instance.

1. From the AWS Mangement Console, go to the S3 console.

2. Click on the Create Bucket button

3. Name it something

IAM Stuff

Next, let's create an IAM Policy with full access to our newly created bucket. We'll also create an IAM Role and IAM User in this step, but this should not be neccessary once Vault v5 is released.

1. From the AWS Management Console, go the IAM console.

2. Click on Policies in the sidenav

3. Click on Create Policy

4. Select S3 from the service section

5. Select All Actions (s3:*) from the Actions section

6. Open the Resources section and select Add ARN in the bucket section

7. Enter: arn:aws:s3:::<your_bucket_name>

8. Add another ARN: arn:aws:s3:::<your_bucket_name>/* (this is required to let vault manage all keys within the bucket)

9. Click Review Policy

10. Give the policy a name: s3-vault-full-access

11. Click Create Policy

Next, we create an IAM Role and attach our policy to it. We will use this role as the EC2 instance role later on.

1. Click on Roles in the side nav

2. Click Create Role

3. Under Create Role, select AWS Service and then EC2, then click Next: Permissions

4. Find our newly created s3-vault-full-access policy, select it and click Next: Tags

5. Add tags, if you want, then click Next: Review

6. Give the role a name: vault-ec2

7. Lastly, click Create Role

Create a vault user

1. Click on Users from the side nav

2. Click on Add User

3. Enter a username: vault

4. Select Programmatic access from the Select AWS access type section

5. Click Next: Permissions

6. Click Attach existing policies directly

7. Select the s3-vault-full-access policy.

8. Click Next: Tags, then Next: Review

9. Click Create User

10. Save/download the security credentials on the next screen and click Close

11. Back to the Users screen, and click on our newly created user

Launch EC2

Ok, now it's time to launch an ec2 that will act as our Vault server.

1. From the AWS Management Console, go to the EC2 console.

2. Click Launch Instance

3. Select the most recent Ubuntu Server LTS

4. Select an appropriate size, for this tutorial, I'll use a t2.nano

5. Click Next: Configure Instance Details

6. Under IAM role, select the IAM Role we created earlier (s3-vault-full-access)

7. Click Next: Add Storage

8. The default storage is fine, so click Next: Add Tags

9. Add tags, if you want

10. Click Next: Configure Security Group

11. Give your security group a name: vault

12. Give your security group a description: vault server security group

13. Click Add Rule

14. Select Custom TCP Rule and define a port range: 8200

15. Under source, for the purposes of this tutorial, select My IP. However, in production, you should restrict this port to the security groups of the servers that require access to vault.

16. Click Review and Launch

17. Click Launch

18. If you have an existing key-pair, you can use it, or create a new one and download it

19. Lastly, click Launch Instances and then View Instances

Assign a domain to the EC2 instance

Use your preferred method for pointing a domain (e.g. vault.netsensia.com) to your new EC2 instance.

Generating a Let's Encrypt certificate

1. Temporarily enable inbound ports 80 and 443 from Anywhere, and port 22 from your local machine
2. Login to the EC2 box using your generated key: e.g. ssh -i ~/Downloads/vault-key.pem [email protected]
3. Run the following commands

sudo apt-get update -y
sudo git clone https://github.com/certbot/certbot /opt/letsencrypt
cd /etc
sudo mkdir letsencrypt
cd
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto certonly --standalone --debug -d YOUR_DOMAIN
sudo bash
chown ubuntu:ubuntu /etc/letsencrypt/live/YOUR_DOMAIN/*.pem

3. Remove the inbound rules added in step 1

Note that you will need to re-instate the inbound rules to renew the certificate.

Have a job set to run each day with the following command to avoid the certicate expiring after three months, or, alternatively, wait for it to expire and then run the command.

You will need to ensure that no services such as web servers are running on port 443.

Installing Vault

Once the instance has finished initializing, it's time to download the Vault binary and unpack it.

1. update the instance

sudo apt-get -y update

2. install Vault (find the latest binary on the vault project page)

cd
wget https://releases.hashicorp.com/vault/1.1.0/vault_1.1.0_linux_amd64.zip

3. unzip it

sudo apt-get install unzip
unzip vault_1.1.0_linux_amd64.zip

4. move the binary

sudo mv vault /usr/local/bin/vault

5. verify that Vault is ready to go

vault version

6. create the vault configuration file

touch vault-config.hcl

7. edit the file

vi vault-config.hcl

8. define the vault configuration like so.

listener "tcp" {
    address = "0.0.0.0:8200"
    tls_cert_file="/home/ec2-user/.ssl/server.crt"
    tls_key_file="/home/ec2-user/.ssl/server.key"
}

backend "s3" {
    bucket = "<your_bucket_name>"
    region = "eu-west-2"
}

disable_mlock=true

Installing supervisord

Next, we install supervisord, which will simplify the whole "let's get Vault running as a service, and have it start on reboot, blah blah blah"

1. install supervisor

sudo apt-get install -y supervisor

2. create a new supervisord configuration file

echo_supervisord_conf > supervisord.conf

3. modify the configuration file

   • under [unix_http_server]
     • change ;chmod=0700 to chmod=0766
   • change the ;[program:theprogramname] header to [program:vault]
   • under [program:vault]
     • change ;command=/bin/cat to command=/usr/local/bin/vault server -config=/home/ubuntu/vault-config.hcl
     • change ;user=chrism to user=ubuntu
     • change ;autostart=true to autostart=true
     • change ;environment=A="1",B="2" to environment=AWS_ACCESS_KEY_ID="<your_access_key_id>",AWS_SECRET_ACCESS_KEY="<your_secret_access_key>", where <your_access_key_id> and <your_secret_access_key> are the credentials you downloaded/wrote down when we created the vault user.

4. Move the file

sudo mv supervisord.conf /etc/supervisor/

5. add the supervisor init script to chkconfig services

sudo update-rc.d supervisord defaults

5. start the supervisord service

sudo service supervisor start
supervisorctl

Initialise the vault

Exit out of the Linux VM

exit

Create a key, require only the one key to unseal the vault.

export VAULT_ADDR=<vault url>:8200
vault init -key-shares=1 -key-threshold=1

Hi,
The last step before initializing Vault has failed for me. Calling "supervisorctl" resulted
"FATAL Exited too quickly (process log may have details)". Any idea what can be the reason or how to troubleshoot it?

Thanks,
Yossi