This is quick howto for installing vault on AWS Linux, mostly to remind myself. At the end of this tutorial, you'll have a working vault server, using s3 for the backend, self signed certificates for tls, and supervisord to ensure that the vault server is always running, and starts on reboot.
First things first, let's set up an s3 bucket to use as the storage backend for our s3 instance.
-
From the AWS Mangement Console, go to the S3 console.
-
Click on the
Create Bucket
button -
Name it something
Next, let's create an IAM Policy with full access to our newly created bucket. We'll also create an IAM Role and IAM User in this step, but this should not be neccessary once Vault v5 is released.
-
From the AWS Management Console, go the IAM console.
-
Click on Policies in the sidenav
-
Click on Create Policy
-
Select the Policy Generator option, because it's easy.
-
Select Amazon S3 from the AWS Service dropdown
-
Select All Actions (*) from the Actions dropdown
-
Enter the Amazon Resource Name:
arn:aws:s3:::<your_bucket_name>
-
Click Add Statement
-
Next, repeat steps 5-8, except use the following ARN:
arn:aws:s3:::<your_bucket_name>/*
(this is required to let vault manage all keys within the bucket) -
Click Next Step
-
Give the policy a name:
s3-vault-full-access
-
Click
Add Policy
Next, we create an IAM Role and attach our policy to it. We will use this role as the EC2 instance role later on.
-
Click on Roles in the side nav
-
Click Create New Role
-
Give the role a name:
vault-ec2
-
Click
Next Step
-
Under Select Role Type, select Amazon EC2 from the AWS Service Roles section
-
Attach our newly created
s3-vault-full-access
policy to the role and click Next Step -
Lastly, review our role, and click Create Role
Lastly, due to a bug in the current version of vault (v4.1), we create a new user and assign the policy to it. We will then generate access keys for this user to use when initializing vault.
-
Click on Users from the side nav
-
Click on Create New Users
-
Enter a username:
vault
and click Create -
Save/download the security credentials on the next screen
-
Back to the Users screen, and click on our newly created user
-
Under the Permissions tab, click Attach Policy
-
Select the
s3-vault-full-access
policy and attach it.
Ok, now it's time to launch an ec2 that will act as our Vault server.
-
From the AWS Management Console, go to the EC2 console.
-
Click Launch Instance
-
Select the most recent Amazon Linux AMI, usually at the top
-
Select an appropriate size, for this tutorial, I'll use a t2.nano
-
Click Next: Configure Instance Details
-
Under IAM role, select the IAM Role we created earlier (
vault-ec2
) -
Click Next: Add Storage
-
The default storage is fine, so click Next: Tag Instance
-
Give your instance a name tag:
vault
-
Click Next: Configure Security Group
-
Give your security group a name:
vault
-
Give your security group a description:
vault server security group
-
Click Add Rule
-
Select Custom TCP Rule and define a port range:
8200
-
Under source, for the purposes of this tutorial, select My IP. However, in production, you should restrict this port to the security groups of the servers that require access to vault.
-
Click Review and Launch
-
Click Launch
-
If you have an existing key-pair, you can use it, or create a new one and download it
-
Lastly, click Launch Instance and then View Instances
Now, we're going to generate a self-signed certificate to use with vault. You can go ahead and skip this step if you already have an ssl certificate to use. Note: these steps were taken from http://www.akadia.com/services/ssh_test_certificate.html
- Create a directory to hold the ssl stuff
mkdir .ssl && cd .ssl
- Generate a private key, remember the password you use
openssl genrsa -des3 -out server.key 1024
- Generate a CSR (Certificate Signing Request). This will prompt you to enter some details, go ahead and skip the challenge password part by pressing
enter
.
openssl req -new -key server.key -out server.csr
- Remove passhprase from key
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
- Generate a Self-Signed Certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
- Minor cleanup, discard the temporary key file
rm server.key.org && cd
Once the instance has finished initializing, it's time to download the Vault binary and unpack it.
- ssh into the ec2 instance
ssh -i <path/to/key.pem> ec2-user@<ec2-dns>
note: if this is a new key, you may receive a permission denied error, in which case, modify the key permissions and try again.
chmod 0700 <path/to/key.pem>
- update the instance
sudo yum update
- install Vault (find the latest binary on the vault project page)
wget https://releases.hashicorp.com/vault/0.4.1/vault_0.4.1_linux_amd64.zip
- unzip it
unzip vault_0.4.1_linux_amd64.zip
- move the binary
sudo mv vault /usr/local/bin/vault
- verify that Vault is ready to go
vault version
- create the vault configuration file
touch vault-config.hcl
- edit the file
nano vault-config.hcl
- define the vault configuration like so
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file="/home/ec2-user/.ssl/server.crt"
tls_key_file="/home/ec2-user/.ssl/server.key"
}
backend "s3" {
bucket = "<your_bucket_name>"
region = "us-west-2"
}
disable_mlock=true
- exit and save (control+x to exit, y to save)
Next, we install supervisord, which will simplify the whole "let's get Vault running as a service, and have it start on reboot, blah blah blah"
- install
supervisor
sudo easy_install supervisor
- create a new
supervisord
configuration file
echo_supervisord_conf > supervisord.conf
- modify the configuration file
- under
[unix_http_server]
- change
;chmod=0700
tochmod=0766
- change
- change the
;[program:theprogramname]
header to[program:vault]
- under
[program:vault]
- change
;command=/bin/cat
tocommand=vault server -config=/home/ec2-user/vault-config.hcl
- change
;user=chrism
touser=ec2-user
- change
;environment=A="1",B="2"
toenvironment=AWS_ACCESS_KEY_ID="<your_access_key_id",AWS_SECRET_ACCESS_KEY="<your_secret_access_key>"
, where<your_access_key_id>
and<your_secret_access_key>
are the credentials you downloaded/wrote down when we created thevault
user.
- change
- under
Lastly, we need to configure supervisord
to start on init.
- create a new init script
sudo touch /etc/init.d/supervisord
- edit the file contents:
#!/bin/sh
# Amazon Linux AMI startup script for a supervisor instance
#
# chkconfig: 2345 80 20
# description: Autostarts supervisord.
# Source function library.
. /etc/rc.d/init.d/functions
supervisorctl="/usr/local/bin/supervisorctl"
supervisord="/usr/local/bin/supervisord"
name="supervisor-python"
[ -f $supervisord ] || exit 1
[ -f $supervisorctl ] || exit 1
RETVAL=0
start() {
echo -n "Starting $name: "
$supervisord -c /home/ec2-user/supervisord.conf
RETVAL=$?
echo
return $RETVAL
}
stop() {
echo -n "Stopping $name: "
$supervisorctl shutdown
RETVAL=$?
echo
return $RETVAL
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
esac
exit $REVAL
- make the init script executable
sudo chmod +x /etc/init.d/supervisord
- add the supervisor init script to chkconfig services
sudo chkconfig --add supervisord
- start the supervisord service
sudo service supervisord start
supervisorctl
I got an error on the last line