Reenu Xavier

Reputation: 11

Steps to be followed to run Vault as a service (Vault starts when the server starts). Also, does the root token need to be permanent?

I have followed many pages that asked me to write the service file. But each time the server is initialized, it triggers a new root token. Vault needs to be installed in a production environment, and the root token should always be the same, as our application uses it.

Upvotes: 1

Views: 2241

Answers (2)

Nathan Basanese

Reputation: 8876

First, get a Consul Backend in place.

Add this file to /etc/vault.d/vault.hcl:

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

listener "tcp" {
 address     = "127.0.0.1:8200"
 tls_disable = 1
}

The storage "consul" {} stanza tells Vault to use Consul as a back-end.

https://learn.hashicorp.com/vault/getting-started/deploy#configuring-vault

To install Consul, just follow the directions from HashiCorp:

To install Consul, find the appropriate package for your system and download it. Consul is packaged as a zip archive.

After downloading Consul, unzip the package. Consul runs as a single binary named consul. Any other files in the package can be safely removed and Consul will still function.

The final step is to make sure that the consul binary is available on the PATH. See this page for instructions on setting the PATH on Linux and Mac. This page contains instructions for setting the PATH on Windows.

Starting a local Consul instance takes only a few minutes. Just follow the Consul Getting Started Guide up to the point where you have installed Consul and started it with this command:

$ consul agent -dev

After you have Consul, there are publicly available SystemD unit files available that you can install.

If you have a Consul back-end in place, I've used something like the following when I want Vault to "start when the server starts":

#!/usr/bin/env bash

# The heredoc delimiter is quoted ('EOF') so that $MAINPID reaches systemd
# unexpanded; systemd fills it in at reload time.
sudo bash -c "cat >/etc/systemd/system/vault.service" << 'EOF'
[Unit]
Description=SystemD Vault Service
[Service]
Restart=on-failure
PermissionsStartOnly=true
# Vault needs CAP_IPC_LOCK to mlock its memory; grant it on the binary before start.
ExecStartPre=/sbin/setcap 'cap_ipc_lock=+ep' /usr/local/bin/vault
ExecStart=/usr/local/bin/vault server -config /etc/vault.d
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM
User=vault
Group=vault
[Install]
WantedBy=multi-user.target
EOF

sudo chmod 0664 /etc/systemd/system/vault*

https://github.com/v6/super-duper-vault-train/blob/develop/vaultsystemd.sh#L4-L20

For further reading, though, I recommend doing your own research to find something to fit your use case:

https://duckduckgo.com/?q=vault+systemd+scripts

https://groups.google.com/forum/#!topic/vault-tool/E6Ny7SKx5x0

Finally, if you want to try out a cluster with Vault and Consul running in non-dev mode, I not-so-humbly recommend trying out the Vagrantfile I've been using:

https://github.com/v6/super-duper-vault-train#vagrant

Upvotes: 1
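The answer above gives a vault.hcl and a unit file; the script below (an added example, not Nathan's script or anything from the super-duper-vault-train repository) renders both into a directory of your choice and then checks the unit for the directives a production install should carry: ordering after consul.service, CAP_IPC_LOCK granted to the process through systemd rather than by setcap on the binary, and systemd's sandboxing options. The paths, the `vault` user and group, and the directive list are assumptions to adjust for your hosts.

```shell
#!/usr/bin/env bash
# Added example (assumptions: /usr/local/bin/vault, /etc/vault.d/vault.hcl,
# a "vault" system user and group, Consul agent on 127.0.0.1:8500).
set -eu

# Write a vault.hcl that uses the local Consul agent as storage.
write_vault_hcl() {
  dest="$1"
  cat >"$dest/vault.hcl" <<'EOF'
# Storage: the local Consul agent; Vault's data lives under the "vault/" KV prefix.
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

# Listener: loopback only. tls_disable = 1 means plaintext; configure
# tls_cert_file/tls_key_file before exposing this beyond localhost.
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
EOF
}

# Write the unit. Compared with a minimal unit it starts after Consul, grants
# CAP_IPC_LOCK to the process (so no setcap on the binary is needed), and
# sandboxes the process so a compromised Vault cannot touch the rest of the host.
write_vault_unit() {
  dest="$1"
  cat >"$dest/vault.service" <<'EOF'
[Unit]
Description=HashiCorp Vault (Consul storage)
Wants=consul.service
After=network-online.target consul.service

[Service]
User=vault
Group=vault
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
LimitMEMLOCK=infinity
# mlock needs CAP_IPC_LOCK; hand it to the process, not to the binary on disk.
CapabilityBoundingSet=CAP_IPC_LOCK
AmbientCapabilities=CAP_IPC_LOCK
SecureBits=keep-caps
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Return non-zero unless every required directive is present in the unit file.
check_vault_unit() {
  unit="$1"
  for directive in 'User=vault' 'AmbientCapabilities=CAP_IPC_LOCK' \
                   'NoNewPrivileges=yes' 'After=.*consul.service'; do
    grep -q "^$directive" "$unit" || { echo "missing: $directive" >&2; return 1; }
  done
}

main() {
  dest="${1:-$(mktemp -d)}"
  write_vault_hcl "$dest"
  write_vault_unit "$dest"
  check_vault_unit "$dest/vault.service"
  echo "rendered into $dest: copy vault.hcl to /etc/vault.d/ and vault.service to" \
       "/etc/systemd/system/, then run: systemctl daemon-reload && systemctl enable --now vault"
}

main "$@"
```

Run it with a directory argument (or none, to use a temp dir), inspect the two files, then install them as root. The check function is deliberately strict: it is the kind of gate you would put in a configuration-management test so a unit that drops `User=` or the capability directives never reaches a server.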

Colin Nicholson

Reputation: 1379

It sounds like you are running Vault in Dev mode, with the -dev switch...?

You need to initialise permanently with vault operator init.

Also, your application should not use the root token - use AppRole to authenticate your app.

Upvotes: 1
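To show what "use AppRole instead of the root token" looks like in practice, here is an added example (not Colin's, and not HashiCorp's own code): after the one-time `vault operator init` has been run and the root token put away, an operator enables AppRole, writes a read-only policy for one secret path, and creates a role; the deployment then fetches a static role_id and a short-lived, single-use secret_id, and the application exchanges those for a token that carries only that policy. It needs the `vault` CLI plus `VAULT_ADDR` and an admin `VAULT_TOKEN` in the environment; without them it only prints the rendered policy. The role name `myapp`, the policy name and the secret path are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Assumptions: vault CLI on PATH, VAULT_ADDR/VAULT_TOKEN set for
# the operator steps, KV v2 mounted at secret/, role and policy named "myapp".
set -eu

ROLE="${APP_ROLE:-myapp}"
SECRET_PATH="${APP_SECRET_PATH:-secret/data/myapp/*}"

# Render a least-privilege policy: read-only on one KV path, nothing else.
app_policy_hcl() {
  path="$1"
  printf 'path "%s" {\n  capabilities = ["read"]\n}\n' "$path"
}

# One-time operator setup: enable AppRole, write the policy, create a role
# bound to it with short-lived tokens and a single-use, short-lived secret_id.
approle_setup() {
  vault auth list -format=json | grep -q '"approle/"' || vault auth enable approle
  app_policy_hcl "$SECRET_PATH" | vault policy write "$ROLE" -
  vault write "auth/approle/role/$ROLE" \
    token_policies="$ROLE" \
    token_ttl=1h token_max_ttl=4h \
    secret_id_ttl=10m secret_id_num_uses=1
}

# What the deployment pipeline hands the app: the static role_id and a fresh
# secret_id. Deliver them over separate channels so neither alone is enough.
approle_credentials() {
  role_id="$(vault read -field=role_id "auth/approle/role/$ROLE/role-id")"
  secret_id="$(vault write -f -field=secret_id "auth/approle/role/$ROLE/secret-id")"
  printf 'ROLE_ID=%s\nSECRET_ID=%s\n' "$role_id" "$secret_id"
}

# What the app does at start-up: exchange the pair for a policy-scoped token.
approle_login() {
  vault write -field=token auth/approle/login role_id="$1" secret_id="$2"
}

main() {
  if ! command -v vault >/dev/null 2>&1 || [ -z "${VAULT_ADDR:-}" ]; then
    echo "vault CLI or VAULT_ADDR not available; printing the policy only" >&2
    app_policy_hcl "$SECRET_PATH"
    return 0
  fi
  approle_setup
  creds="$(approle_credentials)"
  role_id="$(printf '%s\n' "$creds" | sed -n 's/^ROLE_ID=//p')"
  secret_id="$(printf '%s\n' "$creds" | sed -n 's/^SECRET_ID=//p')"
  token="$(approle_login "$role_id" "$secret_id")"
  # The app token must carry the app policy, never root.
  if VAULT_TOKEN="$token" vault token lookup -format=json | grep -q "\"$ROLE\""; then
    echo "app token carries policy '$ROLE' only (plus default)"
  else
    echo "unexpected policies on app token" >&2
    return 1
  fi
}

main "$@"
```

The root token from `vault operator init` is used for nothing beyond this bootstrap and creating an admin policy; the application only ever sees the AppRole token, which expires on its own and can be revoked without touching the root credential.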
