Reputation: 87
I am following the AWS Quickstart guide here: https://aws-quickstart.s3.amazonaws.com/quickstart-hashicorp-vault/doc/hashicorp-vault-on-the-aws-cloud.pdf.
When my CloudFormation stacks are deployed, I can ssh into Bastion, then ssh into Vault to initialize and unseal the vaults. However, I don't understand how I'm supposed to read and write secrets from my local machine into Vault using the Vault HTTP API. Is this possible?
Upvotes: 0
Views: 445
Reputation: 141
As mentioned in the AWS QuickStart, you'll want to set up port forwarding via an SSH tunnel on the bastion host to communicate from your local machine to Vault (the idea being for Vault to be network-isolated from the public internet to reduce potential attack footprint). There are examples of how to set up port forwarding on Linux or on Windows.
Alternatively, your use case may not actually require Vault to be network isolated, in which case you can set the EC2 instance to have a public IP, and open port 8200 on the firewall (either to the entire internet or a specific subset of hosts). In this case, administrative access via SSH would still happen via the bastion host, but you can utilize the HTTP API / vault CLI directly from your machine.
Hope this helps!
Upvotes: 1
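As an added example (not from the Quick Start or from the answer above), here is the tunnel approach end to end as a shell script: it opens an `ssh -L` forward through the bastion, checks Vault's unauthenticated health endpoint so you know whether the cluster is still sealed or uninitialized, and then writes and reads a secret over the HTTP API through the tunnel. The bastion login `ec2-user@...`, the Vault private IP, the placeholder addresses and the assumption that `secret/` is a KV v2 mount are all mine; replace them for your stack, and set `VAULT_TOKEN` in the environment before the write/read calls.

```shell
#!/usr/bin/env bash
# Added example, not part of the AWS Quick Start or the answer above.
# Reach Vault's HTTP API from a workstation by forwarding a local port through
# the bastion host with ssh -L. The bastion login, the Vault private IP and the
# KV v2 mount at "secret/" are assumptions; replace the placeholders before use.
set -eu

BASTION="${BASTION:-ec2-user@BASTION_PUBLIC_IP_PLACEHOLDER}"
VAULT_PRIVATE_IP="${VAULT_PRIVATE_IP:-VAULT_PRIVATE_IP_PLACEHOLDER}"
LOCAL_PORT="${LOCAL_PORT:-8200}"
# Both the vault CLI and curl talk to the near end of the tunnel.
export VAULT_ADDR="http://127.0.0.1:${LOCAL_PORT}"

# Open the tunnel in the background. -N: no remote shell; -L: bind a local
# port that ssh carries to Vault's listener inside the VPC. Binding 127.0.0.1
# explicitly keeps other hosts on your LAN from riding the tunnel.
open_tunnel() {
  ssh -N -L "127.0.0.1:${LOCAL_PORT}:${VAULT_PRIVATE_IP}:8200" "$BASTION" &
  TUNNEL_PID=$!
  trap 'kill "$TUNNEL_PID" 2>/dev/null || true' EXIT
  # Wait until the local port accepts connections (about 10 s max). Any HTTP
  # status counts here, including the 503 Vault returns while sealed.
  for _ in $(seq 1 20); do
    curl -s -o /dev/null "${VAULT_ADDR}/v1/sys/health" && return 0
    sleep 0.5
  done
  echo "tunnel did not come up" >&2
  return 1
}

# /v1/sys/health needs no token and reports initialized/sealed state.
# Classify the JSON body so a script stops before trying to touch secrets
# on a sealed or uninitialized cluster. Order matters: an uninitialized
# cluster also reports sealed=true.
classify_health() {
  case "$1" in
    *'"initialized":false'*) echo uninitialized ;;
    *'"sealed":true'*)       echo sealed ;;
    *'"sealed":false'*)      echo ok ;;
    *)                       echo unknown ;;
  esac
}

check_vault() {
  classify_health "$(curl -s "${VAULT_ADDR}/v1/sys/health")"
}

# Write and read a KV v2 secret over the HTTP API. VAULT_TOKEN must already be
# set in the environment. Values are embedded in JSON without escaping, so
# keep them free of quotes and backslashes in this demo.
write_secret() {  # write_secret <path> <key> <value>
  curl -s -H "X-Vault-Token: ${VAULT_TOKEN}" -X POST \
    --data "{\"data\":{\"$2\":\"$3\"}}" \
    "${VAULT_ADDR}/v1/secret/data/$1"
}

read_secret() {   # read_secret <path>
  curl -s -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secret/data/$1"
}

# Run end to end only when asked, so the file can also be sourced for its
# functions without opening a tunnel.
if [ "${RUN_TUNNEL:-0}" = "1" ]; then
  open_tunnel
  state="$(check_vault)"
  [ "$state" = "ok" ] || { echo "vault is $state; unseal it first" >&2; exit 1; }
  write_secret demo/app db_password 'example-value'
  read_secret demo/app
fi
```

Run it with `RUN_TUNNEL=1 BASTION=ec2-user@<bastion-ip> VAULT_PRIVATE_IP=<vault-ip> VAULT_TOKEN=<token> ./vault-tunnel.sh`. Because `VAULT_ADDR` points at the local end of the tunnel, the plain `vault kv put` / `vault kv get` CLI commands work through the same forward once `open_tunnel` has returned; the curl calls just show what the CLI is doing on the wire.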
Reputation: 3038
You need to set up a proxy, for example as described here (you can use the bastion host).
Also, you need to configure your local machine to use this proxy in the CLI:
export http_proxy=<your_instance_ip:port>
After that, your vault commands will use this proxy for connecting to Vault inside AWS.
Upvotes: 1