Configuring Vault by HashiCorp in AWS EC2

April 15, 2019

Vault Quick Start in EC2

Create an S3 Bucket for Vault

aws s3api create-bucket --bucket VAULT_BUCKET_NAME

(The bucket-creation subcommand lives under s3api, not s3. Outside us-east-1, add --create-bucket-configuration LocationConstraint=<region>.)

Create a Vault IAM User

Create an IAM user for Vault (here called Vault) and attach the following two policies to it.

Allow Vault the S3 actions its storage backend needs on the newly created bucket. Object actions apply to the keys under the bucket, while ListBucket is a bucket-level action and must be granted on the bucket ARN itself; a policy that only names VAULT_BUCKET_NAME/* will not let Vault list its own storage:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::VAULT_BUCKET_NAME/*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": ["arn:aws:s3:::VAULT_BUCKET_NAME"]
    }
  ]
}

Allow the IAM actions Vault needs, limited to the vault-* users it creates itself (replace {AWS_ACCOUNT_ID} with your account id):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachUserPolicy",
        "iam:CreateAccessKey",
        "iam:CreateUser",
        "iam:DeleteAccessKey",
        "iam:DeleteUser",
        "iam:DeleteUserPolicy",
        "iam:DetachUserPolicy",
        "iam:ListAccessKeys",
        "iam:ListAttachedUserPolicies",
        "iam:ListGroupsForUser",
        "iam:ListUserPolicies",
        "iam:PutUserPolicy",
        "iam:RemoveUserFromGroup"
      ],
      "Resource": [
        "arn:aws:iam::{AWS_ACCOUNT_ID}:user/vault-*"
      ]
    }
  ]
}
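Putting the bucket and IAM steps together, here is an added shell script that is not part of the original post. It renders both policy documents and, when run with VAULT_SETUP_APPLY=1, applies them with the AWS CLI: it creates the bucket, blocks all public access to it (a step the post does not include), creates the user, attaches both policies inline and issues the access key. The bucket name, region, account id and user name come from environment variables; the defaults are placeholders, and the account id 123456789012 is a constructed value.

```shell
#!/bin/sh
# Added example: create the Vault S3 bucket and IAM user from the quick start
# with the AWS CLI. Nothing is applied unless VAULT_SETUP_APPLY=1, so by default
# the script only renders the two policy documents for inspection.
set -eu

BUCKET="${VAULT_BUCKET_NAME:-vault-bucket-placeholder}"   # placeholder, use your own name
REGION="${AWS_REGION:-us-east-1}"
ACCOUNT_ID="${AWS_ACCOUNT_ID:-123456789012}"              # constructed placeholder id
VAULT_USER="${VAULT_IAM_USER:-vault}"

# AWS account ids are exactly 12 digits; refuse anything else before it lands in an ARN.
valid_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Storage policy: object actions on the keys plus ListBucket on the bucket itself.
# ListBucket is a bucket-level action, so a "bucket/*" resource alone does not grant it.
render_s3_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::$1/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::$1"]
    }
  ]
}
EOF
}

# Secrets-engine policy: the IAM actions from the post, limited to users Vault itself
# creates (names prefixed vault-), so the Vault user cannot touch other principals.
render_iam_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachUserPolicy", "iam:CreateAccessKey", "iam:CreateUser",
        "iam:DeleteAccessKey", "iam:DeleteUser", "iam:DeleteUserPolicy",
        "iam:DetachUserPolicy", "iam:ListAccessKeys", "iam:ListAttachedUserPolicies",
        "iam:ListGroupsForUser", "iam:ListUserPolicies", "iam:PutUserPolicy",
        "iam:RemoveUserFromGroup"
      ],
      "Resource": ["arn:aws:iam::$1:user/vault-*"]
    }
  ]
}
EOF
}

# Create the bucket, block all public access to it, then create the user with both
# policies attached inline and issue the access key Vault will use.
apply() {
  valid_account_id "$ACCOUNT_ID" || { echo "AWS_ACCOUNT_ID must be 12 digits" >&2; return 1; }
  if [ "$REGION" = "us-east-1" ]; then
    aws s3api create-bucket --bucket "$BUCKET"
  else
    aws s3api create-bucket --bucket "$BUCKET" \
      --create-bucket-configuration "LocationConstraint=$REGION"
  fi
  aws s3api put-public-access-block --bucket "$BUCKET" --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  aws iam create-user --user-name "$VAULT_USER"
  render_s3_policy "$BUCKET" > /tmp/vault-s3-policy.json
  render_iam_policy "$ACCOUNT_ID" > /tmp/vault-iam-policy.json
  aws iam put-user-policy --user-name "$VAULT_USER" --policy-name vault-s3-storage \
    --policy-document file:///tmp/vault-s3-policy.json
  aws iam put-user-policy --user-name "$VAULT_USER" --policy-name vault-aws-secrets \
    --policy-document file:///tmp/vault-iam-policy.json
  # The secret key is printed once; store it where Vault will read it, not in shell history.
  aws iam create-access-key --user-name "$VAULT_USER"
}

if [ "${VAULT_SETUP_APPLY:-0}" = "1" ]; then
  apply
else
  render_s3_policy "$BUCKET"
  render_iam_policy "$ACCOUNT_ID"
fi
```

Run it once without VAULT_SETUP_APPLY to read the rendered policies, then with VAULT_SETUP_APPLY=1 and real values exported. The inline put-user-policy calls are used so the whole setup can be removed again by deleting the one user.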

Create a New Security Group

aws ec2 create-security-group --group-name vault-sg --description Vault | jq -r '.GroupId'

Expose Ports 22 and 8200

aws ec2 authorize-security-group-ingress --group-name vault-sg --protocol tcp --port 22 --cidr '0.0.0.0/0'
aws ec2 authorize-security-group-ingress --group-name vault-sg --protocol tcp --port 8200 --cidr '0.0.0.0/0'

Where you can, replace 0.0.0.0/0 with the address range you will connect from; SSH and the Vault API on 8200 do not need to be reachable from the whole internet for this quick start to work.

Create an EC2 Instance

Create an EC2 instance from the latest AMI, using the vault-sg security group. Vault's S3 backend needs credentials for the IAM user created above: it reads them from the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables of the Vault process (or from an instance profile, if you attach a role with the same policies instead).

Wait a moment, SSH into the instance, and install Vault as follows (the commands assume a root shell; verify the download against the SHA256SUMS file HashiCorp publishes next to it before installing):

cd /tmp && wget https://releases.hashicorp.com/vault/1.1.1/vault_1.1.1_linux_amd64.zip
unzip vault_1.1.1_linux_amd64.zip
cp vault /usr/bin/vault
vault --version

Make a directory for Vault's configuration (the data itself lives in the S3 bucket):

mkdir -p /etc/vault.d

Configure Vault:

touch /etc/vault.d/vault.hcl

Add the following configuration to vault.hcl:

ui = true

listener "tcp" {
  address = "0.0.0.0:8200"
  # TLS is on by default for the tcp listener and Vault refuses to start without
  # a certificate. The paths below are placeholders for your own cert and key.
  tls_cert_file = "/etc/vault.d/vault.crt"
  tls_key_file  = "/etc/vault.d/vault.key"
}

# "storage" is the current name of this stanza; "backend" is the deprecated alias.
storage "s3" {
  bucket = "VAULT_BUCKET_NAME"
  region = "us-east-1"
}

Add a systemd service file for Vault at /etc/systemd/system/vault.service:

[Unit]
Description=Vault
Requires=network-online.target
After=network-online.target

[Service]
# Credentials for the Vault IAM user (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY),
# kept out of the unit file. The path is a placeholder; create the file with mode 0600.
# The leading "-" makes the file optional, so an instance profile works as well.
EnvironmentFile=-/etc/vault.d/vault.env
Restart=on-failure
ExecStart=/usr/bin/vault server -config /etc/vault.d/vault.hcl
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target

Start Vault (reload systemd first so that it picks up the new unit):

systemctl daemon-reload
service vault start

Find the public DNS name associated with your EC2 instance and open it in a browser on port 8200:

https://ec2-xx-xx-xx-xx.compute-1.amazonaws.com:8200
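A freshly started single-node Vault answers on 8200 but is neither initialised nor unsealed, and the /v1/sys/health endpoint reports that before you open the UI. The following script is an added example, not part of the original post: it polls the health endpoint from the instance and prints the operator step that is still missing. It assumes VAULT_ADDR (default https://127.0.0.1:8200) and a CA file at VAULT_CACERT (assumed path /etc/vault.d/vault.crt) so that curl verifies the listener's certificate instead of skipping verification. Run it with VAULT_CHECK_LIVE=1 against the real instance; without that it works through two constructed sample responses.

```shell
#!/bin/sh
# Added example: report the state of a freshly started Vault from the instance.
# A new single-node Vault answers the health endpoint but is not initialised and
# is sealed; this script turns that response into the next operator step.
set -eu

VAULT_ADDR="${VAULT_ADDR:-https://127.0.0.1:8200}"
VAULT_CACERT="${VAULT_CACERT:-/etc/vault.d/vault.crt}"   # assumed path of the listener's cert

# Pull a boolean field (initialized, sealed, standby) out of the /v1/sys/health body.
# The body is flat JSON, so a sed expression is enough and jq is not required.
health_field() {   # $1 = body, $2 = field name
  printf '%s' "$1" | sed -En "s/.*\"$2\":[[:space:]]*(true|false).*/\1/p"
}

# Reduce an HTTP code plus body to one state word. Vault's health codes are
# 200 active, 429 standby, 501 not initialised and 503 sealed; the body fields
# are checked first because they are what the code is derived from.
vault_state() {   # $1 = HTTP code, $2 = body
  if [ "$(health_field "$2" initialized)" = "false" ]; then echo uninitialized; return; fi
  if [ "$(health_field "$2" sealed)" = "true" ]; then echo sealed; return; fi
  case "$1" in
    200) echo active ;;
    429) echo standby ;;
    *)   echo "unknown-$1" ;;
  esac
}

# What the operator has to do for a given state.
next_step() {   # $1 = state
  case "$1" in
    uninitialized)  echo "run: vault operator init (keep the unseal keys and root token off the instance)" ;;
    sealed)         echo "run: vault operator unseal, once per key share up to the threshold" ;;
    active|standby) echo "ready: Vault is unsealed and serving requests" ;;
    *)              echo "investigate: unexpected health response" ;;
  esac
}

# Poll the health endpoint until Vault answers, verifying TLS against VAULT_CACERT.
# curl prints 000 as the code while the listener is not yet up.
wait_for_vault() {   # $1 = attempts, one second apart
  attempts="${1:-30}"
  while [ "$attempts" -gt 0 ]; do
    code="$(curl -s --cacert "$VAULT_CACERT" -o /tmp/vault-health.json \
              -w '%{http_code}' "$VAULT_ADDR/v1/sys/health" || true)"
    if [ -n "$code" ] && [ "$code" != "000" ]; then
      vault_state "$code" "$(cat /tmp/vault-health.json)"
      return 0
    fi
    attempts=$((attempts - 1))
    sleep 1
  done
  return 1
}

# Constructed sample bodies, shaped like the responses of a new and of a running Vault 1.1.1.
SAMPLE_NEW='{"initialized":false,"sealed":true,"standby":true,"performance_standby":false,"version":"1.1.1"}'
SAMPLE_ACTIVE='{"initialized":true,"sealed":false,"standby":false,"performance_standby":false,"version":"1.1.1"}'

if [ "${VAULT_CHECK_LIVE:-0}" = "1" ]; then
  state="$(wait_for_vault 30)" || { echo "Vault did not answer at $VAULT_ADDR" >&2; exit 1; }
  echo "state: $state"
  next_step "$state"
else
  for pair in "501 $SAMPLE_NEW" "200 $SAMPLE_ACTIVE"; do
    code="${pair%% *}"; body="${pair#* }"
    state="$(vault_state "$code" "$body")"
    echo "$code -> $state: $(next_step "$state")"
  done
fi
```

The same check is useful as a readiness probe after every restart: a service that came back "sealed" is up from systemd's point of view but will refuse every secrets request until it is unsealed again.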