Published: Feb 5, 2019 by Isaac Johnson
While Vault can be installed on a variety of platforms (www.vaultproject.io/downloads.html), one very straightforward approach that will work for later cloud migration is to use the published Docker container.
To start, you will still need to download the Vault binary for your local machine in order to use the Vault client.
$ docker run -p 8200:8200 --cap-add=IPC_LOCK -d --name=dev-vault vault
# If you’ve already launched in the past but don’t see it running with docker ps, just start your vault:
$ docker start dev-vault
# If you want to force a token (for automation later, this will become useful):
$ docker run -p 8200:8200 --cap-add=IPC_LOCK -e 'VAULT_DEV_ROOT_TOKEN_ID=5l8v34FMhOVBozD9IAAkHREj' vault
==> Vault server configuration:
Api Address: http://0.0.0.0:8200
Cgo: disabled
Cluster Address: https://0.0.0.0:8201
Once launched, verify your container is listening on 8200, then log in with vault login.
#determine the IP
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
44597b284377 vault "docker-entrypoint.s…" 2 minutes ago Up 2 minutes 0.0.0.0:8200->8200/tcp vigorous_darwin
#login
vault login -address=http://0.0.0.0:8200
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token 5l8v34FMhOVBozD9IAAkHREj
token_accessor 5g5IJ5WZtfIrQ7KpWhFBWELq
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]
One can create a credential file (plain text) and pass it in with “-” for non-interactive sessions.
You may also use the REST API to log in non-interactively (everything you can do in the CLI can be done via the API).
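Both non-interactive paths described above, as an added example that is not from the original post: the token is read from a plain-text file only if no other user can read it, then passed to vault login on stdin with "-" or sent to the REST API in the X-Vault-Token header. The function names, the token file path and the address in the usage comment are assumptions for a local dev container.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive Vault login
# from a plain-text token file. All function names here are hypothetical.

# Print the octal permission bits of a file (GNU stat first, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the token file is a non-empty regular file with no
# group or other access, since it holds a root token in plain text.
token_file_ok() {
    [ -f "$1" ] && [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *) echo "refusing $1: run chmod 600 on it first" >&2; return 1 ;;
    esac
}

# CLI path: "-" makes vault login read the token from stdin, so the token
# never appears in shell history or the process list.
# $1 = Vault address, $2 = token file
vault_login_from_file() {
    token_file_ok "$2" || return 1
    vault login -address="$1" - < "$2"
}

# REST path: look the token up through the HTTP API. The header is fed to
# curl on stdin (-H @-, curl 7.55.0 or later) rather than on its command line.
# $1 = Vault address, $2 = token file
vault_lookup_self() {
    token_file_ok "$2" || return 1
    printf 'X-Vault-Token: %s\n' "$(cat "$2")" |
        curl -sS -H @- "$1/v1/auth/token/lookup-self"
}

# Usage (assumed path and address, not run here):
#   umask 077; printf '%s\n' "$TOKEN" > ~/.vault-dev-token
#   vault_login_from_file http://127.0.0.1:8200 ~/.vault-dev-token
#   vault_lookup_self     http://127.0.0.1:8200 ~/.vault-dev-token
```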
One of the nice benefits of running containerized Vault is that you can run multiple instances simultaneously in developer mode simply by addressing each container by its own IP.
# using pod ip
docker inspect zen_chatterjee | grep IPAddress
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.2",
"IPAddress": "172.17.0.2",
$ sudo ifconfig lo0 alias 172.17.0.2
$ sudo vi /etc/hosts
$ cat /etc/hosts | grep vault.local
172.17.0.2 vault.local
$ vault login -address=http://vault.local:8200
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token 5l8v34FMhOVBozD9IAAkHREj
token_accessor 5g5IJ5WZtfIrQ7KpWhFBWELq
Vault binaries are built for a variety of platforms. While our examples above are using Mac and Linux, Windows works just as well:
D:\Vault>vault server -dev
==> Vault server configuration:
Api Address: http://127.0.0.1:8200
Cgo: disabled
Cluster Address: https://127.0.0.1:8201
Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: (not set)
Mlock: supported: false, enabled: false
Storage: inmem
Version: Vault v1.0.1
Version Sha: 08df121c8b9adcc2b8fd55fc8506c3f9714c7e61
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.
You may need to set the following environment variable:
$ set VAULT_ADDR=http://127.0.0.1:8200
Using the Windows Subsystem for Linux in Windows 10, you can use the Linux binary as well.
You can see various server configurations here: https://www.vaultproject.io/docs/configuration/
One can now also install Vault into Kubernetes. This first requires a running Consul instance (which now has a Helm chart as well):
Consul Helm Chart: https://github.com/helm/charts/tree/master/stable/consul
Vault Helm Chart: https://github.com/helm/charts/tree/master/incubator/vault
Hopefully this short guide helps get you going with launching a local Hashi Vault instance. Next time we’ll cover Vault Usage.