Testing or Prototype Environment // Running Vault in Docker for DEVELOPMENT PURPOSES ONLY
This is an attempt to document how to spin up a quick Open-Source instance of Vault in Docker for development purposes.
- Docker
- Vault CLI
- make
- jq
- curl
- PGP / pass
NOTE: In this mode, the data is NOT persistent
https://www.vaultproject.io/docs/concepts/dev-server https://www.vaultproject.io/docs/configuration/storage/in-memory
-
Start up Vault in "dev" mode in Docker Runtime:
make -f Makefile vault-setup-dev -
This will auto-unseal with access via Admin or Root token ==
root
https://www.vaultproject.io/docs/configuration/storage/filesystem
NOTE: This is inherently NOT secure and should only be used for development / prototyping purposes only.
Steps documented in the steps below can all be done in one command by running make against the vault-setup-all target: make -f Makefile vault-set-all
- Create directories on your node that will be mounted into the Vault Docker Container
OR
mkdir -p ~/volume/vault/config ~/volume/vault/file ~/volume/vault/logs ~/volume/vault/tlsmake -f Makefile vault-volume - Vault Configuration:
Copy theThis has been covered in the Makefile~/config.jsonconfiguration file to the${volume}/vault/configdirectory you created.vault-volume: #target& will pass configuration values to start Vault - Start up Vault in Docker Runtime:
make -f Makefile vault-setup - Inititiate and Unseal Vault
vault operator init: Initializes Vault and dumps output tokeys.jsonmake -f Makefile vault-initvault operator unseal: Unseals Vault with values fromkeys.jsonmake -f Makefile vault-unseal
- Log in to Vault with your new Initial Root Token (in
keys.jsonfile)vault login <token> - Set your environment variables for
VAULT_ADDRandVAULT_TOKEN
If you are successfully logged into Vault CLI via initial token but get errors like "Code: 403. Errors: * permission denied" when executing Vault CLI commands, you may need to "
tidy" your Vault tokens as per:
- hashicorp/vault#3859 (comment)
- hashicorp/vault#2661
- Command to tidy tokens:
curl -H "X-Vault-Token: $VAULT_TOKEN" -X POST http://127.0.0.1:8200/v1/auth/token/tidy
- Upon Vault service restart (or host node reboot), you will need to unseal again (no need to
vault-init #target). Run make against thevault-unseal #targetto unseal Vault assumingkeys.jsonfile is available for it to parse the Unseal Key(s).make -f Makefile vault-unseal
At this point, it would be good to do the following:
- Save the Shamir Unseal Key(s) & Initial Root Token in the
keys.jsonsomewhere safe - Create another token or
userpassaccount with admin level policy
- https://hub.docker.com/_/vault
- https://www.vaultproject.io/docs/concepts/dev-server
- https://www.vaultproject.io/docs/configuration/storage
- hashicorp/vault#3859 (comment)
- hashicorp/vault#2661
- https://github.com/jacobm3/vault-local-demo/blob/9f5cce33ba34ff2cde1bfe2183bdeca6251421f0/reinit.sh#L21
- https://github.com/MarkNjunge/vault-docker/blob/master/1-unseal.sh
DEPRECATED:
The init-unseal.sh script will perform:
- vault operator init
- Dump Shamir Unseal Key(s) and Initial Root Token into keys.json file
- vault operator unseal
- Run
init-unseal.shscript or do steps in the script manuallychmod 754 init-unseal.sh ./init-unseal.sh
Introduction Prerequisites Dev Mode File Volume Mode References Appendix