Provides a simple Docker environment for tinkering with Vault and utlizing Consul as the storage backend.
Allow direnv
to get the environment right
$ direnv allow
direnv: loading .envrc
direnv: using hashicorp consul 1.1.0
direnv: using hashicorp vault 0.10.1
direnv: export +LOCAL_IP +PROJECT_DIR +VAULT_ADDR ~PATH
Bring the environment up with docker-compose
. Running in detached mode puts the sandbox in the background.
$ docker-compose up -d
Creating vault ... done
Creating consul ... done
Initialize Vault with only 1 key. We're just tinkering here!
A production environment should minimally utilize the default key share to threshold ratio of 5:3.
$ vault operator init -key-shares=1 -key-threshold=1
Unseal Key 1: /6CIyLXyZYJ1jIvfeWFL5CD/pKmuCuFaETelW86adPU=
Initial Root Token: d7cb154b-c54b-dc63-d955-29ef7b79ad00
Vault initialized with 1 key shares and a key threshold of 1. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 1 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 1 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault rekey" for more information.
Unseal vault with the provided key
$ vault operator unseal /6CIyLXyZYJ1jIvfeWFL5CD/pKmuCuFaETelW86adPU=
Key Value
--- -----
Seal Type shamir
Sealed false
Total Shares 1
Threshold 1
Version 0.10.1
Cluster Name vault-cluster-e1e5103e
Cluster ID 0b09acc2-677e-f2e1-ac1f-7fc2cd6031a2
HA Enabled true
HA Cluster n/a
HA Mode standby
Active Node Address <none>
Export the provided root token so we are able to operate our Vault
$ export VAULT_TOKEN=d7cb154b-c54b-dc63-d955-29ef7b79ad000
Check the status of the Vault
$ vault status
Key Value
--- -----
Seal Type shamir
Sealed false
Total Shares 1
Threshold 1
Version 0.10.1
Cluster Name vault-cluster-e1e5103e
Cluster ID 0b09acc2-677e-f2e1-ac1f-7fc2cd6031a2
HA Enabled true
HA Cluster https://10.10.0.10:444
HA Mode active
List the default secrets
$ vault secrets list
Path Type Description
---- ---- -----------
cubbyhole/ cubbyhole per-token private secret storage
identity/ identity identity store
secret/ kv key/value secret storage
sys/ system system endpoints used for control, policy and debugging