The scope of this repository is to provide the steps for deploying Vault with Auto-unseal using Cloud KMS in GCP.
These assets are provided to perform the tasks described in the Auto-unseal with Google Cloud KMS guide, adapted for a workout example.
- Website: https://www.vaultproject.io
- Announcement list: Google Groups
- Discussion forum: Discuss
- Documentation: https://www.vaultproject.io/docs/
- Tutorials: HashiCorp's Learn Platform
- Certification Exam: Vault Associate
Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.
Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, please responsibly disclose by contacting us at security@hashicorp.com.
- Website: https://www.terraform.io
- Forums: HashiCorp Discuss
- Documentation: https://www.terraform.io/docs/
- Tutorials: HashiCorp's Learn Platform
- Certification Exam: HashiCorp Certified: Terraform Associate
Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently. Terraform can manage existing and popular service providers as well as custom in-house solutions.
- Install Terraform.
- Install the Vault client; it lets you test access to the Vault server from your local system.
- Install the gcloud CLI, configure it, and enable the Cloud Key Management Service (KMS) API.
- Install gh (the GitHub CLI).
- At least two variables must be present in the environment for the procedure to work: PROJID and SACC. Both must be loaded into the environment before continuing with this workout example. In this case, a sourceable file, variables-kms-unseal.source, with the correct values must be provided in the parent directory.
- Enable the Cloud KMS API for the project (looked up by project number). For example:
PROJNAME=$(gcloud projects describe $PROJID --format json | jq -c '.projectNumber') && eval PROJNAME=$PROJNAME gcloud services enable cloudkms.googleapis.com
For all commands in one go, execute the shell script create_and_unseal_vault.sh, which by default also creates the KMS keyring and unseal key.
- Clone the repository and set it as your working directory
gh repo clone florintp-onboarding/gcp-kms-unseal
- Fill in the GCP account information from 'terraform-without-keyring.tfvars' and save it as 'terraform.tfvars'. These values change whenever a new project is created! Then complete the variables in ../variables-kms-unseal.source: PROJID for the project id and SACC for the service account, like so:
export PROJID=<your_projectid>
export SACC=<projectname-test>
- Load the default variables
source ../variables-kms-unseal.source
- Create a service account and generate its JSON key (this requires IAM admin permissions and the IAM API enabled)
gcloud -q iam service-accounts create $SACC \
--description="Vault Service Account" \
--display-name="$SACC"
- List all the service accounts
gcloud -q iam service-accounts list
- Generate the JSON key
gcloud -q iam service-accounts keys create service_account-$SACC-key.json \
--iam-account=$SACC'@'${PROJID}'.iam.gserviceaccount.com'
- Check the key list
gcloud -q iam service-accounts keys list \
--iam-account=$SACC'@'${PROJID}'.iam.gserviceaccount.com'
- Add role bindings to the service account
[[ "X$PROJID" == "X" ]] || gcloud -q projects add-iam-policy-binding $PROJID \
--member='serviceAccount:'$SACC'@'${PROJID}'.iam.gserviceaccount.com' \
--role='roles/editor'
[[ "X$PROJID" == "X" ]] || gcloud -q projects add-iam-policy-binding $PROJID \
--member='serviceAccount:'$SACC'@'${PROJID}'.iam.gserviceaccount.com' \
--role='roles/compute.admin'
[[ "X$PROJID" == "X" ]] || gcloud -q projects add-iam-policy-binding $PROJID \
--member='serviceAccount:'$SACC'@'${PROJID}'.iam.gserviceaccount.com' \
--role='roles/cloudkms.admin'
# At first RUN, the keyring and key must be created
cp main.tf_with_key_creation main.tf
# After keyring already present
# cp main.tf_without_key_creation main.tf
ln -s service_account-$SACC-key.json gcloud-vault-test1.json
cat terraform.tfvars.example | grep -Ev 'key_ring|crypto_key|keyring_location' | sed "s/<PROJECT_ID>/$PROJID/g ; s/<ACCOUNT_FILE_PATH>/\.\/gcloud-vault-test1.json/g" > terraform.tfvars
echo 'key_ring = "test"' >> terraform.tfvars
echo 'crypto_key = "vault-test1"' >> terraform.tfvars
echo 'keyring_location = "global"' >> terraform.tfvars
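As an added example (not code from this repository), the script below reads the three KMS values this workout appends to terraform.tfvars and renders the seal "gcpckms" stanza that the Vault config on the compute node must carry for auto-unseal, refusing to emit a partial stanza when a value or the project id is missing. At runtime the seal only performs encrypt and decrypt calls on this one key, so roles/cloudkms.cryptoKeyEncrypterDecrypter on the key is enough for Vault itself, far narrower than the project-wide editor and cloudkms.admin roles granted above. The tfvars content is constructed inline, the credentials path is the symlink created earlier, and the project id falls back to a labelled placeholder when PROJID is not sourced.

```shell
#!/usr/bin/env bash
# Added example, not code from the repository: read the KMS values this
# workout writes into terraform.tfvars and render the Vault `seal "gcpckms"`
# stanza that config.hcl on the compute node needs for auto-unseal.

tfvars_get() {
  # Usage: tfvars_get FILE KEY -> prints the value of a `KEY = "..."` line.
  # Returns 1 (and prints nothing) if KEY is absent from FILE.
  local file="$1" key="$2" val
  val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$file" | head -n 1)
  [ -n "$val" ] || return 1
  printf '%s\n' "$val"
}

render_gcpckms_seal() {
  # Usage: render_gcpckms_seal TFVARS_FILE PROJECT_ID CREDENTIALS_PATH
  # Fails closed: any missing value aborts instead of emitting a partial stanza.
  local file="$1" project="$2" creds="$3" key_ring crypto_key region
  [ -n "$project" ] || { echo "project id is empty (is PROJID sourced?)" >&2; return 1; }
  key_ring=$(tfvars_get "$file" key_ring)       || { echo "key_ring missing" >&2; return 1; }
  crypto_key=$(tfvars_get "$file" crypto_key)   || { echo "crypto_key missing" >&2; return 1; }
  region=$(tfvars_get "$file" keyring_location) || { echo "keyring_location missing" >&2; return 1; }
  cat <<EOF
seal "gcpckms" {
  credentials = "${creds}"
  project     = "${project}"
  region      = "${region}"
  key_ring    = "${key_ring}"
  crypto_key  = "${crypto_key}"
}
EOF
}

# Constructed sample tfvars with exactly the values the page appends.
sample_tfvars=$(mktemp)
cat > "$sample_tfvars" <<'EOF'
key_ring = "test"
crypto_key = "vault-test1"
keyring_location = "global"
EOF

# PROJID comes from the sourced variables file; the fallback is a placeholder.
render_gcpckms_seal "$sample_tfvars" "${PROJID:-example-project-id}" ./gcloud-vault-test1.json
```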
- Create the infrastructure using Terraform
- initialize the working directory
terraform init
- plan, to see which resources will be created
terraform plan
- create the resources
terraform apply -auto-approve
- inspect the outputs once the apply has finished
terraform output
eval $(terraform output | grep -E '^nodename|^zone' | sed "s/ //g")
gcloud -q compute ssh --zone=${zone} ${nodename} --project ${PROJID}
- Check the Vault server status, initialize Vault, then stop and start the service and confirm from the status that it came back unsealed without any unseal key being entered (that is the auto-unseal at work)
sudo VAULT_ADDR=http://127.0.0.1:8200 vault status
sudo VAULT_ADDR=http://127.0.0.1:8200 vault operator init
sudo VAULT_ADDR=http://127.0.0.1:8200 vault status
sudo systemctl stop vault
sudo systemctl start vault
sudo systemctl status vault
sudo VAULT_ADDR=http://127.0.0.1:8200 vault status
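The stop/start sequence above is the actual auto-unseal test: after the restart, vault status must report the server initialized, sealed with gcpckms, and already unsealed with no key shares entered. As an added example, not from the repository, this script checks exactly that from the table output of vault status so a restart script can gate on it; the status text embedded below is a constructed sample, and on the node you would pipe the real command's output into vault_autounseal_ok instead.

```shell
#!/usr/bin/env bash
# Added example, not part of the repository: parse `vault status` table
# output and confirm the state expected after the systemctl restart:
# seal type gcpckms, initialized, and already unsealed.

status_field() {
  # Usage: status_field "Key name" < vault-status-output
  # Prints the Value column of the matching row (e.g. "Seal Type", "Sealed").
  awk -v key="$1" '
    $0 ~ "^" key "[ \t]+" { sub("^" key "[ \t]+", ""); print; exit }'
}

vault_autounseal_ok() {
  # Usage: vault_autounseal_ok < vault-status-output
  # Returns 0 only when the server is KMS-sealed, initialized and unsealed;
  # each failure mode says why, so a restart script can act on it.
  local out seal_type initialized sealed
  out=$(cat)
  seal_type=$(printf '%s\n' "$out" | status_field "Seal Type")
  initialized=$(printf '%s\n' "$out" | status_field "Initialized")
  sealed=$(printf '%s\n' "$out" | status_field "Sealed")
  if [ "$seal_type" != "gcpckms" ]; then
    echo "seal type is '${seal_type:-unknown}', not gcpckms" >&2; return 1
  fi
  if [ "$initialized" != "true" ]; then
    echo "vault is not initialized (run vault operator init first)" >&2; return 1
  fi
  if [ "$sealed" != "false" ]; then
    echo "vault is still sealed: auto-unseal did not complete" >&2; return 1
  fi
  return 0
}

# Constructed sample of `vault status` after a successful KMS auto-unseal
# (the version string is a placeholder).
GOOD_STATUS='Key                      Value
---                      -----
Seal Type                gcpckms
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3
Version                  1.x.y
Storage Type             file
HA Enabled               false'

printf '%s\n' "$GOOD_STATUS" | vault_autounseal_ok && echo "auto-unseal OK"
```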
- Explore the Vault configuration file on the compute node
cat /test/vault/config.hcl
- (On a different terminal window) Rotate the key and see that Vault is still able to unseal. Cloud KMS keeps the earlier key versions available for decryption, so Vault can still unwrap its root key after the rotation. A manual rotation of the key may be executed from the GCP Console or with gcloud:
gcloud kms keys update vault-test1 \
--location global \
--keyring test \
--rotation-period 2d \
--next-rotation-time 1d
- Cleanup may be performed step by step, or in one go by simply executing the shell script cleanall.sh.
terraform destroy -auto-approve
# Only user-managed keys are listed; Google-managed (system) keys cannot be deleted
for i in $(gcloud iam service-accounts keys list --managed-by=user --iam-account=$SACC'@'${PROJID}'.iam.gserviceaccount.com' | grep -v 'KEY_ID' | awk '{print $1}') ; do
gcloud -q iam service-accounts keys delete $i --iam-account=$SACC'@'${PROJID}'.iam.gserviceaccount.com'
done
rm -f terraform.tfstate terraform.tfstate.backup gcloud-vault-test1.json
- Delete the serviceAccount
[[ "X$PROJID" == "X" ]] || gcloud -q iam service-accounts delete \
$SACC'@'${PROJID}'.iam.gserviceaccount.com'