Skip to content
Automate the initialization and unsealing of HashiCorp Vault on Google Cloud Platform.
Branch: master
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
vendor add vault-init Apr 26, 2018
Dockerfile Fix memory leak, better logging, improved performance Jun 6, 2018
Gopkg.lock add vault-init Apr 26, 2018
Gopkg.toml add vault-init Apr 26, 2018
LICENSE add vault-init Apr 26, 2018
README.md Add section on auth and permissions Aug 7, 2018
main.go Only request storage.read_write instead of full control Aug 7, 2018
statefulset.yaml add vault-init Apr 26, 2018

README.md

vault-init

The vault-init service automates the process of initializing and unsealing HashiCorp Vault instances running on Google Cloud Platform.

After vault-init initializes a Vault server it stores master keys and root tokens, encrypted using Google Cloud KMS, to a user defined Google Cloud Storage bucket.

Usage

The vault-init service is designed to be run alongside a Vault server and communicate over local host.

Kubernetes

Run vault-init in the same Pod as the Vault container. See the vault statefulset for a complete example.

Configuration

The vault-init service supports the following environment variables for configuration:

  • CHECK_INTERVAL - The time in seconds between Vault health checks. (300)
  • GCS_BUCKET_NAME - The Google Cloud Storage Bucket where the vault master key and root token is stored.
  • KMS_KEY_ID - The Google Cloud KMS key ID used to encrypt and decrypt the vault master key and root token.

Example Values

CHECK_INTERVAL="300"
GCS_BUCKET_NAME="vault-storage"
KMS_KEY_ID="projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/key"

IAM & Permissions

The vault-init service uses the official Google Cloud Golang SDK. This means it supports the common ways of providing credentials to GCP.

To use this service, the service account must have the following minimum scope(s):

https://www.googleapis.com/auth/cloudkms
https://www.googleapis.com/auth/devstorage.read_write

Additionally, the service account must have the following minimum role(s):

roles/cloudkms.cryptoKeyEncrypterDecrypter
roles/storage.objectAdmin OR roles/storage.legacyBucketWriter

For more information on service accounts, please see the Google Cloud Service Accounts documentation.

You can’t perform that action at this time.