- Auto Unseal with AWS KMS
- Dynamic Database Secrets with RDS MySQL
- AWS IAM Authentication
- Encryption as a Service
- Automated PKI cert rotation
- Tokenization with PostgreSQL
- Format-Preserving Encryption
- Fork this repo (https://github.com/kevincloud/vault-aws-demo.git)
- Create a workspace in Terraform Cloud using your newly-forked repo as the VCS
- Create the following variables, either by updating `terraform.tfvars` if you're using CLI- or API-driven runs, or by using the Terraform Cloud/Enterprise provider (step 4):
  - `aws_region`: The region to create these resources in. Default is `us-east-1`.
  - `key_pair`: The key pair used to SSH into the EC2 instances. It assumes you already have a key pair in the region you're deploying in. (Required)
  - `instance_type`: The instance type to create for each EC2 instance. Default is `t3.small`.
  - `db_instance_type`: The instance type to use for the MySQL and PostgreSQL RDS instances. Default is `t3.small`.
  - `num_nodes`: The total number of nodes to create for the cluster. This should be `1`, `3`, or `5` to satisfy Raft requirements.
  - `db_user`: The username for the database instances. Default is `root`.
  - `db_pass`: The password for the database instances. (Required)
  - `mysql_dbname`: The MySQL DB instance name. Default is `sedemovaultdb`.
  - `postgres_dbname`: The PostgreSQL DB instance name. Default is `tokenizationdb`.
  - `kms_key_id`: Your KMS Key ID to use for Auto Unseal. (Required)
  - `vault_dl_url`: The download URL for Vault. Default points to version 1.9.0.
  - `vault_license`: The Vault Enterprise license key. Default is empty (not required).
  - `consul_tpl_url`: The download URL for Consul Template. Default points to 0.27.2.
  - `autojoin_key`: The tag key used for Raft storage auto-join. Default is `vault_server_cluster`.
  - `autojoin_value`: The tag value used for Raft storage auto-join. Default is `vault_raft`.
  - `prefix`: A unique identifier to use when naming resources. (Required)
  - `git_branch`: The git branch to use when cloning this repo for running scripts. Default is `master`.
  - `owner`: The email address of the person setting up this demo. (Required)
  - `se_region`: The region of the SE setting up this demo. (Required)
  - `purpose`: The purpose of this configuration. Default is already set.
  - `ttl`: The time-to-live for this configuration. (Required)
  - `terraform`: Whether this configuration is managed by Terraform. Default is `true`.
- If you're using Terraform Enterprise/Cloud, you can use the `tfe` Terraform provider under the `tfe` subdirectory and update the variables in your workspace. Then run `terraform init` and `terraform apply` to push all variables to your TFE/TFC workspace. (Make sure you have exported your TFE/TFC token as an environment variable.)
- Add your AWS credentials as environment variables (this should be done through Doormat):

  ```
  doormat aws --account $AWS_ACCOUNT_NUMBER --tf-push --tf-workspace $TFC_WORKSPACE --tf-organization $TFC_ORGANIZATION
  ```
- Now you can trigger a run to deploy the demo setup!
- Once the infrastructure is deployed, log in to the Vault server. The `vault-login` output from Terraform contains an SSH command, though the key name and location may need to be modified to match your environment.
- SSH into the Vault server and ensure it's up and unsealed. Note: the recovery key is in `/root/init.txt`. Run `vault status` to ensure all settings are correct:
```
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    1
Threshold                1
Version                  1.1.0
Cluster Name             vault-cluster-efcdaac3
Cluster ID               efe63829-a886-1d8d-3c5e-73cb5bc5cf3f
HA Enabled               false
```
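A `terraform.tfvars` covering the variables listed in the setup steps above, written here as an added example rather than a file from the repo. Every value marked placeholder is an assumption (including the type of `ttl`), and the two secret inputs are deliberately kept out of the file:

```hcl
# terraform.tfvars -- constructed example for the variables described above.
# Values marked "placeholder" are assumptions; replace them with your own.

aws_region       = "us-east-1"            # default
key_pair         = "my-keypair"           # placeholder: existing key pair in aws_region
instance_type    = "t3.small"             # default
db_instance_type = "t3.small"             # default
num_nodes        = 3                      # must be 1, 3 or 5 for Raft
db_user          = "root"                 # default
mysql_dbname     = "sedemovaultdb"        # default
postgres_dbname  = "tokenizationdb"       # default
autojoin_key     = "vault_server_cluster" # default
autojoin_value   = "vault_raft"           # default
git_branch       = "master"               # default
terraform        = true                   # default
prefix           = "kc-vault-demo"        # placeholder: unique per deployment
owner            = "you@example.com"      # placeholder
se_region        = "NA-East"              # placeholder
ttl              = "72h"                  # placeholder (format per the repo's variable definition)
kms_key_id       = "00000000-0000-0000-0000-000000000000" # placeholder: your KMS key ID

# Secrets: db_pass and vault_license are intentionally absent so they are
# never committed to the forked repo. Supply them as TF_VAR_db_pass and
# TF_VAR_vault_license environment variables for CLI runs, or as sensitive
# workspace variables in Terraform Cloud/Enterprise.
```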
Some fake credentials were automatically added to Vault during setup. To verify all data is still intact, simply look up your credentials:

```
vault kv get secret/creds
```

You should see:

```
====== Metadata ======
Key              Value
---              -----
created_time     2019-04-05T18:01:18.980320626Z
deletion_time    n/a
destroyed        false
version          1

====== Data ======
Key         Value
---         -----
password    Super$ecret1
username    vault_user
```
From here you can launch each of the demos by executing the `run_interactive.sh` script found within each demo subdirectory, or run them all using `runall.sh`:

```
/root # ls -l
total 44
drwxr-xr-x 2 root root 4096 Nov 23 21:02 01_database
drwxr-xr-x 2 root root 4096 Nov 23 21:02 02_ec2auth
drwxr-xr-x 4 root root 4096 Nov 23 21:02 03_eaas
drwxr-xr-x 2 root root 4096 Nov 23 21:02 04_pki
drwxr-xr-x 2 root root 4096 Nov 23 21:02 05_tokenization
drwxr-xr-x 2 root root 4096 Nov 23 21:02 06_fpe
-rw-r--r-- 1 root root  267 Nov 23 21:02 init.txt
-rwxr-xr-x 1 root root  215 Nov 23 21:03 resetall.sh
-rwxr-xr-x 1 root root 1764 Nov 23 21:03 runall.sh
```
Summary: Simple workflow to showcase dynamic database credentials for RDS MySQL. The demo walks you through setting up two users, James (Operator) and Sally (AppDev), each with a policy that either allows (James) or denies (Sally) generating database credentials.
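An added illustration of that allow/deny split, not the demo's own policy files: two Vault policies in HCL. `database/creds/<role>` is the database secrets engine's credential path and `secret/data/creds` is the KV v2 data path for the secret shown earlier; the role name `mysql-role` is assumed.

```hcl
# james-operator.hcl (added example; role name is assumed)
# James may generate dynamic MySQL credentials from the database engine.
path "database/creds/mysql-role" {
  capabilities = ["read"]
}

# sally-appdev.hcl (added example)
# Sally may read the static KV v2 secret written at setup ...
path "secret/data/creds" {
  capabilities = ["read"]
}

# ... but is explicitly denied dynamic database credentials. Vault already
# denies anything not granted, so this is defensive; an explicit "deny"
# also wins over any other policy on the same token that would grant it.
path "database/creds/*" {
  capabilities = ["deny"]
}
```

Load each file with `vault policy write <name> <file>` and attach the policy to the corresponding user on whichever auth method the demo creates them in.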
Summary: Simple workflow to showcase authenticating into Vault using the EC2 instance's instance profile. Vault uses the AWS auth engine to validate the EC2 identity by checking its PKCS#7-signed identity document against the AWS API. Once validated, Vault returns a valid token with the attached policies.