# Cheat Sheet #day34 - HashiCorp Vault

## HashiCorp Vault Cheatsheet

### Basic Concepts

* **Vault**: A tool for securely storing and accessing secrets.
    
* **Secrets**: Sensitive data like API keys, passwords, certificates, etc.
    
* **Policies**: Rules that define what actions users can perform on secrets.
    
* **Authentication Methods**: Ways to verify a user's identity (e.g., tokens, LDAP, GitHub).
    
* **Backends**: Storage backends (where data is stored) and secrets backends (how data is managed).
    

### Starting Vault

1. **Install Vault**:
    
    * [Download Vault](https://www.vaultproject.io/downloads)
        
    * Install using package manager (e.g., `brew install vault` for macOS).
        
2. **Start Vault Server (dev mode)**:
    
    ```sh
    vault server -dev
    ```
    
    Dev mode runs an in-memory server that is already initialized and unsealed, for local testing only; the root token is printed at startup.
    
3. **Export Address and Token**:
    
    ```sh
    export VAULT_ADDR='http://127.0.0.1:8200'
    export VAULT_TOKEN='your-root-token'
    ```
    

### Basic Commands

* **Initialize Vault** (a server started without `-dev`; the dev server is already initialized and unsealed):
    
    ```sh
    vault operator init
    ```
    
* **Unseal Vault** (repeat until the threshold is reached; `init` defaults to 5 key shares with a threshold of 3):
    
    ```sh
    vault operator unseal <Unseal Key 1>
    vault operator unseal <Unseal Key 2>
    vault operator unseal <Unseal Key 3>
    ```
    
* **Check Vault Status**:
    
    ```sh
    vault status
    ```
    

### Authentication

* **Login with Token**:
    
    ```sh
    vault login <your-root-token>
    ```
    
* **Enable Authentication Method (e.g., Userpass)**:
    
    ```sh
    vault auth enable userpass
    ```
    
* **Create User (Userpass)**:
    
    ```sh
    vault write auth/userpass/users/<username> password=<password> policies=<policy>
    ```
    

### Secrets Management

1. **Enable a Secrets Engine** (KV version 1; a dev server already has a KV v2 engine mounted at `secret/`, so skip this step there):
    
    ```sh
    vault secrets enable -path=secret kv
    ```
    
2. **Write a Secret**:
    
    ```sh
    vault kv put secret/my-secret key1=value1 key2=value2
    ```
    
3. **Read a Secret**:
    
    ```sh
    vault kv get secret/my-secret
    ```
    
4. **List Secrets**:
    
    ```sh
    vault kv list secret/
    ```
    
5. **Delete a Secret**:
    
    ```sh
    vault kv delete secret/my-secret
    ```
    

### Policies

1. **Create a Policy** (save as `my-policy.hcl`; on a KV v2 mount the data paths are `secret/data/*` and `secret/metadata/*`):
    
    ```hcl
    path "secret/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }
    ```
    
2. **Write a Policy**:
    
    ```sh
    vault policy write my-policy my-policy.hcl
    ```
    
3. **Attach Policy to a Token**:
    
    ```sh
    vault token create -policy=my-policy
    ```
    
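Before attaching a policy, check what it actually grants on a given path (`vault token capabilities <token> <path>` does this against a live server). The evaluator below is an added example, not Vault's own code; it assumes policies contain only `path` blocks with a `capabilities` list and models Vault's documented path-priority rules offline, using the cheat sheet's policy plus a constructed `deny` rule.

```python
"""Which capabilities does a token holding a set of policies get on a request
path?  Added example, not Vault's code: it applies Vault's documented matching
rules (exact path, trailing '*' glob, '+' single segment, most specific pattern
wins, 'deny' overrides) to a minimal subset of policy HCL (only `path` blocks)."""
import re
from typing import Dict, List, Set

# Assumption: every rule looks like  path "..." { capabilities = ["..."] }  and nothing else.
RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]', re.S)

# The cheat sheet's policy plus a constructed deny rule for a "prod" subtree.
CHEATSHEET_POLICY = 'path "secret/*" {\n  capabilities = ["create", "read", "update", "delete", "list"]\n}\n'
DENY_PROD_POLICY = 'path "secret/prod/*" {\n  capabilities = ["deny"]\n}\n'

def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    """Return {path_pattern: capabilities} for every rule in one policy document."""
    return {p: set(re.findall(r'"([^"]+)"', caps)) for p, caps in RULE_RE.findall(hcl)}

def path_matches(pattern: str, path: str) -> bool:
    """'*' is a prefix glob allowed only at the end; '+' matches exactly one segment."""
    glob = pattern.endswith("*")
    segs = (pattern[:-1] if glob else pattern).split("/")
    parts = path.split("/")
    if glob:
        head, tail = segs[:-1], segs[-1]  # tail may be a partial segment ("secret/foo*")
        return (len(parts) > len(head)
                and all(s == "+" or s == p for s, p in zip(head, parts))
                and parts[len(head)].startswith(tail))
    return len(segs) == len(parts) and all(s == "+" or s == p for s, p in zip(segs, parts))

def _priority(pattern: str):
    """Vault's priority rules as a sort key: later first wildcard, no trailing glob, fewer '+', longer, then lexicographic."""
    first = min((i for i, c in enumerate(pattern) if c in "*+"), default=len(pattern) + 1)
    return (first, 0 if pattern.endswith("*") else 1, -pattern.count("+"), len(pattern), pattern)

def capabilities(policies: List[str], path: str) -> Set[str]:
    """Union capabilities per identical pattern across policies, pick the best matching pattern; 'deny' wins."""
    merged: Dict[str, Set[str]] = {}
    for doc in policies:
        for pattern, caps in parse_policy(doc).items():
            merged.setdefault(pattern, set()).update(caps)
    matching = [p for p in merged if path_matches(p, path)]
    if not matching:
        return set()  # no rule matches: Vault denies by default
    caps = merged[max(matching, key=_priority)]
    return {"deny"} if "deny" in caps else caps

if __name__ == "__main__":
    for req in ("secret/my-secret", "secret/prod/db", "auth/token/create"):
        print(req, sorted(capabilities([CHEATSHEET_POLICY, DENY_PROD_POLICY], req)))
```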

### Tokens

1. **Create a Token**:
    
    ```sh
    vault token create
    ```
    
2. **Revoke a Token**:
    
    ```sh
    vault token revoke <token>
    ```
    
3. **Lookup Token**:
    
    ```sh
    vault token lookup <token>
    ```
    

### Dynamic Secrets

1. **Enable Database Secrets Engine**:
    
    ```sh
    vault secrets enable database
    ```
    
2. **Configure Database Connection**:
    
    ```sh
    vault write database/config/my-database \
      plugin_name=mysql-database-plugin \
      connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \
      allowed_roles="my-role" \
      username="root" \
      password="root-password"
    ```
    
    Once the connection works, rotate the configured credential with `vault write -f database/rotate-root/my-database` so that only Vault knows it.
    
3. **Create a Role for Dynamic Secrets**:
    
    ```sh
    # Escaped backticks quote the schema name: a hyphen in an unquoted MySQL identifier is a syntax error.
    vault write database/roles/my-role \
      db_name=my-database \
      creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
                          GRANT SELECT ON \`my-database\`.* TO '{{name}}'@'%';" \
      default_ttl="1h" \
      max_ttl="24h"
    ```
    
4. **Generate Dynamic Secrets**:
    
    ```sh
    vault read database/creds/my-role
    ```
    

### Auditing

1. **Enable Audit Device**:
    
    ```sh
    vault audit enable file file_path=/var/log/vault_audit.log
    ```
    
2. **List Audit Devices**:
    
    ```sh
    vault audit list
    ```
    
3. **Disable Audit Device**:
    
    ```sh
    vault audit disable <audit-path>
    ```
    

### Useful Commands

* **Help**:
    
    ```sh
    vault help
    ```
    
* **Version**:
    
    ```sh
    vault version
    ```
    
* **License** (Vault Enterprise only):
    
    ```sh
    vault license status
    ```
    

### Tips and Tricks

* **Environment Variables**:
    
    * Use `VAULT_ADDR` and `VAULT_TOKEN` to avoid passing parameters with every command.
        
* **Alias**:
    
    * Create command aliases for frequent tasks to speed up your workflow.
        
* **Scripting**:
    
    * Automate Vault operations using shell scripts for repetitive tasks.
        
* **Security**:
    
    * Always follow security best practices such as enabling TLS, rotating secrets, and limiting access through policies.
        

---

HashiCorp Vault is a robust tool for managing secrets and protecting sensitive data. This cheatsheet provides a quick reference to its core functionalities, helping you to leverage Vault effectively in your security and secrets management tasks.
