These configurations require Terraform 0.12+!
Feature Highlights
- Vault HA - The Vault cluster is deployed in HA mode backed by [Google Cloud Storage][gcs].
- Production Hardened - Vault is deployed according to the production hardening guide.
- Auto-Init and Unseal - Vault is automatically initialized and unsealed at runtime. The unseal keys are encrypted with Google Cloud KMS and stored in Google Cloud Storage.
- Full Isolation - The Vault cluster is provisioned in its own Kubernetes cluster in a dedicated GCP project that is provisioned dynamically at runtime. Clients connect to Vault using only the load balancer, and Vault is treated as a managed external service.
- Audit Logging - Audit logging to Stackdriver can be optionally enabled with minimal additional configuration.
STEPS
- Download and install [Terraform][terraform].
- Download, install, and configure the [Google Cloud SDK][sdk]. You will need to configure your default application credentials so Terraform can run. It will run against your default project, but all resources are created in the (new) project that it creates.
- Run Terraform:

```
$ cd terraform/
$ terraform init
$ terraform apply
```
This operation will take some time as it:
- Creates a new project (or uses an existing project that you specify)
- Enables the required services on that project
- Creates a bucket for storage
- Creates a KMS key for encryption
- Creates a service account with the most restrictive permissions on those resources
- Creates a GKE cluster with the configured service account attached
- Creates a public IP
- Generates a self-signed certificate authority (CA)
- Generates a certificate signed by that CA
- Configures Terraform to talk to Kubernetes
- Creates a Kubernetes secret with the TLS file contents
- Configures your local system to talk to the GKE cluster by getting the cluster credentials and Kubernetes context
- Submits the StatefulSet and Service to the Kubernetes API
Interact with Vault
- Install Vault on your local machine.
- Export environment variables:

  Vault reads these environment variables for communication. Set Vault's address, the CA to use for validation, and the initial root token.

```
# Make sure you're in the terraform/ directory
# $ cd terraform/
$ export VAULT_ADDR="https://$(terraform output address)"
$ export VAULT_TOKEN="$(terraform output root_token)"
$ export VAULT_CAPATH="$(cd ../ && pwd)/tls/ca.pem"
```

  For example:

```
$ export VAULT_ADDR=https://1.1.1.1
$ export VAULT_TOKEN=xxxxtoken
$ export VAULT_CAPATH=~/vault/tls/ca.pem
```

- Run some commands:

```
$ vault secrets enable -path=secret -version=2 kv
$ vault kv put secret/foo a=b
```
Sample error: you need to enable the secrets engine at the path first, otherwise you will get an error like the one below:

```
$ vault kv put secret/hello foo=world
Error making API request.

URL: GET https://1.1.1.1/v1/sys/internal/ui/mounts/secret/hello
Code: 403. Errors:

* preflight capability check returned 403, please ensure client's policies grant access to path "secret/hello/"
```

Sample usage:

```
$ vault secrets enable -path=secret -version=2 kv
Success! Enabled the kv secrets engine at: secret/

$ vault kv put secret/hello foo=world
Key              Value
---              -----
created_time     2020-01-14T18:41:24.952919365Z
deletion_time    n/a
destroyed        false
version          1

$ vault kv get secret/hello
====== Metadata ======
Key              Value
---              -----
created_time     2020-01-14T18:41:24.952919365Z
deletion_time    n/a
destroyed        false
version          1

=== Data ===
Key    Value
---    -----
foo    world
```
Audit Logging
Audit logging is not enabled in a default Vault installation. To enable audit logging to [Stackdriver][stackdriver] on Google Cloud, enable the file audit device on stdout:

```
$ vault audit enable file file_path=stdout
```

That's it! Vault will now write an audit entry for every request to stdout, which is collected by Stackdriver. Additionally, because the configuration uses an L4 load balancer, Vault does not need to parse X-Forwarded-For headers to extract the client IP, as requests are passed directly to the node.
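Once the file audit device is writing to stdout, the entries are JSON objects, one per line, with the client token and accessor HMAC-SHA256-hashed and the caller's IP in `request.remote_address` (which is the real client IP here, because of the L4 load balancer noted above). The script below is an added example, not part of this project, that parses a handful of constructed entries in that shape and pulls out what a defender typically wants from the stream: requests made with the root policy, permission-denied responses, a per-client request baseline, and any entry whose token field is not hashed (which would indicate the device was enabled with raw logging and is itself leaking credentials). The hash values, IPs, request ids and display names are made up for the example.

```python
import json
from collections import Counter

# Constructed sample entries in the shape written by Vault's file audit
# device (one JSON object per line). Vault HMAC-SHA256-hashes tokens and
# accessors before logging; the hash values, IPs and ids below are made up.
# The last JSON line imitates raw logging (token not hashed), and the final
# line is deliberately not JSON so the parser's error handling is exercised.
SAMPLE_AUDIT_LOG = r"""
{"time":"2020-01-14T18:41:24.952919365Z","type":"request","auth":{"client_token":"hmac-sha256:1111","accessor":"hmac-sha256:2222","display_name":"root","policies":["root"],"token_type":"service"},"request":{"id":"req-1","operation":"update","client_token":"hmac-sha256:1111","path":"secret/data/hello","remote_address":"10.8.0.5"}}
{"time":"2020-01-14T18:41:24.960000000Z","type":"response","auth":{"client_token":"hmac-sha256:1111","accessor":"hmac-sha256:2222","display_name":"root","policies":["root"],"token_type":"service"},"request":{"id":"req-1","operation":"update","client_token":"hmac-sha256:1111","path":"secret/data/hello","remote_address":"10.8.0.5"},"response":{"data":{"version":1}}}
{"time":"2020-01-14T18:42:01.000000000Z","type":"request","auth":{"client_token":"hmac-sha256:3333","accessor":"hmac-sha256:4444","display_name":"app-svc","policies":["default","app"],"token_type":"service"},"request":{"id":"req-2","operation":"read","client_token":"hmac-sha256:3333","path":"secret/data/db","remote_address":"10.8.0.9"}}
{"time":"2020-01-14T18:42:01.010000000Z","type":"response","auth":{"client_token":"hmac-sha256:3333","accessor":"hmac-sha256:4444","display_name":"app-svc","policies":["default","app"],"token_type":"service"},"request":{"id":"req-2","operation":"read","client_token":"hmac-sha256:3333","path":"secret/data/db","remote_address":"10.8.0.9"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2020-01-14T18:42:05.000000000Z","type":"request","auth":{"client_token":"s.PLAINTEXTTOKEN","accessor":"hmac-sha256:6666","display_name":"app-svc","policies":["default","app"],"token_type":"service"},"request":{"id":"req-3","operation":"read","client_token":"s.PLAINTEXTTOKEN","path":"secret/data/db","remote_address":"10.8.0.9"}}
this line is not json
"""


def parse_audit_lines(text):
    """Parse one JSON audit entry per line. Returns (entries, malformed_count)."""
    entries, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return entries, malformed


def unhashed_token_entries(entries):
    """Request ids whose token or accessor lacks the 'hmac-sha256:' prefix.

    Vault hashes these fields by default; a raw value means the audit device
    was enabled with raw logging and the log itself exposes credentials.
    """
    found = set()
    for e in entries:
        auth, req = e.get("auth", {}), e.get("request", {})
        values = [auth.get("client_token"), auth.get("accessor"), req.get("client_token")]
        if any(v and not v.startswith("hmac-sha256:") for v in values):
            found.add(req.get("id"))
    return sorted(found)


def root_token_requests(entries):
    """(request id, client IP, path) for every request made with the root policy."""
    return [
        (e["request"]["id"], e["request"]["remote_address"], e["request"]["path"])
        for e in entries
        if e.get("type") == "request" and "root" in e.get("auth", {}).get("policies", [])
    ]


def denied_responses(entries):
    """(request id, display name, path) for responses that failed with permission denied."""
    return [
        (e["request"]["id"], e["auth"]["display_name"], e["request"]["path"])
        for e in entries
        if e.get("type") == "response" and "permission denied" in e.get("error", "")
    ]


def requests_per_client(entries):
    """Request count per (client IP, display name): a baseline for spotting new callers."""
    return Counter(
        (e["request"]["remote_address"], e["auth"]["display_name"])
        for e in entries
        if e.get("type") == "request"
    )


if __name__ == "__main__":
    entries, malformed = parse_audit_lines(SAMPLE_AUDIT_LOG)
    print(f"parsed {len(entries)} entries, skipped {malformed} malformed line(s)")
    print("root-token requests:", root_token_requests(entries))
    print("permission denied:", denied_responses(entries))
    print("unhashed tokens (raw logging?):", unhashed_token_entries(entries))
    print("requests per client:", dict(requests_per_client(entries)))
```

In a real deployment the same functions would be fed the lines exported from Stackdriver rather than the embedded sample; the root-policy check is the one most worth alerting on, since after the initial setup described above the root token should not be in day-to-day use.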
Additional Permissions
You may wish to grant the Vault service account additional permissions. This service account is attached to the GKE nodes and will be the “default application credentials” for Vault.
To specify additional permissions, create a terraform.tfvars file with the following:

```
service_account_custom_iam_roles = [
  "roles/...",
]
```
GCP Auth Method
To use the [GCP auth method][vault-gcp-auth] with the default application credentials, the Vault server needs the following role:
```
roles/iam.serviceAccountKeyAdmin
```
Alternatively you can create and upload a dedicated service account for the GCP auth method during configuration and restrict the node-level default application credentials.
GCP Secrets Engine
To use the [GCP secrets engine][vault-gcp-secrets] with the default application credentials, the Vault server needs the following roles:
```
roles/iam.serviceAccountKeyAdmin
roles/iam.serviceAccountAdmin
```
Additionally, Vault needs the superset of any permissions it will grant. For example, if you want Vault to generate GCP access tokens with access to compute, you must also grant Vault access to compute.
Alternatively, you can create and upload a dedicated service account for the GCP secrets engine during configuration and restrict the node-level default application credentials.
Cleaning Up
```
$ terraform destroy
```