Time
4 hours 53 minutes
Difficulty
Beginner
CEU/CPE
5

Video Transcription

00:04
Welcome back to Vault Fundamentals. We've been working with dynamic secrets and getting them in action. We just completed doing the AWS secrets engine and seeing how that actually creates AWS accounts itself, which can then subsequently
00:20
interact with the management plane of AWS to
00:24
provision and manage different cloud resources in AWS. In this one, we're going to start talking about the database secrets engine and see how that performs a similar role, except instead of the cloud plane it's going to be doing it for database accounts, accounts within the particular database.
00:41
And we're going to use MongoDB in our lab example.
00:45
So for the rest of this video, we're going to take care of certain setup activities in preparation for the lab, which will be taking place in the next video. Specifically, we're gonna create an Ubuntu Linux server on AWS. Don't worry if you don't have experience with AWS, but it is important that you do have the AWS
01:03
free trial account.
01:04
We're gonna install MongoDB on that server. We're gonna configure it appropriately, create an admin account, and then we're gonna set up some other methods around MongoDB to enable authentication and support connections from remote machines.
01:23
You're gonna go ahead and log into your AWS account. We're gonna first navigate into the EC2 area of AWS.
01:30
In the GitHub materials for this course, I've specified a specific AMI, an Amazon Machine Image. I want to go ahead and create an EC2 server, and we're going to use that particular image just to prevent any potential confusion that could arise if you're using a different version of Ubuntu or the image is
01:49
set up a little bit differently.
01:52
And so what you could do is go ahead and paste the AMI into the search, and you're gonna come up with something that looks very similar to this. Let's go ahead and initiate the launch process. We're going to use the wizard here, and I'll walk through that pretty quickly. By and large, we're keeping with the default settings.
02:08
So we're going to go with the free tier t2.micro size server that's selected by default.
02:15
Excuse me. There are a few other things we're also gonna wanna set up in preparation for this. Importantly, we're not going to change anything regarding the virtual network that the server's deployed to. However, we do want to set up some security rules that will allow us to access this virtual machine.
02:32
So of course, we're gonna need to be able to ssh into this machine.
02:37
And then we're also going to set up a rule that will allow us to remotely connect to this machine from our own local Vault dev server.
02:46
And we're going to do these connections on port 27017, and we're not going to do a ton in terms of security. But just so we don't expose this to the entire world, go ahead and set the source for these rules to be My IP. And this will
03:04
set things up so that Amazon, from its public endpoint, only allows access to the server
03:10
from your IP address, and specifically for performing the SSH operations and the MongoDB connections, which take place over port 27017.
03:21
Once you've made those adjustments, let's go ahead and launch the new server.
03:28
And finally, let's create a new key pair. This is what you're going to use when you SSH into the machine, and let's just call it Mongo. And of course, it's very important to download this key pair. We're gonna copy this into our location in a little bit
03:45
and go ahead and fire off the launch instance.
03:49
It may take a few minutes for the AWS instance to get launched. Go ahead and monitor its progress on your instance console. Sure enough, in this case, it is up and running. So let's hop over to our console. First thing I want to do is I wanna take a copy of that pem file, those keys that we generated
04:08
when setting up and launching off this new instance,
04:12
and I'm gonna bring that into my current working directory. In my situation, I automatically downloaded the pem file into my Downloads directory, and I'm going to copy this into the working directory here, because we're gonna need to reference that when we're performing the SSH operations.
04:30
So let's go ahead and move that
04:32
and hopping back over to AWS, we can actually get some good instructions on how to connect to the server, which is up and running. Keep in mind it's just a simple Ubuntu Linux server at this point. They talk about using PuTTY, or whatever SSH client you have installed on your own machine. We have downloaded the Mongo.pem.
04:50
But then you can see there are some additional steps that we need to take in our environments to make sure the permissions are set correctly on the pem file.
05:00
So I'm gonna toggle back, and I'm gonna go ahead and set the permissions correctly there. And then finally, we're going to run this SSH command to access and log into the server through the public IP address. In fact, in this case, we've got a dynamically generated fully qualified domain name.
05:17
It doesn't really matter if your server is in a different Amazon region than the West one.
05:23
This should all work similarly,
05:27
so let's go ahead and ssh into the machine.
05:30
We're going to just accept it at face value that indeed the server is who it says it is.
05:36
And now we're into the machine.
05:39
Setting up MongoDB on the Ubuntu server is gonna be a pretty simple process because we're gonna use the apt package manager. The first thing I'm gonna go ahead and do is just run an apt update to update all the different packages that reside on this particular Ubuntu server.
05:56
And when that's complete, we're gonna go ahead and run apt again. We're going to run the install command. We're gonna
06:03
skip the prompting by using the -y flag, and we're going to install the mongodb package.
06:11
Once that install process completes, let's go ahead and just see if MongoDB is up and running successfully by running systemctl status and checking out the mongodb system process. And here we can see in green, active and running. So that's great. That's where we want to be.
06:29
There are a few additional things we need to do to get our MongoDB set up and allowing for the right connectivity. First thing we're gonna do here is actually create an admin account. So I'm gonna use the mongo command, which brings me to the shell and connects me to the Mongo database. Then we're gonna
06:44
log into the admin portion of the database. In fact, even if I do show dbs,
06:49
you can see there's really not a lot going on here.
06:53
Now that we're in the admin database, let's go ahead and show users, and sure enough, there are no users. So we're going to create a user. We're gonna create the admin user, and this is the user account that Vault is going to connect to MongoDB with.
07:09
So in the GitHub, I have this command pre-pasted for you,
07:14
and what you can see is we're creating the account. It's called admin. You can see the password's written out there, and the important part is that it has a role, that role being userAdminAnyDatabase. And that's going to give this particular account the necessary permissions to create
07:29
different accounts itself and assign them to different administrator databases, as well as create policies.
07:34
And these are things that Vault's gonna need the ability to do,
07:40
and we have success there.
07:42
And finally, let's go ahead and, using sudo, we're gonna edit the mongodb.conf file. If you don't know vi, you can spend a few seconds navigating that. If there's another text editor that you prefer to use in the UNIX environment, by all means, go ahead and edit this conf file
08:01
using that editor.
08:03
The important thing is this conf file is set up with permissions that do require it be edited by the root user.
08:09
We want to do two things with this properties file. One is we want to add to the bind IP the IP address of this server, so that MongoDB will not just listen to requests coming from the localhost system, but also requests coming from external.
08:26
In this case, the external is not gonna be the public IP of the server; rather, it's gonna be the internal IP, the private IP of the server. And then AWS is doing the routing of requests from that public IP
08:41
and sending them over to this private IP on the particular ports that we set during the initial instance setup process.
08:48
So I'm gonna copy that private IP over here, and I'm going to paste that into the configuration file. It's important to note we don't want a space between the comma and the second IP address, or that's gonna create some parsing errors when MongoDB starts up. And then I'm gonna navigate down and enable a property called auth equals true.
09:07
And what this is telling
09:09
MongoDB is that it needs to be authenticating users when incoming connections happen.
09:16
And so, with the configuration file updated, we need to go ahead and restart the MongoDB process for those changes to take effect. Let's go ahead and run systemctl restart mongodb,
09:30
and we can check on the status
09:33
once again. And sure enough, it's up and running. And just to do a little final test, let's run the mongo shell and log in as admin.
09:41
It's gonna prompt for a password, and the authentication database is admin. So what this is saying is I want to initiate a mongo shell as the user admin, authenticated against the admin database.
09:58
Okay,
10:03
so show dbs: we have the admin
10:07
database and then a local database.
10:15
Then, in order to accurately list all the users, because the database named admin is what we're using as the source for authentication, I need to use admin, switch into that database, and then I run the show users command, and here we can see the user ID admin, which is the user account we logged in with.
10:33
And more importantly, that's the only account that exists in MongoDB at this point in time.
10:37
Let's go ahead and exit, and that wraps up the setup process. If you're gonna proceed straight into the next video, keep this SSH terminal session open, because we're gonna be performing commands both on the Ubuntu server and on our local machine.
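The two mongodb.conf edits and the admin user creation from the walkthrough above, as an added example that is not part of the course materials. It assumes Ubuntu's `mongodb` apt package with the ini-style `/etc/mongodb.conf` (keys `bind_ip` and `auth`) that the video edits in vi; the conf path, the EC2 private IP (`172.31.0.5` is a placeholder) and the admin password are passed in by the caller rather than written into the script, which is the one place it departs from the pre-pasted GitHub command.

```shell
# Added example (not from the course): the mongodb.conf edits made by hand in
# the video, done with sed so the result can be checked before restarting.
# Assumptions: Ubuntu "mongodb" package, ini-style /etc/mongodb.conf with
# "bind_ip" and "auth" keys; conf path and private IP supplied by the caller.

# Listen on localhost plus the instance's private IP, and require auth.
configure_mongodb_conf() {
    conf="$1"        # path to mongodb.conf (a constructed copy in the test)
    private_ip="$2"  # EC2 private IP, e.g. 172.31.0.5 (placeholder value)

    # bind_ip: append the private IP after a comma with NO space after it;
    # "127.0.0.1, 172.31.0.5" makes mongod fail to parse the address list.
    if grep -q '^bind_ip' "$conf"; then
        sed -i "s/^bind_ip.*/bind_ip = 127.0.0.1,${private_ip}/" "$conf"
    else
        printf 'bind_ip = 127.0.0.1,%s\n' "$private_ip" >> "$conf"
    fi

    # auth = true: every incoming connection must authenticate. The stock
    # file ships the key commented out, so uncomment it instead of duplicating.
    if grep -q '^#*auth *=' "$conf"; then
        sed -i 's/^#*auth *=.*/auth = true/' "$conf"
    else
        printf 'auth = true\n' >> "$conf"
    fi
}

# Returns 0 only when both settings are in the exact shape mongod parses.
check_mongodb_conf() {
    conf="$1"
    grep -q '^bind_ip = 127\.0\.0\.1,[0-9][0-9.]*$' "$conf" || return 1
    grep -q '^auth = true$' "$conf" || return 1
}

# Emit the createUser command that the video runs in the mongo shell against
# the admin database; userAdminAnyDatabase is the role the course uses.
admin_user_js() {
    printf 'db.createUser({user: "admin", pwd: "%s", roles: [{role: "userAdminAnyDatabase", db: "admin"}]})\n' "$1"
}

# Usage on the server (run as root for the conf file; paths are assumptions):
#   configure_mongodb_conf /etc/mongodb.conf 172.31.0.5
#   check_mongodb_conf /etc/mongodb.conf && systemctl restart mongodb
#   admin_user_js "$MONGO_ADMIN_PASSWORD" | mongo admin
```

`check_mongodb_conf` is deliberately strict about the comma with no trailing space, which is the parsing error the video warns about, so a bad edit is caught before the restart rather than by a service that fails to come back up.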

Vault Fundamentals

Learn how HashiCorp Vault can improve your security posture when it comes to storing sensitive passwords, maintaining confidential keys, implementing encryption, and establishing robust access management.

Instructed By

James Leone
Cloud, IoT & DevSecOps at Abbott
Instructor