Time
4 hours 53 minutes
Difficulty
Beginner
CEU/CPE
5

Video Transcription

00:02
It's time to use Vault. In this video, we're going to start a local instance on your machine.
00:09
Get a little introduction to the concept of token authentication with Vault.
00:14
Play around with some very simple commands using the command line interface as well as the HTTP REST interface, explore Vault's web user interface, and review important information about the command line interface as well as the REST API.
00:29
Before we get going, a little bit of a disclaimer: we're running Vault locally for exploring and learning the tool. The dev mode makes it very easy to get up and running, but it is not set up for production. There's a lot of hardening, a lot of additional configurations on a Vault server you'd want to put in place before you went prime time,
00:48
and we will discuss many of those later in this course.
00:50
But for now, this is great. This is easy to get really a good understanding with a minimal amount of overhead.
00:58
To begin, we're gonna take a look at the GitHub site for this training course, because it has a lot of commands that you're gonna want to refer to as we move along, um, broken down into different directories for the different modules of the training course. We're on module three right now, secret storage, and we're talking about launching the dev server. So
01:17
this is the first command we're going to run from the command line. So go ahead, open your terminal
01:23
and it should be loaded. Vault should be in your path. We set that up in the last course, and let's launch Vault. It's vault server, and then we're passing the dev flag to do it in dev mode. With the server now running,
01:37
we want to access it and interact with it. So we're gonna open up a different tab
01:42
that will be used for our client invocation and interactions.
01:49
I'm gonna run the most simple command from Vault,
01:53
vault version, just to make sure I have everything installed. This is using 131. But let's take a look and see what is the status of the server. And so when I run this command the first time, you'll notice it fails, and it's talking about https localhost, a loopback URL, 8200, and it's saying I'm not getting any sort of response.
02:13
If I scroll up
02:14
and look at the output produced when I launched the dev server, I see a variety of warnings and disclaimers, but I also see "you may need to set up the following environment variable." And the reason is because this dev mode version of Vault,
02:30
it's not, um, running under SSL. It's not TLS, right? It's unencrypted. That's fine, because we're just doing everything locally. Obviously, in a production environment, you wouldn't want to do that. So I'm gonna go ahead. I'm gonna take the advice. I'm going to set the Vault address. This is a special environment variable that the Vault command line looks at,
02:49
which will override
02:50
its default assumption that you're using TLS for your interactions with Vault.
02:57
Now we'll run vault status again. There it is. We're very happy and pleased to see that it is indeed initialized and things are up and running. And you also noticed that, when the command failed, it talks about HTTP response to an HTTPS client and all this kind of stuff,
03:15
even though we were just running a command line utility
03:16
because under the covers, most of the interactions that happen with Vault are done through Vault's API exposed over HTTP, right? A REST API.
03:30
And when you're creating software programs and using other applications, that's going to be the mechanism that they interact and communicate with Vault: it's over HTTP, by and large. So what I want to do is run a particular curl command,
03:46
which is, curl's a utility to perform HTTP interactions, so that we can take a little closer look and remove this layer of the Vault CLI client and actually start diving into seeing
04:01
the actual internals, Vault's communication protocols and APIs, at a lower level.
04:08
Before doing that, we need to set up a new environment variable for the root token. So another thing: when Vault launched on our local system in dev mode, it automatically spits out this root token. And the token is the way that the client
04:27
identifies itself and authenticates with Vault,
04:30
which then allows it to be authorized to perform certain interactions. And the root token is the superuser. It is the root account like you would have on any Linux machine. So the CLI interface was automatically set up when the dev server had launched
04:48
to know
04:49
this is the root token, because there's a super secret file that was created on my file system that the CLI interface looked at to identify the token. But when we're using curl, it's not gonna know where that file is. It has no idea what Vault is, so I want to just go ahead and I'm gonna export
05:09
the Vault... I've created an environment variable that has that token, just for future use and simplicity in our next and upcoming curl command. So now let's go ahead. I'm copying and pasting the curl command from the GitHub website so you don't have to type it all in there manually.
05:28
You can t
05:30
Um, let's run it and kind of see what happens. The one thing to note is that I asked it to include the headers and be verbose, especially in this first time, so we can understand what's going on. So the TCP client, or, excuse me, the curl client, opened its TCP connection and made a connection
05:47
to port 8200 on localhost.
05:51
It issued the HTTP GET command and it's calling v1 sys host information, right? And then the one thing of note included in the request header was the Vault token. So this X-Vault-Token, that's a header parameter that you need to include. And that's what Vault looks at to identify who I am and authenticate me and say, Yes,
06:10
I do have the rights and I do have business
06:15
giving, or rather receiving, all the host information from this source about the server. And then it goes ahead. It returns a 200 code. It's good, everything's okay, and saying content type is going to be JSON, and then we have the date, and then we have a bunch of output formatted in JSON. So
06:32
that's a bit messy to look at. If you installed the jq
06:38
utility, particularly on Linux, I think on Windows that will work as well, and of course Mac, that's nice to help get that response, which is in a JSON format but it's kind of all bundled together, and just put it in a nice little format and mechanism. So I piped it over to jq,
06:56
and here we can see this is really what the response was
07:00
when I issued the inquiry of system information.
07:04
So spend the time you want reviewing the system information output. You may find some things interesting. You may find some things not so interesting.
07:12
I'm gonna move now and we're gonna pop back over to our GitHub page, because what I want to do is connect to this local Vault server. But I want to do it through the third mechanism of interacting with Vault, and that is the web user interface.
07:27
So I navigate to the web user interface and you'll notice right away it's asking me to authenticate myself. In this particular case, there's a variety of authentication methods; we'll get into those throughout the training. At this point token is all that's enabled. And we just talked about the root token. So what I want to do is I'm gonna paste the root token that was provided
07:46
in the Vault console
07:47
when the whole process booted up over here and we got the server going, so that we sign in and we are now root. We're the superuser. We can do all sorts of activities.
08:07
Go ahead and explore the web interface as you see fit
08:11
secrets engines, different access methods, configuring policies, which control who can do what, and a few utilities. You'll also notice there is a nice built-in command line interface. So using the web, you can actually perform command line commands as if you had that Vault command line utility.
08:31
And the reason for this is because there's
08:33
only so much you can do through the web interface. Ultimately, you can do everything through the HTTP API. See, there's a link to the HTTP documentation that HashiCorp has published, everything you wanted to know about that API,
08:50
including some nice things, like the client libraries, because when your developers are working on things, even when you're making scripts or working with Ansible,
08:56
you're probably not gonna be creating curl commands yourself. More often than not, you're going to be using one of these libraries that will simplify the amount of interaction, parsing the JSON responses and so forth.
09:07
And then, of course, from the GitHub page, we have a link to the CLI documents, which are a little more thorough and extensive than just running the dash h argument, passing the dash h argument to your command line; that will provide you some output. But this documentation and reference utility is great
09:26
because we're not gonna be able to cover everything
09:28
in this training. So some of these things you're gonna want to come back to, both of these resources, when you're starting to use Vault in the real world.
09:37
To summarize this lesson:
09:41
What did we do? We started Vault.
09:43
We learned about token authentication.
09:46
We ran some commands using both the CLI as well as interacting with the HTTP REST API using the curl utility. We explored the web API and we took a look at valuable resources, the reference documentation for both the CLI and
10:03
the HTTP REST API.

Up Next

Vault Fundamentals

Learn how HashiCorp Vault can improve your security posture when it comes to storing sensitive passwords, maintaining confidential keys, implementing encryption, and establishing robust access management.

Instructed By

James Leone
Cloud, IoT & DevSecOps at Abbott
Instructor