Free course: Deploying HashiCorp Vault with AWS Secrets Engine

Deploying HashiCorp Vault with AWS Secrets Engine

I am providing my course, Deploying HashiCorp Vault with AWS Secrets Engine for no charge - available on YouTube. I’ll keep this page updated with additional material and update the videos on YouTube as needed.

Introduction

In this lecture, we will cover the course content and the benefits of using HashiCorp Vault with the AWS secrets engine integration.

Resources

• Slidedeck

Terminology and scope of deployment

In this lecture we’ll cover the terminology used in the remainder of the course. Also, we will cover what the actual deployment will look like once completed.

Resources

• Slidedeck
• Vault Topology

Set up the AWS environment

In this lecture, you will be provisioning the AWS resources needed to support the Vault environment. All steps are provided including the downloadable materials which need to be used. Please view Lecture 9 for a walk-through of deploying the 2 Availability Zone VPC using CloudFormation if needed.

Resources

• Slidedeck
• EC2 UserData (Bootstrap)

Deploying a 2 availability zone VPC with CloudFormation

A brief walk-through of deploying the 2AZ in VPC using CloudFormation in the AWS console.

Resources

• https://github.com/troydieter/cloud-automation

Set up HashiCorp Vault on AWS

In this lecture, we will create the needed Route53 record set to point to the alias Elastic Load Balancer. We will also initialize and unseal the Vault. An example of the payload.json mentioned in the video is in the Downloadable Materials section.

Resources

• Slidedeck
• Vault Config
• Vault Unseal
• Payload

AWS Secrets Engine Configuration

In this lecture, you will enable the AWS secrets engine and create a new role for a Data Scientist. You will also generate token based, temporary access key & secret access keys using this new role!

Resources

• Slidedeck

AppRole and additional methods

Various authentication methods (including user\pass, LDAP (including AD), token-based, key-value) are available to extend the abilities of Vault. Browse to the below external resource to view Vault’s official documentation on extending Vault’s capabilities to include additional authentication methods.

Resources

• Slidedeck

Vault Credential Rotator Tool

This lecture will cover a walk-through of using vault-credential-rotator (https://github.com/troydieter/vault-credential-rotator) which allows for:

• Easy vault key rotation stored in your AWS credential store

• Supported in Windows, Linux & MacOS

• Supports LDAP authentication method

Resources

• GitHub: Vault Credential Rotator

Generating AppRole authentication credentials to be used with AWS secrets engine

This lecture will cover the use of the AppRole authentication method, and how to generate the required credentials to distribute. The script referenced in the lecture is provided here as well (approle.py). Ensure the values are changed accordingly, which are demonstrated in the lecture video.

Resources

• Approle.py

Bonus: Set up HashiCorp Vault using a Helm chart in Kubernetes

In this lecture, we’ll briefly cover the deployment of HashiCorp Vault using a Helm Chart to a Kubernetes cluster. Feel free to follow Lecture 5 & 6 to configure the AWS secrets engine after deploying via Helm.

Resources

• Helm Configuration Values