Here are the detailed steps for each part of the setup:
To create an AWS EC2 instance with Ubuntu, you can use the AWS Management Console or the AWS CLI. Here are the steps involved in creating an EC2 instance using the AWS Management Console:
- Go to the AWS Management Console and navigate to the EC2 service.
- Click on the Launch Instance button.
- Select the Ubuntu Server xx.xx LTS AMI.
- Select the instance type that you want to use.
- Configure the instance settings.
- Click on the Launch button.
To install Vault on the EC2 instance, you can use the following steps:
Install gpg
sudo apt update && sudo apt install gpg
Download the signing key to a new keyring
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
Verify the key's fingerprint
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
Add the HashiCorp repo
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update
Finally, install Vault
sudo apt install vault
To start Vault in development mode for this walkthrough, use the following command:
vault server -dev -dev-listen-address="0.0.0.0:8200"
Note what -dev gives you: an in-memory, already-unsealed server with TLS disabled and a root token printed to the terminal. Binding to 0.0.0.0:8200 makes that server reachable on every interface of the instance, so anything the security group allows through port 8200 gets an unsealed Vault over plain HTTP. Restrict the security group to your own address, treat the instance and every secret in it as disposable, and use a real server configuration with persistent storage and TLS for anything beyond this exercise. Because the dev server speaks HTTP, point the CLI at it by setting VAULT_ADDR to http://<address>:8200 before running the commands below (the CLI defaults to https://127.0.0.1:8200).
Detailed steps to enable and configure AppRole authentication in HashiCorp Vault:
- Enable AppRole Authentication:
To enable the AppRole authentication method in Vault, use the Vault CLI or the Vault HTTP API.
Using Vault CLI:
Run the following command to enable the AppRole authentication method:
vault auth enable approle
This mounts the AppRole auth method at auth/approle/, which is the prefix used by the role, role-id and secret-id paths below.
- Create an AppRole:
First create the policy that the role will attach to its tokens:
vault policy write terraform - <<EOF
path "*" {
capabilities = ["list", "read"]
}
path "secrets/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "kv/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "auth/token/create" {
capabilities = ["create", "read", "update", "list"]
}
EOF
A few things to check before using this policy as written. The first stanza, path "*" with list and read, grants read access to every path in Vault, including every secrets mount, sys/ and auth/, which is far more than Terraform needs; scope it to the mounts Terraform actually reads once you know which they are. The three */data/* stanzas are KV version 2 paths for mounts named secrets, kv and secret; with KV v2, listing keys goes through <mount>/metadata/* rather than <mount>/data/*, which the catch-all happens to cover today and which you will need to add explicitly once the catch-all is removed. The auth/token/create stanza is there because the Terraform Vault provider creates a short-lived child token for its own use by default; if you configure the provider to skip the child token, this stanza can go.
Now you'll need to create an AppRole with appropriate policies and configure its authentication settings. Here are the steps to create an AppRole:
a. Create the AppRole:
vault write auth/approle/role/terraform \
secret_id_ttl=10m \
token_num_uses=10 \
token_ttl=20m \
token_max_ttl=30m \
secret_id_num_uses=40 \
token_policies=terraform
What these parameters mean: a Secret ID issued for this role must be used within 10 minutes (secret_id_ttl) and can be used for at most 40 logins (secret_id_num_uses); the token Vault hands back lives 20 minutes (token_ttl), can be renewed until 30 minutes after it was created (token_max_ttl), and is revoked after 10 requests (token_num_uses). Every API call Terraform makes with that token counts as a use, so a run that reads more than a handful of secrets will fail partway through with a revoked token; raise token_num_uses, or set it to 0 for unlimited uses, if that happens.
- Generate Role ID and Secret ID:
After creating the AppRole, you need to generate a Role ID and Secret ID pair. The Role ID is a static identifier, while the Secret ID is a dynamic credential.
a. Generate Role ID:
You can retrieve the Role ID using the Vault CLI:
vault read auth/approle/role/terraform/role-id
Save the Role ID for use in your Terraform configuration.
b. Generate Secret ID:
To generate a Secret ID, you can use the following command:
vault write -f auth/approle/role/terraform/secret-id
This command generates a Secret ID and returns it in the response. Save the Secret ID securely, as it will be used for Terraform authentication. With the role as configured above it expires 10 minutes after issue, so generate it immediately before the Terraform run that will use it rather than storing it long term.
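The login exchange that the Role ID and Secret ID are for, as an added example that is not part of the original page or HashiCorp's own code: it performs the HTTP equivalent of vault write auth/approle/login role_id=... secret_id=... against the role defined above, using only the Python standard library, and parses the token, policies, TTL and use count that come back. VAULT_ADDR, ROLE_ID and SECRET_ID are assumed to be supplied as environment variables when it is run as a script; SAMPLE_LOGIN_RESPONSE and SAMPLE_ERROR_RESPONSE are constructed bodies in the shape Vault returns, included so the parsing can be exercised without a live server.

```python
"""AppRole login over Vault's HTTP API, the equivalent of
`vault write auth/approle/login role_id=... secret_id=...`.

Added example for this guide; not code from the page or from HashiCorp.
Assumed: VAULT_ADDR, ROLE_ID and SECRET_ID come from the environment when
run as a script. SAMPLE_LOGIN_RESPONSE / SAMPLE_ERROR_RESPONSE below are
constructed response bodies in the shape Vault returns for the 'terraform'
role defined above (token_ttl=20m -> lease_duration 1200, token_num_uses=10).
"""
import json
import os
import urllib.error
import urllib.request

LOGIN_PATH = "/v1/auth/approle/login"


def build_login_payload(role_id, secret_id):
    """Body of the POST to auth/approle/login. Both values are required;
    fail early instead of sending an empty credential to Vault."""
    if not role_id or not secret_id:
        raise ValueError("role_id and secret_id are both required")
    return {"role_id": role_id, "secret_id": secret_id}


def parse_login_response(body):
    """Extract the client token and its constraints from a login response.

    A successful login carries the token under auth.client_token; a failed
    one comes back as {"errors": [...]} with no 'auth' key at all."""
    data = json.loads(body) if isinstance(body, (bytes, str)) else body
    auth = data.get("auth") or {}
    token = auth.get("client_token")
    if not token:
        raise ValueError("no auth.client_token in response: %s" % data.get("errors"))
    return {
        "token": token,
        "policies": sorted(auth.get("token_policies", [])),
        "lease_duration": int(auth.get("lease_duration", 0)),
        "renewable": bool(auth.get("renewable", False)),
        "num_uses": int(auth.get("num_uses", 0)),
        "role_name": (auth.get("metadata") or {}).get("role_name"),
    }


def approle_login(vault_addr, role_id, secret_id, timeout=10):
    """Perform the login exchange and return the parsed token details.

    Under the role above the Secret ID expires 10 minutes after issue, so
    generate it right before calling this."""
    url = vault_addr.rstrip("/") + LOGIN_PATH
    payload = json.dumps(build_login_payload(role_id, secret_id)).encode()
    req = urllib.request.Request(
        url, data=payload, method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_login_response(resp.read())
    except urllib.error.HTTPError as exc:
        # Vault returns the reason (e.g. "invalid secret id") in the JSON body.
        raise RuntimeError("AppRole login failed (HTTP %d): %s"
                           % (exc.code, exc.read().decode(errors="replace")))


# Constructed sample of a successful login for the 'terraform' role: the
# role's policy plus the implicit 'default' policy, a 1200 s (20 m) lease
# and the 10-use limit from token_num_uses.
SAMPLE_LOGIN_RESPONSE = json.dumps({
    "auth": {
        "client_token": "hvs.CAESIexampletoken",
        "accessor": "exampleaccessor",
        "token_policies": ["default", "terraform"],
        "metadata": {"role_name": "terraform"},
        "lease_duration": 1200,
        "renewable": True,
        "token_type": "service",
        "num_uses": 10,
    }
})

# Constructed sample of the body Vault sends with HTTP 400 on a bad Secret ID.
SAMPLE_ERROR_RESPONSE = json.dumps({"errors": ["invalid secret id"]})


if __name__ == "__main__":
    # Live run: VAULT_ADDR (e.g. http://127.0.0.1:8200), ROLE_ID and
    # SECRET_ID are assumed to be set in the environment.
    details = approle_login(os.environ["VAULT_ADDR"],
                            os.environ["ROLE_ID"], os.environ["SECRET_ID"])
    print("policies=%s ttl=%ss uses=%s renewable=%s" % (
        details["policies"], details["lease_duration"],
        details["num_uses"], details["renewable"]))
    print("export VAULT_TOKEN=%s" % details["token"])
```

The parsed num_uses and lease_duration are worth printing before handing the token to Terraform: if they come back as 10 and 1200 you know the role's limits are the ones you intended, and a num_uses of 10 is the value to raise first if a run dies with a permission error after a few reads.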