- A server with at least 2GB RAM and 2 CPUs.
- OS: Ubuntu, CentOS, or another Linux distribution.
- Open ports: 8200 (Vault HTTP API) and 8201 (Cluster communication).
Download Vault binary:

```shell
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vault -y
```
Verify Installation:

```shell
vault --version
```
Enable Vault as a Service (Optional): Create the file /etc/vault.d/vault.hcl with a basic configuration:

```hcl
storage "file" {
  path = "/opt/vault/data"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1   # plain HTTP, suitable for a lab only; enable TLS before exposing port 8200
}

ui = true
```

Enable and start the Vault service:

```shell
sudo systemctl enable vault
sudo systemctl start vault
```
Initialize Vault:

```shell
vault operator init
```

- Vault generates 5 unseal keys and a root token.
- Save these securely.
Unseal Vault: Use three of the five unseal keys to unseal Vault:

```shell
vault operator unseal <UNSEAL_KEY_1>
vault operator unseal <UNSEAL_KEY_2>
vault operator unseal <UNSEAL_KEY_3>
```
Log in to Vault: Use the root token to log in:

```shell
vault login <ROOT_TOKEN>
```
Enable KV Secrets Engine (v2):

```shell
vault secrets enable -path=secret kv-v2
```
Verify Secrets Engine:

```shell
vault secrets list
```
Add a Secret: Store AWS credentials as an example:

```shell
vault kv put secret/aws access_key_id=AKIA1234 secret_access_key=abcd1234xyz
```
View the Secret:

```shell
vault kv get secret/aws
```
Enable AppRole Authentication:

```shell
vault auth enable approle
```
Create a Policy for Access: Create a policy file, e.g., aws-policy.hcl (KV v2 stores data under the data/ prefix, so the path is secret/data/aws):

```hcl
path "secret/data/aws" {
  capabilities = ["read"]
}
```

Apply the policy:

```shell
vault policy write aws-policy aws-policy.hcl
```
Create an AppRole:

```shell
vault write auth/approle/role/cicd-role \
  token_policies="aws-policy" \
  secret_id_ttl=24h \
  token_ttl=1h \
  token_max_ttl=4h
```

Retrieve Role ID and Secret ID:

Fetch the Role ID:

```shell
vault read auth/approle/role/cicd-role/role-id
```

Generate a Secret ID:

```shell
vault write -f auth/approle/role/cicd-role/secret-id
```
Test AppRole Authentication:

Use the Role ID and Secret ID to authenticate:

```shell
vault write auth/approle/login role_id="<ROLE_ID>" secret_id="<SECRET_ID>"
```

Vault will return a token. Use it for accessing secrets.
Install HashiCorp Vault Plugin in Jenkins:
- Go to Jenkins Dashboard > Manage Jenkins > Plugins > Install "HashiCorp Vault" and "HashiCorp Vault Pipeline" plugins.
Add Vault Configuration in Jenkins:
- Go to Jenkins Dashboard > Manage Jenkins > Configure System.
- Add Vault server URL and authentication method (e.g., AppRole).
Jenkins Pipeline Script to Fetch Secrets: Use the withVault step to retrieve secrets dynamically. Example Jenkins Pipeline Code:

```groovy
pipeline {
    agent any
    environment {
        // Used by any shell steps that call the vault CLI; withVault itself uses
        // the server URL and credential configured under Manage Jenkins.
        VAULT_ADDR = 'http://<VAULT_SERVER>:8200'
    }
    stages {
        stage('Fetch Secrets') {
            steps {
                withVault([vaultSecrets: [
                    // engineVersion 2 matches the kv-v2 mount enabled above
                    [path: 'secret/aws', engineVersion: 2, secretValues: [
                        [envVar: 'AWS_ACCESS_KEY_ID', vaultKey: 'access_key_id'],
                        [envVar: 'AWS_SECRET_ACCESS_KEY', vaultKey: 'secret_access_key']
                    ]]
                ]]) {
                    // Shown only to confirm injection; do not echo secret values in a real pipeline
                    sh 'echo AWS Access Key: $AWS_ACCESS_KEY_ID'
                }
            }
        }
    }
}
```
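Under the hood, the withVault step performs the same two HTTP calls the AppRole test above makes with the CLI: a POST to auth/approle/login, then a read of the KV v2 path with the returned token. The script below is an added example, not code from the page or from the Jenkins plugin; it uses only the Python standard library, and the two sample responses at the top are constructed to match Vault's response shape (the token value is a placeholder). It also checks what a CI job should check: that the token carries only aws-policy and honours the 1h token_ttl, and that the secret version has not been deleted.

```python
import json
import urllib.request

# Constructed sample responses (not captured from a real server), in the shape
# Vault returns for auth/approle/login and for a KV v2 read of secret/data/aws.
SAMPLE_LOGIN_RESPONSE = json.dumps({"auth": {
    "client_token": "hvs.EXAMPLE-PLACEHOLDER", "token_policies": ["aws-policy", "default"],
    "metadata": {"role_name": "cicd-role"}, "lease_duration": 3600,
    "renewable": True, "token_type": "service"}})
SAMPLE_KV_RESPONSE = json.dumps({"data": {
    "data": {"access_key_id": "AKIA1234", "secret_access_key": "abcd1234xyz"},
    "metadata": {"version": 1, "created_time": "2024-01-01T00:00:00Z",
                 "destroyed": False, "deletion_time": ""}}})

def parse_login_response(body, expected_policy="aws-policy", max_ttl=3600):
    """Extract the client token from the AppRole login response and check that it
    carries only the expected policy (never root) and that its TTL stays within
    the 1h token_ttl configured on cicd-role."""
    auth = json.loads(body)["auth"]
    policies = auth["token_policies"]
    if "root" in policies or expected_policy not in policies:
        raise ValueError(f"unexpected policies on CI token: {policies}")
    if auth["lease_duration"] > max_ttl:
        raise ValueError(f"token TTL {auth['lease_duration']}s exceeds {max_ttl}s")
    return {"token": auth["client_token"], "ttl": auth["lease_duration"],
            "renewable": auth["renewable"], "policies": policies}

def parse_kv2_read(body):
    """KV v2 nests the stored key/values under data.data; data.metadata carries the
    version, which is what you track when rotating the secret."""
    data = json.loads(body)["data"]
    if data["metadata"].get("destroyed") or data["metadata"].get("deletion_time"):
        raise ValueError("this secret version has been deleted or destroyed")
    return data["data"], data["metadata"]["version"]

def fetch_aws_creds(vault_addr, role_id, secret_id):
    """Live flow: POST auth/approle/login, then GET secret/data/aws with the token."""
    login_req = urllib.request.Request(
        f"{vault_addr}/v1/auth/approle/login", method="POST",
        data=json.dumps({"role_id": role_id, "secret_id": secret_id}).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(login_req, timeout=5) as resp:
        login = parse_login_response(resp.read())
    kv_req = urllib.request.Request(f"{vault_addr}/v1/secret/data/aws",
                                    headers={"X-Vault-Token": login["token"]})
    with urllib.request.urlopen(kv_req, timeout=5) as resp:
        return parse_kv2_read(resp.read())
```

Against a live server, call fetch_aws_creds("http://<VAULT_SERVER>:8200", role_id, secret_id) and log only the returned key names and version, never the values.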
Restrict Unseal Key Access: Use tools like AWS KMS or HSM to store unseal keys securely.
Enable Audit Logs:

```shell
vault audit enable file file_path=/var/log/vault_audit.log
```

Rotate Secrets: Periodically rotate secrets for added security.

By following these steps, you can set up HashiCorp Vault, securely store secrets, configure authentication, and integrate it seamlessly into a Jenkins CI/CD pipeline. This ensures secrets are dynamically fetched, securely managed, and never hardcoded into your pipeline scripts.