HashiCorp Vault on AWS

Partner Solution Deployment Guide

QS

September 2022
HashiCorp & AWS Integration and Automation team

Refer to the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Partner Solution. To comment on the documentation, refer to Feedback.

This Partner Solution was created by HashiCorp in collaboration with Amazon Web Services (AWS). Partner Solutions are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.

Overview

This Quick Start deploys HashiCorp Vault on the AWS Cloud. This guide covers the steps necessary to deploy this Quick Start.

HashiCorp Vault is a product that centrally secures, stores, and tightly controls access to tokens, passwords, certificates, encryption keys, protecting secrets and other sensitive data through a user interface (UI), a command line interface (CLI), or an HTTP application programming interface (API). Vault’s core use cases include the following:

  • Secrets management: Securely manage and deploy secrets across different environments, applications, and services.

  • Encryption and data protection: Manage encryption and keys for developers and operators across different environments, applications, and services.

  • Privileged-access management: Secure workloads for application-to-application and user-to-application credential management across different environments and services.

Vault is designed for DevOps professionals and application developers who want to manage their secrets, data, and key-value stores. It’s built using the open-source version of Vault, but it’s also compatible with Vault Enterprise.

Supplemental details, with instructions and screenshots, are available on the HashiCorp Vault and Vault Enterprise websites.

Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.

Costs and licenses

There is no cost to use this Quick Start, but you will be billed for any AWS services or resources that this Quick Start deploys. For more information, refer to the AWS Quick Start General Information Guide.

The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, affects the cost of deployment. See the pricing pages for each AWS service you use.

This Quick Start uses the open-source version of HashiCorp Vault, which does not require a license.

Architecture

Deploying this Quick Start with default parameters builds the following Vault environment in the AWS Cloud.

Architecture
Figure 1. Quick Start architecture for Vault on AWS

As shown in Figure 1, this Quick Start sets up the following:

  • A VPC with public and private subnets across three Availability Zones.

  • An internet gateway to provide access to the internet.*

  • A certificate from the AWS Certificate Manager (ACM) Secure Sockets Layer (SSL), assuming that the supplied hosted-zone ID and DNS name are associated with the Application Load Balancer.

  • An Application Load Balancer that can either be internal or external facing.

  • In the public subnets:

    • Managed network address translation (NAT) gateways to allow outbound internet access for resources.

    • A Linux bastion host to allow inbound Secure Shell (SSH) access to Amazon Elastic Compute Cloud (Amazon EC2) instances.

  • In the private subnets:

    • Auto Scaling groups that contain three, five, or seven HashiCorp Vault server instances across three Availability Zones.

    • A HashiCorp Vault environment with a Raft storage backend. Vault uses the Raft consensus algorithm to replicate data across the cluster.

  • An AWS Secrets Manager secret that contains the root token and unseal keys created during the HashiCorp Vault cluster initialization.

  • An AWS Key Management Service (AWS KMS) key that is used to auto-unseal HashiCorp Vault as well as encrypt the AWS Secrets Manager secret.

* The template that deploys this Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

Deployment options

This Quick Start provides the following deployment options:

  • Deploy Vault into a new VPC. This option builds a new AWS environment that consists of the VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components. It then deploys Vault into this new VPC.

  • Deploy Vault into an existing VPC. This option provisions Vault in your existing AWS infrastructure.

This Quick Start provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Vault settings.

Predeployment steps

Specialized knowledge

Before you deploy this Quick Start, become familiar with the following AWS services. If you are new to AWS, see Getting Started with AWS.

Note: The Center for Internet Security (CIS) Amazon Machine Image (AMI) for Ubuntu Linux 16.04 LTS is available as an optional, hardened AMI type. The image of Ubuntu Linux 16.04 LTS is preconfigured by CIS according to their benchmark recommendations. For more information, see CIS Ubuntu Linux 16.04 LTS Benchmark — Level 1.

Prepare an AWS account

  1. If you don’t already have an AWS account, create one at http://aws.amazon.com by following the on-screen instructions.

  2. Use the selector in the navigation bar to choose the AWS Region where you want to deploy HashiCorp Vault on AWS.

  3. Create a key pair in your preferred Region. If necessary, request a service quota increase for the Amazon EC2 t3.medium and m5.large instance types. You might need to request an increase if you already have an existing deployment that uses this instance type, and you think you might exceed the default quota with this reference deployment.

Subscribe to CIS Ubuntu Linux 16.04 LTS

This Quick Start recommends subscribing to the AMI for CIS Ubuntu Linux 16.04 LTS Benchmark — Level 1 in AWS Marketplace.

  1. Sign in to your AWS account.

  2. Open the page for the CIS Ubuntu Linux 16.04 LTS Benchmark — Level 1 AMI in AWS Marketplace, and then choose Continue to Subscribe.

  3. Review the terms and conditions for software usage, and then choose Accept Terms. A confirmation page loads, and an email confirmation is sent to the account owner. For detailed subscription instructions, see the AWS Marketplace documentation.

  4. When the subscription process is complete, exit AWS Marketplace without further action.

Warning: Do not provision the software from AWS Marketplace. The Quick Start deploys the AMI for you.

Deployment steps

  1. Sign in to your AWS account, and launch this Partner Solution, as described under Deployment options. The AWS CloudFormation console opens with a prepopulated template.

  2. Choose the correct AWS Region, and then choose Next.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

    Unless you’re customizing the Partner Solution templates or are instructed otherwise in this guide’s Predeployment section, don’t change the default settings for the following parameters: QSS3BucketName, QSS3BucketRegion, and QSS3KeyPrefix. Changing the values of these parameters will modify code references that point to the Amazon Simple Storage Service (Amazon S3) bucket name and key prefix. For more information, refer to the AWS Partner Solutions Contributor’s Guide.
  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select all of the check boxes to acknowledge that the template creates AWS Identity and Access Management (IAM) resources that might require the ability to automatically expand macros.

  7. Choose Create stack. The stack takes about 30 minutes / 1 hour to deploy.

  8. Monitor the stack’s status, and when the status is CREATE_COMPLETE, the HashiCorp Vault deployment is ready.

  9. To view the created resources, choose the Outputs tab.

Postdeployment steps

Verify successful deployment

You can use the URL displayed in the Outputs tab for the stack to view the resources that were created.

output1
Figure 2. HashiCorp Vault outputs after successful deployment

Review audit logs

This Quick Start is configured to ship Vault audit logs to Amazon CloudWatch. To see your logs, open the Amazon CloudWatch console. In the navigation pane, choose Logs, and then select Vault-Audit-Logs-XXXX value from the Outputs section. You will see a screen that is similar to Figure 3.

auditlogs
Figure 3. Viewing Vault audit logs

Test the deployment

To access the Vault server cluster environment, access the Application Load Balancer endpoint that was created during the deployment.

  1. Locate the AWS Secrets Manager secret from the Outputs tab. The secret contains the Vault root token and recovery secrets for Vault.

output2
Figure 4. AWS Secrets Manager secret from the CloudFormation stack outputs
  1. Locate the Application Load Balancer endpoint address from the Outputs tab of the AWS CloudFormation console.

output3
Figure 5. Vault load balancer from CloudFormation stack outputs
  1. Use your preferred web browser to open the URL. On the Vault server login screen, use the root token from AWS Secrets Manager to log in to the Vault server cluster.

vaultlogin
Figure 6. HashiCorp Vault cluster login screen

Note: Ensure that you have network access to this address. Specifically, for internal load balancers, you must configure the VPC to allow this.

Get started with HashiCorp Vault

To integrate Vault with your environment and get started, see the Getting Started section of the HashiCorp Vault website.

Deploy Vault with a CIS Ubuntu Linux 16.04 LTS–hardened AMI

The CIS AMI for Ubuntu Linux 16.04 LTS is available as an optional, hardened AMI type. The image of Ubuntu Linux 16.04 LTS is preconfigured by CIS according to their benchmark recommendations. For more information, see CIS Ubuntu Linux 16.04 LTS Benchmark — Level 1.

Deploy Vault with Raft-integrated storage

Raft consensus algorithm is enabled by default. Using Raft as a storage backend eliminates reliance on any third-party systems, and it implements high availability, supports enterprise replication features, and provides backup/restore workflows. For more information, see the following HashiCorp pages.

Manage Vault Agent using AWS Auth method

AWS Auth method is available as an optional Auth method in the deployment wizard. The AWS Auth method provides an automated mechanism to retrieve a Vault token for IAM principals and Amazon EC2 instances. For more information, see Vault Agent with AWS.

Manage Vault Agent using Kubernetes Auth method

Kubernetes Auth method is an option in the deployment wizard. The Kubernetes Auth method can be used to authenticate with Vault using a Kubernetes service account token. For more information, see Vault Agent with Kubernetes.

Manage Vault Auto Unseal using AWS KMS

Vault Auto Unseal was developed to aid in reducing the operational complexity of keeping the master key secure. For more information, see Auto Unseal using AWS KMS.

Troubleshooting

For troubleshooting common Quick Start issues, refer to the AWS Quick Start General Information Guide and Troubleshooting CloudFormation.

Encountering a CREATE_FAILED error when launching the Quick Start

If AWS CloudFormation fails to create the stack, relaunch the template with Rollback on failure set to No. This setting is under Advanced in the AWS CloudFormation console on the Options page. With this setting, the stack’s state is retained and the instance is left running, so you can troubleshoot the issue. (For Windows, look at the log files in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.)

When you set Rollback on failure to Disabled, you continue to incur AWS charges for this stack. Be sure to delete the stack when you finish troubleshooting.

For additional information, see Troubleshooting AWS CloudFormation on the AWS website.

Encountering a size limitation error when deploying the AWS CloudFormation templates

Launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a location other than an S3 bucket, you might encounter template size limitations. For more information, refer to AWS CloudFormation quotas.

Resources

Customer responsibility

After you deploy a Partner Solution, confirm that your resources and services are updated and configured—including any required patches—to meet your security and other needs. For more information, refer to the Shared Responsibility Model.

Feedback

To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Partner Solution. To submit code, refer to the Partner Solution Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.