
HA cluster Vault with Consul on AWS

In this article we deploy Vault on AWS with Consul as its storage backend. Vault manages your secrets (passwords, tokens and other sensitive data) and controls how they are stored and accessed; Consul provides the distributed, replicated key/value store that Vault's encrypted data lives in.

On AWS we need four EC2 instances: one Vault node and three Consul nodes. Three Consul servers are the minimum for a quorum, so the cluster keeps serving if one server is lost. Let's configure Consul first. What is a quorum? See https://en.wikipedia.org/wiki/Quorum

If you would rather automate the whole setup, there is an Ansible repository that does it in a few steps: https://github.com/KotHit/vault-consul-ansible-aws
The following commands should be executed on all three Consul nodes:
Step 1: Download Consul
wget https://releases.hashicorp.com/consul/1.5.0/consul_1.5.0_linux_amd64.zip
HashiCorp publishes a consul_1.5.0_SHA256SUMS file next to the zip; compare the download against it before installing the binary.
Step 2: Unpack the archive, install the binary and remove the zip
unzip consul_1.5.0_linux_amd64.zip
sudo cp consul /usr/local/bin/
rm -f consul_1.5.0_linux_amd64.zip
Step 3: Create the config and data directories for Consul
sudo mkdir -p /etc/consul.d/scripts
sudo mkdir -p /var/consul
Step 4 is executed on one Consul node only
Step 4: Generate the gossip encryption key
consul keygen
This prints a base64 key that encrypts and authenticates the gossip traffic between agents. Run it once and put the same value into the "encrypt" field on every node: agents with different keys cannot join each other.
Step 5: Create the configuration file on every Consul node
sudo vi /etc/consul.d/config.json
Replace the "encrypt" value with the key you generated in Step 4 (the one below is only an example, and a key printed in a public article has to be treated as known to everyone) and put your own private IPs into "start_join":

{
  "bootstrap_expect": 3,
  "client_addr": "0.0.0.0",
  "datacenter": "us-central",
  "data_dir": "/var/consul",
  "domain": "consul",
  "enable_script_checks": true,
  "dns_config": {
    "enable_truncate": true,
    "only_passing": true
  },
  "enable_syslog": true,
  "encrypt": "goplCZgdmOFMZ2Q43To0jw==",
  "leave_on_terminate": true,
  "log_level": "INFO",
  "rejoin_after_leave": true,
  "server": true,
  "start_join": [
    "10.128.0.2",
    "10.128.0.3",
    "10.128.0.4"
  ],
  "ui": true
}
Two settings here deserve attention. "client_addr": "0.0.0.0" exposes the HTTP API and the UI on every interface, and "enable_script_checks": true lets anyone who can reach that API register a health check that runs an arbitrary command on the node. Restrict port 8500 to the Vault node and to administrators in the security group, or bind client_addr to 127.0.0.1, and prefer enable_local_script_checks, which only honours script checks defined in local config files.
Create a systemd unit for Consul that runs consul agent -config-dir=/etc/consul.d and reload systemd
sudo vi /etc/systemd/system/consul.service
sudo systemctl daemon-reload
Start Consul and check that all nodes see each other
sudo systemctl start consul
sudo systemctl status consul
Once the three servers have joined, consul members lists them with Type server. The fourth entry below, Type client, is the Consul agent running on the Vault node, which Vault talks to on 127.0.0.1:8500 in its storage configuration further down.
[ec2-user@ip-10-0-1-206 ~]$ consul members
Node                                          Address           Status  Type    Build  Protocol  DC          Segment
ip-10-0-1-136.eu-central-1.compute.internal   10.0.1.136:8301   alive   server  1.2.0  2         us-central  
ip-10-0-1-206.eu-central-1.compute.internal   10.0.1.206:8301   alive   server  1.2.0  2         us-central  
ip-10-0-10-165.eu-central-1.compute.internal  10.0.10.165:8301  alive   server  1.2.0  2         us-central  
ip-10-0-10-235.eu-central-1.compute.internal  10.0.10.235:8301  alive   client  1.2.0  2         us-central   
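The Consul setup above works, but it leaves the agent reachable and scriptable by anyone who can hit port 8500. The following shell script is an added example, not code from the article or from HashiCorp: it renders a config.json that keeps the article's layout and closes those settings (loopback client_addr, enable_local_script_checks, a default-deny ACL block, retry_join in place of start_join), writes the systemd unit the article leaves out, and lints an existing config.json for the risky settings. The paths, IPs and datacenter name are the article's; the ACL block, the dedicated consul user and the key placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article or from HashiCorp. It renders a
# Consul server config.json that keeps the article's layout but closes the
# settings that expose the agent, writes the systemd unit the article leaves
# out (modelled on its vault.service), and lints an existing config.json for
# those settings. Assumes POSIX sh with awk, grep and mktemp. Paths, IPs and
# the datacenter name come from the article; the ACL block, the dedicated
# "consul" user and the key placeholder are assumptions.

# Render config.json. $1 = this node's private IP, $2 = key from `consul keygen`,
# remaining args = the server IPs to join.
render_consul_config() {
  self_ip=$1; gossip_key=$2; shift 2
  peers=""
  for ip in "$@"; do peers="$peers${peers:+, }\"$ip\""; done
  cat <<EOF
{
  "server": true,
  "bootstrap_expect": 3,
  "datacenter": "us-central",
  "data_dir": "/var/consul",
  "bind_addr": "$self_ip",
  "client_addr": "127.0.0.1",
  "retry_join": [$peers],
  "encrypt": "$gossip_key",
  "enable_local_script_checks": true,
  "acl": { "enabled": true, "default_policy": "deny", "enable_token_persistence": true },
  "leave_on_terminate": true,
  "rejoin_after_leave": true,
  "enable_syslog": true,
  "log_level": "INFO",
  "ui": true
}
EOF
}

# Systemd unit for the agent; create the user first: useradd -r -s /sbin/nologin consul
render_consul_unit() {
  cat <<'EOF'
[Unit]
Description=Consul agent
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=consul
ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul.d
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Count the risky settings in config file $1; prints the count, details go to stderr.
lint_consul_config() {
  n=0
  if grep -Eq '"enable_script_checks"[[:space:]]*:[[:space:]]*true' "$1"; then
    echo "enable_script_checks: an HTTP API client can register a check that runs any command; use enable_local_script_checks" >&2
    n=$((n + 1))
  fi
  if grep -Eq '"client_addr"[[:space:]]*:[[:space:]]*"0\.0\.0\.0"' "$1" && ! grep -q '"acl"' "$1"; then
    echo "client_addr 0.0.0.0 without an acl block: API and UI are open to anyone who reaches port 8500" >&2
    n=$((n + 1))
  fi
  if ! grep -q '"encrypt"' "$1"; then
    echo "no encrypt key: gossip traffic is neither authenticated nor encrypted" >&2
    n=$((n + 1))
  fi
  echo "$n"
}

# Constructed, trimmed copy of the article's config for the lint demo.
ARTICLE_CFG=$(mktemp)
cat >"$ARTICLE_CFG" <<'EOF'
{
  "bootstrap_expect": 3,
  "client_addr": "0.0.0.0",
  "enable_script_checks": true,
  "encrypt": "EXAMPLE-KEY-FROM-THE-ARTICLE",
  "server": true,
  "start_join": ["10.128.0.2", "10.128.0.3", "10.128.0.4"]
}
EOF

HARDENED_CFG=$(mktemp)
render_consul_config 10.128.0.2 "PASTE-consul-keygen-OUTPUT-HERE" \
  10.128.0.2 10.128.0.3 10.128.0.4 >"$HARDENED_CFG"

echo "article config:  $(lint_consul_config "$ARTICLE_CFG") risky setting(s)"
echo "hardened config: $(lint_consul_config "$HARDENED_CFG") risky setting(s)"
```

With default_policy set to deny, consul members and Vault both need a token once the cluster is up: run consul acl bootstrap on one server, then create a policy for Vault scoped to the vault/ key prefix (the Vault documentation lists the full policy) and hand that token to Vault via CONSUL_HTTP_TOKEN or the token field of its storage stanza. Because client_addr is now loopback, reach the UI through an SSH tunnel to port 8500 rather than over the network.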
Consul UI screenshot

Vault configuration

Step 1: Download Vault
wget https://releases.hashicorp.com/vault/1.1.1/vault_1.1.1_linux_amd64.zip
Step 2: Unpack the archive and put the binary on the path
unzip vault_1.1.1_linux_amd64.zip
sudo cp vault /usr/bin/
rm -f vault_1.1.1_linux_amd64.zip
Step 3: Create the Vault server config file (the service unit below expects it at /etc/vault/vault_server.hcl)
sudo mkdir -p /etc/vault
sudo vi /etc/vault/vault_server.hcl

listener "tcp" {
  address          = "0.0.0.0:8200"
  cluster_address  = "{vault_ip_address}:8201"
  tls_disable      = "true"
}

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

api_addr = "http://{vault_ip_address}:8200"
cluster_addr = "http://{vault_ip_address}:8201"
ui = true
The storage stanza points at 127.0.0.1:8500, so the Vault instance also runs a Consul agent in client mode ("server": false, no bootstrap_expect), joined to the three servers with the same encrypt key. Note that tls_disable = "true" sends every request, including the token in the X-Vault-Token header, in clear text; for anything beyond a lab, give the listener tls_cert_file and tls_key_file and switch api_addr and cluster_addr to https://.
Step 4: Create a Vault service file
sudo vim /etc/systemd/system/vault.service

[Unit]
Description=Vault secret management tool
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/vault server -config=/etc/vault/vault_server.hcl -log-level=debug
TimeoutStartSec=0

[Install]
WantedBy=multi-user.target 
Step 5: Start the Vault service
sudo systemctl daemon-reload
sudo systemctl start vault
sudo systemctl status vault

Vault is now installed but sealed. Log in to the Vault node and run:

export VAULT_ADDR=http://{vault_ip_address}:8200
vault operator init
export VAULT_TOKEN={vault_token}

vault operator init prints five unseal keys and the initial root token, once only. Keep them somewhere safe: three of the five keys are needed to unseal Vault after every restart (vault operator unseal, or the Unseal page of the UI), and the root token is the only credential that exists until you configure an auth method. Exporting it as VAULT_TOKEN is fine for the first login on the node, but avoid leaving it in shell history or profile files. To unseal through the UI, go to http://{vault_ip_address}:8200
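The init and unseal step is where most of the risk in this setup sits: the article's listener has TLS off, and the unseal keys and root token land in whatever terminal ran vault operator init. The script below is an added example, not code from the article or from HashiCorp. It renders a Vault server config that keeps TLS on, then parses the text output of vault operator init so that only the threshold number of shares is submitted and the root token is never exported. The certificate paths and the IP are placeholders, and the init output embedded in the script is constructed, not real key material.

```shell
#!/bin/sh
# Added example, not code from the article or from HashiCorp. It renders the
# Vault server config with TLS enabled instead of tls_disable = "true", and
# shows how to handle the `vault operator init` output: parse the key shares,
# submit only the threshold number of them, and keep the root token out of
# exported variables and shell history. Assumes POSIX sh with awk and mktemp;
# the certificate paths and the IP are placeholders, and the init output below
# is constructed (the values are not real key material).

# Render /etc/vault/vault_server.hcl. $1 = the Vault node's private IP.
render_vault_config() {
  cat <<EOF
listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "$1:8201"
  tls_cert_file   = "/etc/vault/tls/vault.crt"
  tls_key_file    = "/etc/vault/tls/vault.key"
  tls_min_version = "tls12"
}

# The local Consul client agent. With Consul ACLs on, pass the Vault token
# through CONSUL_HTTP_TOKEN in the unit's environment instead of writing it here.
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

api_addr     = "https://$1:8200"
cluster_addr = "https://$1:8201"
ui           = true
EOF
}

# Key shares, one per line, from saved `vault operator init` output in file $1.
unseal_keys() { awk -F': ' '/^Unseal Key [0-9]+:/ { print $2 }' "$1"; }
# The initial root token from the same file.
root_token()  { awk -F': ' '/^Initial Root Token:/ { print $2 }' "$1"; }

# Submit the first $2 shares from $1 (the threshold); prints how many were sent.
# The binary is taken from $VAULT so a stub can stand in when no server is running.
unseal_with_threshold() {
  sent=0
  for key in $(unseal_keys "$1" | head -n "$2"); do
    "${VAULT:-vault}" operator unseal "$key" >/dev/null || return 1
    sent=$((sent + 1))
  done
  echo "$sent"
}

# The bootstrap sequence for the Vault node (defined here, not run).
bootstrap_vault() {
  export VAULT_ADDR="https://$1:8200"
  umask 077                                   # init output readable by root only
  vault operator init -key-shares=5 -key-threshold=3 >/root/vault-init.txt
  unseal_with_threshold /root/vault-init.txt 3
  # Log in once at the prompt (`vault login`, pasting the root token) to create
  # auth methods and policies, then run `vault token revoke -self`. Give each
  # share to a different holder, or pass -pgp-keys to init so each share is
  # encrypted to its holder, and delete /root/vault-init.txt afterwards.
}

# Constructed sample of init output; the shares and the token are fake.
SAMPLE_INIT=$(mktemp)
cat >"$SAMPLE_INIT" <<'EOF'
Unseal Key 1: fakeShare1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Unseal Key 2: fakeShare2BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
Unseal Key 3: fakeShare3CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
Unseal Key 4: fakeShare4DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD=
Unseal Key 5: fakeShare5EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE=

Initial Root Token: s.fakeRootTokenXXXXXXXXXXXX

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above.
EOF

render_vault_config 10.0.10.235
echo "shares in sample init output: $(unseal_keys "$SAMPLE_INIT" | grep -c .)"
```

On AWS the unseal step can be removed altogether by adding a seal "awskms" stanza with the region and KMS key ID to the server config, so Vault unseals itself through KMS at start-up and no person holds shares that have to be typed in after every restart; the root token still has to be handled as above.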