HashiCorp Vault 1.17.2 with Yandex KMS support

HashiCorp Vault is an open source tool for securely storing and accessing secrets (for example, passwords, certificates, and tokens). The image contains a pre-installed build of HashiCorp Vault with added support for Auto Unseal via Yandex Key Management Service. The build is based on HashiCorp Vault 1.17.2.

1. Create a service account, which is required for HashiCorp Vault:

   yc iam service-account create --name vault-kms
   

2. Create an authorized key for the service account and save it to the file authorized-key.json:

   yc iam key create \
      --service-account-name vault-kms \
      --output authorized-key.json
   

3. Create a Yandex Key Management Service key:

   yc kms symmetric-key create \
      --name example-key \
      --default-algorithm aes-256 \
      --rotation-period 24h
   

   Save the key ID (id). You will need it when installing the application.

4. Assign the service account the kms.keys.encrypterDecrypter role for the Yandex Key Management Service key:

   yc kms symmetric-key add-access-binding \
      --name example-key \
      --service-account-name vault-kms \
      --role kms.keys.encrypterDecrypter
   

5. Configure the application:

   • Namespace: Select a namespace or create a new one.
   • Application name: Enter an application name.
   • Service account key: Copy the contents of the authorized-key.json file to this field.
   • KMS key ID: Specify the ID of the Yandex Key Management Service key that you got earlier.

6. Click Install.

7. Make sure that the application switched to Running and has 0/1 ready pods:

   kubectl get pods --selector='app.kubernetes.io/name=vault'
   

   Expected output:

   NAME                READY   STATUS    RESTARTS   AGE
   <vault pod name>    0/1     Running   0          58s
   

8. Initialize the vault:

   kubectl exec --stdin=true --tty=true <vault pod name> -- vault operator init
   

   Expected output:

   Recovery Key 1: ulbugw4IKttmCCPprF6JwmUCyx1YfieCQPQiI2S0VV9o
   Recovery Key 2: S0kcValC6qSfEI4WJBovSbJWZntBUwtTrtisSIcS3n0e
   Recovery Key 3: t44ZRqbzLZNzfChinZNzLCNnwvFN/R52vbDq/UueHPPg
   Recovery Key 4: af4PRlm3VdXRzEHoDpYEnSgbwj4oc4zLCwkJG36cOUER
   Recovery Key 5: rw9LXcyGEhoO4y4O5IA32IwiDS2t76zd52eiVqfpu+b6
   
   Initial Root Token: s.4ddyD9kkIKVrslVBQBX1I5Pq
   
   Success! Vault is initialized
   
   Recovery key initialized with 5 key shares and a key threshold of 3. Please
   securely distribute the key shares printed above.
   

   Don’t run the unseal operation when initializing the vault. For more information, see Auto Unseal and the HashiCorp Vault documentation.

9. Query the list of application pods again and make sure that one pod is ready:

   kubectl get pods --selector='app.kubernetes.io/name=vault'
   

   Expected output:

   NAME                READY   STATUS    RESTARTS   AGE
   vault-yckms-k8s-0   1/1     Running   0          1h
   

• Secure secrets storage.
• Managing access to secrets.

Yandex Cloud technical support is available 24/7 to respond to requests. The types of requests available and their response time depend on your pricing plan. You can activate paid support in the management console. Learn more about requesting technical support. You can also get help from the community.