[Vault] Setup Vault auto-unseal configuration with Azure key-vault
As you may know, HashiCorp Vault is a secret management service with many other convenient features. However, manually unsealing every Vault server after each start or restart is tedious and error-prone. HashiCorp provides an auto-unseal option that uses a key in a cloud KMS to protect Vault's root key, so the servers can unseal themselves without anyone typing in unseal key shares. In this post, I walk through the setup of Vault auto-unseal with Azure Key Vault.
Prerequisites
You need to have the following resources:
- A Vault cluster (installed and configured, but not yet initialized)
- An Azure Key Vault containing a key for Vault to use
- An Azure service principal that can access that key (the seal needs the get, wrapKey and unwrapKey key permissions)
Steps
After installing Vault and setting up all the other configuration, you should have an uninitialized Vault cluster. Add the following seal stanza to the Vault configuration file on every server. The values can be retrieved from the Azure portal or the Azure CLI, and you can put them in place manually or with a configuration management tool. Note that the configuration file then holds the service principal secret in plain text, so restrict its file permissions; Vault also reads these values from the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, VAULT_AZUREKEYVAULT_VAULT_NAME and VAULT_AZUREKEYVAULT_KEY_NAME, which keeps the secret out of the file.
"seal": {
  "azurekeyvault": {
    "tenant_id": "<your Azure tenant ID>",
    "client_id": "<your service principal app ID>",
    "client_secret": "<your service principal secret>",
    "vault_name": "<Azure key-vault name>",
    "key_name": "<Azure key-vault key name>"
  }
}
After the auto-unseal configuration is added to all servers, pick one Vault server and run vault operator init (older releases used vault init). Because the seal is now Azure Key Vault, init prints recovery keys and a root token instead of unseal keys. Recovery keys cannot unseal a server; they are only needed for operations such as rekeying and root token generation, so store them securely all the same. If the configuration is right, all of your Vault servers become unsealed automatically as soon as they can reach the Key Vault key. Then restart a Vault server and check vault status: the seal type should show azurekeyvault and Sealed should be false. Keep in mind that the Key Vault key now protects everything in the cluster: if it is deleted, the stored data cannot be recovered, so enable soft delete and purge protection on the Key Vault.
That's all. If you want to know more details, feel free to discuss with me in the comments.
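To make the steps above concrete, here is a small helper script. It is an added example, not code from the post or from HashiCorp. It assumes a service principal already exists (its application ID in SP_APP_ID) and that KV_NAME and KV_KEY name the Key Vault and the key; the script name and the vault-init.json file name are my own choices. It renders the seal stanza without the credentials (Vault picks those up from the AZURE_* environment variables), grants the service principal only the three key permissions the seal needs, initialises the cluster with recovery keys, and checks vault status output. The status check runs against a constructed sample of that output, so that part works offline; the Azure and Vault commands run only when the script is invoked with an argument.

```shell
#!/bin/sh
# vault-azure-seal.sh: hypothetical helper for the auto-unseal procedure above
# (added example, not from the post). KV_NAME, KV_KEY, SP_APP_ID and the file
# name vault-init.json are assumptions.
set -eu

# Render the seal stanza in HCL. Only the two non-secret values go into the
# file; Vault reads AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET
# from the environment, so the service principal secret never lands on disk.
render_seal_stanza() {
  cat <<EOF
seal "azurekeyvault" {
  vault_name = "$1"
  key_name   = "$2"
}
EOF
}

# Return 1 (and list the missing names on stderr) before starting Vault if any
# credential variable is absent; a server started without them stays sealed.
check_seal_env() {
  missing=""
  for v in AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  [ -z "$missing" ] || { echo "missing:$missing" >&2; return 1; }
}

# Pull one field out of pretty-printed `vault status -format=json` output
# ($1 = JSON text, $2 = field name). Strings lose their quotes; booleans come
# back as the bare words true/false.
status_field() {
  printf '%s\n' "$1" | sed -n "s/^ *\"$2\": *//p" | tr -d '",'
}

# Return 0 when the node reports the azurekeyvault seal and is unsealed.
auto_unsealed() {
  if [ "$(status_field "$1" type)" = "azurekeyvault" ] \
     && [ "$(status_field "$1" sealed)" = "false" ]; then
    return 0
  fi
  return 1
}

# Constructed sample of `vault status -format=json` from an auto-unsealed node,
# trimmed to the fields used here. recovery_seal=true is the tell-tale that
# init handed out recovery keys rather than unseal keys.
SAMPLE_STATUS='{
  "type": "azurekeyvault",
  "initialized": true,
  "sealed": false,
  "recovery_seal": true,
  "storage_type": "raft"
}'

# One-time Azure setup: create the key and grant the service principal only
# the three key permissions the seal uses (access-policy permission model).
bootstrap_azure() {
  az keyvault key create --vault-name "$KV_NAME" --name "$KV_KEY" --protection software
  az keyvault set-policy --name "$KV_NAME" --spn "$SP_APP_ID" \
    --key-permissions get wrapKey unwrapKey
}

# Initialise once, from a single server. With auto-unseal the output holds
# recovery keys and the root token, so the file is created with tight permissions.
init_cluster() {
  check_seal_env
  umask 077
  vault operator init -recovery-shares=5 -recovery-threshold=3 -format=json > vault-init.json
}

# Network-touching steps run only on request; with no argument the script just
# defines the functions so it can be sourced or tested offline.
case "${1:-}" in
  render)    render_seal_stanza "$KV_NAME" "$KV_KEY" ;;
  bootstrap) bootstrap_azure ;;
  init)      init_cluster ;;
  status)    auto_unsealed "$(vault status -format=json)" && echo "auto-unsealed" ;;
  *)         : ;;
esac
```

Run `./vault-azure-seal.sh bootstrap` once against Azure, `./vault-azure-seal.sh render >> vault.hcl` on each server (with the three AZURE_* variables exported in the Vault service's environment), `./vault-azure-seal.sh init` on one server, and `./vault-azure-seal.sh status` on any server after a restart to confirm it came back unsealed through Key Vault.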
Reference:
https://learn.hashicorp.com/vault/operations/autounseal-azure-keyvault