Using Vault on Compute Engine for Secret Management

Join Sign in

Using Vault on Compute Engine for Secret Management

1 hour 9 Credits


Google Cloud Self-Paced Labs


In this lab you will learn how to use Vault with Google Cloud. Vault, an open source tool for secret management, employs a secret-sharing scheme to seal and unseal its ability to decrypt the Vault contents. It supports multiple provider backends and a variety of methods for authentication, storage, and auditing.

Vault on Compute Engine for Secret Management App View


  • Deploy Vault to Compute Engine using Terraform.

  • Initialize and unseal Vault from keys stored in Cloud Storage.

  • Configure the Vault Google Cloud Auth Plugin Backend.

  • Create a signed JSON web token (JWT) and retrieve the Vault authentication token.

  • Use the Vault authentication token to read and write secrets.


Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

What you need

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
  • Time to complete the lab.

Note: If you already have your own personal Google Cloud account or project, do not use it for this lab.

Note: If you are using a Chrome OS device, open an Incognito window to run this lab.

How to start your lab and sign in to the Google Cloud Console

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is a panel populated with the temporary credentials that you must use for this lab.

    Open Google Console

  2. Copy the username, and then click Open Google Console. The lab spins up resources, and then opens another tab that shows the Sign in page.

    Sign in

    Tip: Open the tabs in separate windows, side-by-side.

  3. In the Sign in page, paste the username that you copied from the left panel. Then copy and paste the password.

    Important: You must use the credentials from the left panel. Do not use your Google Cloud Training credentials. If you have your own Google Cloud account, do not use it for this lab (avoids incurring charges).

  4. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Cloud Console opens in this tab.

Activate Cloud Shell

Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.

In the Cloud Console, in the top right toolbar, click the Activate Cloud Shell button.

Cloud Shell icon

Click Continue.


It takes a few moments to provision and connect to the environment. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. For example:

Cloud Shell Terminal

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

You can list the active account name with this command:

gcloud auth list


Credentialed accounts: - <myaccount>@<mydomain>.com (active)

(Example output)

Credentialed accounts: -

You can list the project ID with this command:

gcloud config list project


[core] project = <project_ID>

(Example output)

[core] project = qwiklabs-gcp-44776a13dea667a6

Task 1. Deploying Vault using Terraform

Terraform is an infrastructure automation tool used to provision the following resources:

  • TLS certificates for securing the Vault API.
  • The service account for the Vault Compute Engine instance.
  • The Cloud Identity & Access Management (IAM) policy bindings that specify how Vault can interact with Cloud Storage, Cloud IAM, and Cloud KMS.
  • The Vault instance template and startup script that are used to install Vault.
  • The managed instance group for the instance template.
  • The Cloud Storage bucket for the Vault storage backend.
  • The Cloud Storage bucket for Vault assets like the unseal keys and TLS certificates and keys.

These resources can also be created using standard Linux tools like openssl and the Cloud SDK or the Cloud Console. Using Terraform gives you a single tool to provision the majority of resources used in this tutorial. You can easily parameterize Terraform with variables and write infrastructure as code. Terraform also lets you preview changes using the terraform plan command.

This lab uses the terraform-google-vault module in the example code to automate the creation of the Vault TLS keys and certificates and to store encrypted copies of them in a Cloud Storage bucket. These keys and certificates are later decrypted automatically by the Vault instance startup script.

After the instance is started, the startup script initializes Vault and stores an encrypted copy of the unseal keys and root token to a Cloud Storage bucket. You will decrypt those keys and use them to manually unseal Vault.

Task 2. Configure Vault

  1. Configure your Cloud Shell environment to use the Vault by installing it with the appropriate package:

curl -fsSL | sudo apt-key add - sudo apt-add-repository "deb [arch=amd64] $(lsb_release -cs) main" sudo apt-get update && sudo apt-get install vault

Verifying the Installation

  1. After installing Terraform, verify the installation worked by checking the Vault version:

vault version

Task 3. Clone the repository

  1. Make a local clone of the GitHub repository with the Terraform module and example code:

curl -o unzip
  1. Change to the directory that contains the example code:

cd terraform-google-vault-5.3.0
  1. Create the terraform.tfvars file with the project ID, bucket name, and KeyRing name.

Notice that the bucket name is based on your project ID and the string vault:

export GOOGLE_CLOUD_PROJECT=$(gcloud config get-value project) cat - > terraform.tfvars <<EOF project_id = "${GOOGLE_CLOUD_PROJECT}" kms_keyring = "vault" kms_crypto_key = "vault-init" EOF
  1. Use Terraform commands to deploy Vault to Compute Engine:

terraform init terraform plan terraform apply
  1. Type yes when asked if you want to continue.

Click Check my progress to verify the objective. Configure and deploy vault

Task 4. Initializing Vault

  1. Configure your local Vault binary to communicate with the Vault server:

export VAULT_ADDR="$(terraform output vault_addr)" export VAULT_ADDR=${VAULT_ADDR:1:-1} export VAULT_CACERT="$(pwd)/ca.crt"
  1. Wait a couple of minutes, then initialize Vault:
vault operator init \ -recovery-shares 5 \ -recovery-threshold 3

Example Output:

Recovery Key 1: jtG+M7SorHPPmmj4XcXM0/fWkxjR11CNWpQiKvsfUdh/ Recovery Key 2: GaDBH1ZBNZawNCMyQbxdipll9njvBMX3wLVEjEDRvOCU Recovery Key 3: oIHjeX4s5JH81j5hVRT6pfjEkDQWU+IazznZvnUTUeCo Recovery Key 4: WPIx+hOquAOrFQBeM8TtrFroPlKVkVvL5KPwlF40eUDP Recovery Key 5: v2f8FR2saKoCjk8FVMJ4OWcTbJRmtisleGoLyvytmtYR Initial Root Token: s.PBG7pQ0wpOiQ9Fo3jktt6A0X Success! Vault is initialized

Now you can use Vault commands to verify it is working.

  1. Verify Vault is initialized:

vault operator init -status

sample output:

Vault is initialized
  1. Verify Vault is unsealed:
vault status

sample output:

Key Value --- ----- Recovery Seal Type shamir Initialized true Sealed false Total Recovery Shares 5 Threshold 3 Version 1.0.3 Cluster Name vault-cluster-599d5704 Cluster ID 18910639-3d03-cdfb-a827-4e887c9e882a HA Enabled true HA Cluster HA Mode active
  1. Login using the Initial Root Token from the previous output:
vault login

sample output:

Token (will be hidden): Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token. Key Value --- ----- token s.3XQa7ZS7nm0Ik9uDcPixSBA6 token_accessor 9CAFf3UNogc0DK9vOzLRgXHy token_duration ∞ token_renewable false token_policies ["root"] identity_policies [] policies ["root"]
  1. Seal Vault:
vault operator seal

sample output:

Success! Vault is sealed.
  1. Verify Vault is sealed:
vault status

Sample Output:

Key Value --- ----- Recovery Seal Type shamir Initialized true Sealed true Total Recovery Shares 5 Threshold 3 Unseal Progress 0/3 Unseal Nonce n/a Version 1.0.3 HA Enabled true
  1. Check the following in output:
Sealed true
  1. Unseal the vault:

You need to provide recovery key(Which was created earlier) each time in order to unseal the vault.

  1. In this lab you have set recovery-threshold as 3 so you need to unseal the vault by using:
vault operator unseal
  1. Provide security key when prompted.

  2. Check the following in output:

Unseal Progress 1/3
  1. Use same command again and provide differnet recovery key.

  2. Check the following in output:

Unseal Progress 2/3
  1. Repeat the process again and you should get following in output:
Sealed false

This means you have successfully unsealed the Vault.

Click Check my progress to verify the objective. Initializing vault


Terraform quest badge

Finish Your Quest

This self-paced lab is part of the Managing Cloud Infrastructure with Terraform Quest. A Quest is a series of related labs that form a learning path. Completing this Quest earns you the badge above, to recognize your achievement. You can make your badge public and link to them in your online resume or social media account. Enroll in this Quest and get immediate completion credit if you've taken this lab. See other available Qwiklabs Quests.

Take Your Next Lab

Continue your Quest with Custom Providers with Terraform, or check out these suggestions:

Next Steps / Learn More

Google Cloud Training & Certification

...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.

Manual Last Updated June 28, 2021
Lab Last Testesd June 28, 2021

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.