Configure and deploy vault
Using Vault on Compute Engine for Secret Management
In this lab you will learn how to use Vault with Google Cloud. Vault, an open source tool for secret management, employs a secret-sharing scheme to seal and unseal its ability to decrypt the Vault contents. It supports multiple provider backends and a variety of methods for authentication, storage, and auditing.
- Deploy Vault to Compute Engine using Terraform.
- Initialize and unseal Vault from keys stored in Cloud Storage.
- Configure the Vault Google Cloud Auth Plugin Backend.
- Create a signed JSON web token (JWT) and retrieve the Vault authentication token.
- Use the Vault authentication token to read and write secrets.
Before you click the Start Lab button
Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.
This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.
What you need
To complete this lab, you need:
- Access to a standard internet browser (Chrome browser recommended).
- Time to complete the lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab.
Note: If you are using a Chrome OS device, open an Incognito window to run this lab.
How to start your lab and sign in to the Google Cloud Console
Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is a panel populated with the temporary credentials that you must use for this lab.
Copy the username, and then click Open Google Console. The lab spins up resources, and then opens another tab that shows the Sign in page.
Tip: Open the tabs in separate windows, side-by-side.
In the Sign in page, paste the username that you copied from the left panel. Then copy and paste the password.
Important: You must use the credentials from the left panel. Do not use your Google Cloud Training credentials. If you have your own Google Cloud account, do not use it for this lab (this avoids incurring charges).
Click through the subsequent pages:
- Accept the terms and conditions.
- Do not add recovery options or two-factor authentication (because this is a temporary account).
- Do not sign up for free trials.
After a few moments, the Cloud Console opens in this tab.
Activate Cloud Shell
Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.
In the Cloud Console, in the top right toolbar, click the Activate Cloud Shell button.
It takes a few moments to provision and connect to the environment. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. For example:
gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.
You can list the active account name with this command:
You can list the project ID with this command:
Task 1. Deploying Vault using Terraform
Terraform is an infrastructure automation tool used to provision the following resources:
- TLS certificates for securing the Vault API.
- The service account for the Vault Compute Engine instance.
- The Cloud Identity & Access Management (IAM) policy bindings that specify how Vault can interact with Cloud Storage, Cloud IAM, and Cloud KMS.
- The Vault instance template and startup script that are used to install Vault.
- The managed instance group for the instance template.
- The Cloud Storage bucket for the Vault storage backend.
- The Cloud Storage bucket for Vault assets like the unseal keys and TLS certificates and keys.
These resources can also be created using standard Linux tools like openssl and the Cloud SDK or the Cloud Console. Using Terraform gives you a single tool to provision the majority of resources used in this tutorial. You can easily parameterize Terraform with variables and write infrastructure as code. Terraform also lets you preview changes using the terraform plan command.
This lab uses the terraform-google-vault module in the example code to automate the creation of the Vault TLS keys and certificates and to store encrypted copies of them in a Cloud Storage bucket. These keys and certificates are later decrypted automatically by the Vault instance startup script.
After the instance is started, the startup script initializes Vault and stores an encrypted copy of the unseal keys and root token to a Cloud Storage bucket. You will decrypt those keys and use them to manually unseal Vault.
Task 2. Configure Vault
Configure your Cloud Shell environment to use Vault by installing the appropriate package:
Verifying the Installation
After installing Vault, verify the installation worked by checking the Vault version:
Task 3. Clone the repository
Make a local clone of the GitHub repository with the Terraform module and example code:
Change to the directory that contains the example code:
- Create the terraform.tfvars file with the project ID, bucket name, and KeyRing name.
Notice that the bucket name is based on your project ID and the string vault:
Use Terraform commands to deploy Vault to Compute Engine:
- Type yes when asked if you want to continue.
Click Check my progress to verify the objective.
Task 4. Initializing Vault
Configure your local Vault binary to communicate with the Vault server:
- Wait a couple of minutes, then initialize Vault:
Now you can use Vault commands to verify it is working.
- Verify Vault is initialized:
- Verify Vault is unsealed:
- Log in using the Initial Root Token from the previous output:
- Seal Vault:
- Verify Vault is sealed:
- Check the following in the output:
- Unseal the vault:
You need to provide a recovery key (which was created earlier) each time in order to unseal the vault.
- In this lab you set the recovery threshold to 3, so you need to unseal the vault by using:
Provide a recovery key when prompted.
Check the following in the output:
Use the same command again and provide a different recovery key.
Check the following in the output:
- Repeat the process once more and you should see the following in the output:
This means you have successfully unsealed the Vault.
Click Check my progress to verify the objective.
Finish Your Quest
This self-paced lab is part of the Managing Cloud Infrastructure with Terraform Quest. A Quest is a series of related labs that form a learning path. Completing this Quest earns you the badge above, to recognize your achievement. You can make your badge public and link to it in your online resume or social media account. Enroll in this Quest and get immediate completion credit if you've taken this lab. See other available Qwiklabs Quests.
Take Your Next Lab
Continue your Quest with Custom Providers with Terraform, or check out these suggestions:
Next Steps / Learn More
- Join the discussion! Get questions answered in the Terraform Community.
Google Cloud Training & Certification
...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.
Manual Last Updated June 28, 2021
Lab Last Tested June 28, 2021
Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.