Vault Secrets Management

Sets up HashiCorp Vault for secrets and credential management




Script Content

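#cloud-config
# Installs a pinned Vault release, runs it as an unprivileged systemd service
# with file storage, and leaves initialisation (`vault operator init`) as a
# manual step. Vault listens on loopback only until TLS has been configured.
package_update: true
package_upgrade: true

packages:
  - wget
  - unzip
  - jq

users:
  # Unprivileged service account; the unit below runs Vault as this user.
  - name: vault
    system: true
    shell: /bin/false
    home: /opt/vault

write_files:
  - path: /etc/vault.d/vault.hcl
    # Written in the final stage so the `vault` user already exists when the
    # file is chowned; the plain write_files module runs before users are
    # created and the owner lookup can fail there.
    defer: true
    content: |
      ui = true

      storage "file" {
        path = "/opt/vault/data"
      }

      # TLS is disabled, so the listener is bound to loopback only, matching
      # api_addr below. Before exposing port 8200 to the network, configure
      # tls_cert_file / tls_key_file, remove tls_disable, and only then widen
      # the bind address and add a firewall rule.
      listener "tcp" {
        address     = "127.0.0.1:8200"
        tls_disable = 1
      }

      api_addr = "http://127.0.0.1:8200"
      cluster_addr = "https://127.0.0.1:8201"
    permissions: '0640'
    owner: vault:vault

  - path: /etc/systemd/system/vault.service
    content: |
      [Unit]
      Description=Vault
      Documentation=https://www.vaultproject.io/docs/
      Requires=network-online.target
      After=network-online.target
      ConditionFileNotEmpty=/etc/vault.d/vault.hcl
      StartLimitIntervalSec=60
      StartLimitBurst=3

      [Service]
      Type=notify
      User=vault
      Group=vault
      ProtectSystem=full
      ProtectHome=read-only
      PrivateTmp=yes
      PrivateDevices=yes
      SecureBits=keep-caps
      # CAP_IPC_LOCK lets the unprivileged user mlock() memory so secrets are
      # not swapped to disk; AmbientCapabilities= and CapabilityBoundingSet=
      # are the effective settings. Capabilities= is not recognised by current
      # systemd (it is logged as an unknown key and ignored) and is kept only
      # for older releases.
      AmbientCapabilities=CAP_IPC_LOCK
      Capabilities=CAP_IPC_LOCK+ep
      CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
      NoNewPrivileges=yes
      ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
      ExecReload=/bin/kill --signal HUP $MAINPID
      KillMode=process
      KillSignal=SIGINT
      Restart=on-failure
      RestartSec=5
      TimeoutStopSec=30
      LimitNOFILE=65536
      LimitMEMLOCK=infinity

      [Install]
      WantedBy=multi-user.target

# runcmd entries are concatenated into one sh script, so `cd` persists and a
# failing command does not stop the script by itself; the explicit `exit 1`
# after the checksum is what prevents an unverified binary from being installed.
runcmd:
  # Download the pinned release and its SHA256SUMS file and refuse to install a
  # binary that does not match. Both files come from the same origin, so this
  # catches corrupted or substituted archives, not a compromised origin; pin a
  # known-good hash here for stronger assurance.
  - cd /tmp
  - wget https://releases.hashicorp.com/vault/1.15.0/vault_1.15.0_linux_amd64.zip
  - wget https://releases.hashicorp.com/vault/1.15.0/vault_1.15.0_SHA256SUMS
  - sha256sum --check --ignore-missing vault_1.15.0_SHA256SUMS || exit 1
  - unzip -o vault_1.15.0_linux_amd64.zip
  - mv vault /usr/local/bin/
  - chmod 0755 /usr/local/bin/vault
  - rm -f vault_1.15.0_linux_amd64.zip vault_1.15.0_SHA256SUMS
  # Runtime directories; the recursive chown also covers the deferred config
  # file written above.
  - mkdir -p /opt/vault/data /etc/vault.d
  - chown -R vault:vault /opt/vault /etc/vault.d
  # File capability so the vault user can mlock() without running as root.
  - setcap cap_ipc_lock=+ep /usr/local/bin/vault
  # Enable and start Vault
  - systemctl daemon-reload
  - systemctl enable vault
  - systemctl start vault
  # No firewall rule is opened: the listener is loopback-only and TLS is
  # disabled. Add `ufw allow 8200/tcp` only after TLS is configured in
  # /etc/vault.d/vault.hcl and the listener is bound to a non-loopback address.
  - sleep 10
  # Initialize Vault (manual step required). The CLI defaults to https, so the
  # operator has to point it at the plaintext loopback listener.
  - echo "Run 'vault operator init' to initialize Vault"
  - echo "Set VAULT_ADDR=http://127.0.0.1:8200 before running the vault CLI on this host"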

How to Use This Script

Cloud Provider Examples

Amazon EC2

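# Launch an EC2 instance with the cloud-config as user data. Line continuations
# are required; without them the options are parsed as separate commands.
# ami-12345678 is a placeholder; use a current Ubuntu AMI for your region.
# EC2 user data is readable from the instance via the metadata service, so do
# not embed secrets (e.g. unseal keys or tokens) in script.yaml.
aws ec2 run-instances \
  --image-id ami-12345678 \
  --instance-type t3.micro \
  --user-data file://script.yaml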

DigitalOcean

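# Create a DigitalOcean droplet that boots with the cloud-config. Line
# continuations are required so the options belong to one command.
# my-droplet is a placeholder name.
doctl compute droplet create \
  --image ubuntu-22-04-x64 \
  --size s-1vcpu-1gb \
  --user-data-file script.yaml \
  my-droplet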

Google Cloud

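# Create a GCE instance with the cloud-config in the user-data metadata key.
# Line continuations are required; my-instance is a placeholder name.
# Instance metadata is visible from inside the VM, so keep secrets out of
# script.yaml.
gcloud compute instances create \
  my-instance \
  --metadata-from-file \
  user-data=script.yaml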