Published on

Setup Hashicorp Vault Server on Docker and a Getting Started CLI Guide


Vault is one of Hashicorp's awesome services, which enables you to centrally store, access and distribute dynamic secrets such as tokens, passwords, certificates and encryption keys.

What will we be doing today

We will setup a Vault Server on Docker and demonstrate a getting started guide with the Vault CLI to Initialize the Vault, Create / Use and Manage Secrets.

For related posts:

Setting up the Vault Server

Create the directory structure:

$ touch docker-compose.yml
$ mkdir -p volumes/{config,file,logs}

Populate the vault config vault.json. (As you can see the config is local, in the next couple of posts, I will show how to persist this config to Amazon S3)

$ cat > volumes/config/vault.json << EOF
  "backend": {
    "file": {
      "path": "/vault/file"
  "listener": {
      "address": "",
      "tls_disable": 1
  "ui": true

Populate the docker-compose.yml:

$ cat > docker-compose.yml << EOF
version: '2'
    image: vault
    container_name: vault
      - "8200:8200"
    restart: always
      - ./volumes/logs:/vault/logs
      - ./volumes/file:/vault/file
      - ./volumes/config:/vault/config
      - IPC_LOCK
    entrypoint: vault server -config=/vault/config/vault.json

Start the Vault Server:

$ docker-compose up

The UI is available at http://localhost:8200/ui and the api at http://localhost:8200

Interacting with the Vault CLI

I will demonstrate how to use the Vault CLI to interact with Vault. Let's start by installing the vault cli tools, I am using mac, so I will be using brew:

$ brew install vault

Set environment variables:

$ export VAULT_ADDR=''

Initialize the Vault Cluster:

Initialize new vault cluster with 6 key shares:

$ vault operator init -key-shares=6 -key-threshold=3
Unseal Key 1: RntjR...DQv
Unseal Key 2: 7E1bG...0LL+
Unseal Key 3: AEuhl...A1NO
Unseal Key 4: bZU76...FMGl
Unseal Key 5: DmEjY...n7Hk
Unseal Key 6: pC4pK...XbKb

Initial Root Token: s.F0JGq..98s2U

Vault initialized with 10 key shares and a key threshold of 3. Please
securely distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

In order to unseal the vault cluster, we need to supply it with 3 key shares:

$ vault operator unseal RntjR...DQv
$ vault operator unseal bZU76...FMGl
$ vault operator unseal pC4pK...XbKb

Ensure the vault is unsealed:

$ vault status -format=json
  "type": "shamir",
  "initialized": true,
  "sealed": false,
  "t": 3,
  "n": 5,
  "progress": 0,
  "nonce": "",
  "version": "1.1.0",
  "migration": false,
  "cluster_name": "vault-cluster-dca2b572",
  "cluster_id": "469c2f1d-xx-xx-xx-03bfc497c883",
  "recovery_seal": false

Authenticate against the vault:

$ vault login s.tdlEqsfzGbePVlke5hTpr9Um
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Using the cli your auth token will be saved locally at ~/.vault-token.

Enable the secret kv engine:

$ vault secrets enable -version=1 -path=secret kv

Create and Read Secrets

Write a secret to the path enabled above:

$ vault kv put secret/my-app/password password=123

List your secrets:

$ vault kv list secret/

Read the secret (defaults in table format):

$ vault kv get secret/my-app/password
Key                 Value
---                 -----
refresh_interval    768h
password            123

Read the secret in json format:

$ vault kv get --format=json secret/my-app/password
  "request_id": "0249c878-7432-9555-835a-89b275fca32o",
  "lease_id": "",
  "lease_duration": 2764800,
  "renewable": false,
  "data": {
    "password": "123"
  "warnings": null

Read only the password value in the secret:

$ vault kv get -field=password secret/my-app/password

Key with Multiple Secrets

Create a key with multiple secrets:

$ vault kv put secret/reminders/app username=root password=secret

Read all the secrets:

$ vault kv get --format=json secret/reminders/app
  "request_id": "0144c878-7532-9555-835a-8cb275fca3dd",
  "lease_id": "",
  "lease_duration": 2764800,
  "renewable": false,
  "data": {
    "db_username": "",
    "password": "secret",
    "username": "root"
  "warnings": null

Read only the username field in the key:

$ vault kv get -field=username secret/reminders/app

Delete the secret:

$ vault kv delete secret/reminders


Create a key and set the metadata to max of 5 versions:

$ vault kv metadata put -max-versions=5 secret/fooapp/appname

Get the metadata of the key:

$ vault kv metadata get secret/fooapp/appname
======= Metadata =======
Key                Value
---                -----
cas_required       false
created_time       2019-04-07T12:35:54.355411Z
current_version    0
max_versions       5
oldest_version     0
updated_time       2019-04-07T12:35:54.355411Z

Write a secret appname to our key: secret/fooapp/appname:

$ vault kv put secret/fooapp/appname appname=app1
Key              Value
---              -----
created_time     2019-04-07T12:36:41.7577102Z
deletion_time    n/a
destroyed        false
version          1

Overwrite the key with a couple of requests:

$ vault kv put secret/fooapp/appname appname=app2
$ vault kv put secret/fooapp/appname appname=app3

Read the current value:

$ vault kv get -field=appname secret/fooapp/appname

Get the version=2 value of this file:

$ vault kv get -field=appname -version=2 secret/fooapp/appname

Thank You

Thanks for reading, if you like my content, feel free to check out my website, and subscrube to my newsletter or follow me at @ruanbekker on Twitter.

Buy Me A Coffee