Starting the Vault Server in Development Mode


Introduction

Vault follows a client-server architecture. The Vault server has exclusive access to storage and secrets. All client requests go through the Vault server's API. Vault client requests can be sent to the Vault server's API using HTTP or the Vault command-line client, which is a wrapper around HTTP requests. The Vault server includes a development mode that performs several initialization steps to let you start working with Vault immediately. Development mode is not suitable for production because it does not provide the highest levels of security. However, it is sufficient for the purpose of the Lab, which is not focused on bootstrapping Vault servers.

In this Lab Step, you will start a Vault server in development mode and perform a few commands to verify its functionality.

Instructions

1. Enter the following command to start a Vault server in development mode using default configuration values:

vault server -dev

The output begins by stating several configuration properties. In development mode, the server listens over tcp with tls disabled. TLS encrypts the secrets in transit and should always be enabled in production. The development server also uses in-memory (inmem) Storage, which would usually be replaced by a more durable storage option.

The yellow WARNING! explains that you are running in dev mode. The server is unsealed, meaning it has constructed the master key needed for encryption operations, and the root token is already authenticated to the CLI, meaning you can perform any operation using the CLI.

2. Open a new terminal by clicking the + tab to the right of the current terminal tab, and clicking New Terminal:

The Vault server is running in the foreground in the original tab. You can leave the Vault server's tab alone, and check its output stream at any point to view any server information messages.

3. Enter the following to set the Vault server address environment variable for the Vault CLI:

export VAULT_ADDR='http://127.0.0.1:8200'

This command is provided in the Vault server's output. Even though the default host and port (127.0.0.1:8200) are being used, the CLI defaults to using HTTPS instead of HTTP. Because TLS is disabled, you need to specify http:// as the protocol.

4. Check the status of the Vault server using the Vault CLI client:

vault status


You can confirm that the server is unsealed (Sealed is false).
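
The checks from this Lab Step written as a script, as an added example that is not part of the original lab: it reads the seal status over Vault's HTTP API (/v1/sys/seal-status) and flags the development-mode traits described above (TLS disabled, inmem storage, sealed state). The function names, finding codes and sample reply are constructed for illustration.

```python
"""Flag the development-mode traits this Lab Step points out."""
import json
import os
import urllib.request
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}

# Constructed sample of a dev-mode reply from /v1/sys/seal-status (not captured output).
SAMPLE_DEV_STATUS = {"type": "shamir", "initialized": True, "sealed": False,
                     "t": 1, "n": 1, "storage_type": "inmem"}


def fetch_seal_status(addr, timeout=5):
    """Read the seal status over the HTTP API; this endpoint needs no token."""
    url = addr.rstrip("/") + "/v1/sys/seal-status"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def dev_mode_findings(addr, status):
    """Return finding codes (hypothetical names) for one address and status reply."""
    findings = []
    parts = urlsplit(addr)
    if parts.scheme != "https":
        # Loopback-only HTTP is the lab setup; HTTP to any other host
        # sends tokens and secrets unencrypted across the network.
        local = parts.hostname in LOOPBACK_HOSTS
        findings.append("no-tls-loopback" if local else "no-tls-network")
    if status.get("storage_type") == "inmem":
        findings.append("inmem-storage")  # everything is lost when the process exits
    if status.get("sealed", True):
        findings.append("sealed")  # a missing field is treated as sealed
    return findings


if __name__ == "__main__":
    # The CLI default is HTTPS on 127.0.0.1:8200, as the step above explains.
    vault_addr = os.environ.get("VAULT_ADDR", "https://127.0.0.1:8200")
    for code in dev_mode_findings(vault_addr, fetch_seal_status(vault_addr)):
        print("WARN", code)
```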

 

Summary

In this Lab Step, you started a Vault server in development mode and learned when it is acceptable to use development mode. You also used the Vault CLI client to connect to the Vault server and confirm that it is running and ready to work with.