Deploying HashiCorp Vault with AWS Secrets Engine
1.9 (6 ratings)
25 students enrolled

Eliminate the need for IAM access keys and secret access keys with HashiCorp Vault's AWS Secrets Engine integration!
Created by Troy Dieter
Last updated 10/2019
English
This course includes
  • 41 mins on-demand video
  • 10 downloadable resources
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion
What you'll learn
  • How to deploy HashiCorp Vault in AWS
  • Integrating the AWS Secrets Engine into HashiCorp Vault to eliminate the need for long-lived access keys and secret access keys
Requirements
  • Working knowledge of AWS with access to deploy to AWS EC2, IAM, DynamoDB & Route53
  • Intermediate understanding of AWS IAM Roles & Policies
  • General understanding of encryption & PKI
Description

HashiCorp Vault is a secure way to control access to tokens, passwords, certificates and encryption keys, protecting secrets and other sensitive data through a UI, CLI, or HTTP API. Enabling the AWS Secrets Engine allows Vault to generate AWS access credentials dynamically, scoped by IAM policies. This eliminates the need to manage and rotate static access keys and secret access keys: every credential is generated on demand and carries a lease time, after which Vault revokes it.

This course will demonstrate:

  • Setting up your AWS environment for a Vault deployment
  • High availability and scaling for HashiCorp Vault
  • AWS secrets engine authentication integration
  • Use cases and security hardening

Who this course is for:
  • AWS Engineers, Architects, SREs and Security Teams
Course content
Introduction (10 lectures, 41:08)

In this lecture, we will cover the course content and the benefits of using HashiCorp Vault with the AWS secrets engine integration.

Lecture preview, 02:06

In this lecture we'll cover the terminology used in the remainder of the course, and what the deployment will look like once completed.

Lecture preview, 02:54

In this lecture, you will provision the AWS resources needed to support the Vault environment. All steps are provided, including the downloadable materials you will need. If needed, see Lecture 9 for a walk-through of deploying the 2 Availability Zone VPC using CloudFormation.

An AWS CloudFormation and CDK (Cloud Development Kit) template will be available soon! We are also working on an Ansible Playbook that will deploy the resources. All of these future resources are included with your purchase, and we will notify subscribers when they are available.

Lecture preview, 07:19

In this lecture, we will create the Route 53 alias record set pointing to the Elastic Load Balancer. We will also initialize and unseal Vault. An example of the payload.json mentioned in the video is in the Downloadable Materials section.

Set up HashiCorp Vault on AWS, 04:43

In this lecture, you will enable the AWS secrets engine and create a new role for a Data Scientist. You will also use this new role to generate temporary, token-based access key and secret access key pairs.

AWS secrets engine configuration, 03:39

Various authentication methods (including username/password, LDAP (including Active Directory), token-based and key-value) are available to extend the abilities of Vault. See the external resource linked below for Vault's official documentation on adding authentication methods.

Adding various authentication methods to extend Vault, 06:02

This lecture will cover a walk-through of using vault-credential-rotator (https://github.com/troydieter/vault-credential-rotator), which provides:

  • Easy rotation of Vault-issued keys stored in your AWS credential store
  • Support for Windows, Linux and macOS
  • Support for the LDAP authentication method

Additional Content: Using vault-credential-rotator, 04:17

This lecture will cover the use of the AppRole authentication method and how to generate the required credentials for distribution. The script referenced in the lecture (approle.py) is provided here as well. Ensure you change the values as demonstrated in the lecture video.

Generating AppRole authentication credentials to be used with the AWS secrets engine, 02:18

A brief walk-through of deploying the 2 Availability Zone VPC using CloudFormation in the AWS console. Please perform these steps prior to Lecture 3 to keep the proper order.

Deploying a 2 availability zone VPC with CloudFormation, 03:45

In this lecture, we'll briefly cover the deployment of HashiCorp Vault to a Kubernetes cluster using a Helm chart. Feel free to follow Lectures 5 and 6 to configure the AWS secrets engine after deploying via Helm.

The guide used in the video is available via the External Resources links.

Set up HashiCorp Vault using a Helm chart on Kubernetes, 04:05