Create a Vault cluster on HCP
HashiCorp Cloud Platform (HCP) Vault enables you to quickly deploy a Vault Enterprise cluster in a supported public cloud provider. As a fully managed service, it allows you to leverage Vault as a central secret management service while offloading the operational burden to the Site Reliability Engineering (SRE) experts at HashiCorp.
In this tutorial, you will deploy a Vault Enterprise cluster guided by the HCP portal.
Prerequisites
You will need an HCP account.
Note
Previous experience with Vault and Vault Enterprise is not required to deploy a Vault server in HCP.
Create a Vault cluster
Note
This tutorial assumes you have not previously created a HashiCorp Virtual Network (HVN) in your HashiCorp Cloud Platform account.
Launch the HCP Portal and log in.
If you have logged in before, the portal opens the last project you were in. Navigate back to the organization level from the breadcrumbs, or click on the HashiCorp icon at the top-left to choose another organization.
Click on the HashiCorp icon to list your organizations, and select the organization to create an HCP Vault cluster in.
HashiCorp Cloud Platform (HCP) provides your account with an organization. Your account may invite others to join your organization or you may be invited to join other organizations.
Click Projects, and select the target project.
- Click + Create project.
- Enter the Project name and Project description.
- Click Create project to complete.
From the Overview page, click Get started with Vault.
From the Vault overview page, you have the option to deploy HCP Vault using a Quick Deploy Template, which deploys Vault with a sample configuration, or you can choose to Start from scratch, which deploys a standard Vault instance with no existing configuration.
For the purposes of these tutorials and learning about Vault, click the Create cluster button under Start from scratch.
Select your preferred cloud provider.
Click the Vault tier pull down menu and select Development.
Tip
The development tier should not be used for production workloads.
Click the Cluster size pull down menu and select Extra Small.
For the development tier, Extra Small is the only available cluster size.
Under the Network section, accept or edit the Network ID, Region selection, and CIDR block for the HVN.
Note
You can learn how to connect to a private HCP Vault cluster on AWS in the Connect an Amazon Transit Gateway to your HashiCorp Virtual Network or Peering an AWS VPC with HashiCorp Cloud Platform (HCP) tutorials, or the Peering an Azure Virtual Network with HashiCorp Cloud Platform (HCP) tutorial for Azure.
Leave Cluster accessibility set to Public.
Security consideration
All new development tier HCP Vault clusters are configured with public access enabled by default. This means clients can connect from anywhere. For production tiers (starter, standard, and plus), private access will be enabled by default. This means you can only connect from a transit gateway or peered VPC (AWS) or VNet (Azure).
Under the Basics section, accept or edit the default Cluster ID (vault-cluster).
Under Templates, select Start from scratch. Templates provide sample configurations for various use cases.
Click Create cluster.
Wait for the cluster to initialize before proceeding.
Vault cluster overview
The Vault page displays the created Vault cluster. Within that view, the Overview page displays information to help you learn about HCP Vault, Vault configuration, Vault usage, and cluster details. The Access Vault pane contains details that enable you to administer the Vault cluster through the Web UI or command-line interface (CLI).
Note
The cluster is created with a top-level Namespace called admin. Namespaces enable you to create isolated Vault environments.
Review the Cluster Details pane.
Cluster details provide helpful information about your HCP Vault cluster.
Review the Quick actions pane.
The Quick actions pane provides details for accessing your new HCP Vault cluster. You can use the Cluster URLs links to Copy the public or private addresses, and use the Generate token link to generate a new admin token to perform the initial configuration of the HCP Vault cluster.
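The following is an added example, not part of the original tutorial: a shell helper that prepares a CLI session from the values in the Quick actions pane, keeping the admin token out of shell history and checking the settings before any Vault command runs. The function names and the example address are hypothetical, and treating `admin/...` as the only valid child namespaces is an assumption.

```shell
# Added example. check_vault_env and connect_hcp_vault are hypothetical helper names.

# Validate the three settings the Vault CLI reads from the environment.
# Return codes: 0 ok, 1 bad address, 2 bad namespace, 3 missing token.
check_vault_env() {
  case "${VAULT_ADDR:-}" in
    https://?*) ;;   # the cluster is public in the development tier, so require TLS
    *) echo "VAULT_ADDR must be the https:// cluster URL" >&2; return 1 ;;
  esac
  case "${VAULT_NAMESPACE:-}" in
    admin|admin/?*) ;;   # HCP Vault's top-level namespace is admin (children assumed under admin/)
    *) echo "VAULT_NAMESPACE must be admin or a child of admin" >&2; return 2 ;;
  esac
  [ -n "${VAULT_TOKEN:-}" ] || { echo "VAULT_TOKEN is empty" >&2; return 3; }
  return 0
}

# Usage: connect_hcp_vault <cluster-url> [namespace]
# <cluster-url> is the public address copied from Quick actions > Cluster URLs.
connect_hcp_vault() {
  VAULT_ADDR="$1"
  VAULT_NAMESPACE="${2:-admin}"
  export VAULT_ADDR VAULT_NAMESPACE
  if [ -z "${VAULT_TOKEN:-}" ]; then
    # Prompt with echo disabled so the token from "Generate token" never
    # appears on screen, in shell history, or in process arguments.
    printf 'Admin token: ' >&2
    stty -echo
    read -r VAULT_TOKEN
    stty echo
    printf '\n' >&2
  fi
  export VAULT_TOKEN
  check_vault_env || return $?
  # Confirm the cluster is reachable and the token is accepted in this namespace.
  vault status && vault token lookup
}

# Example call (constructed placeholder address):
#   connect_hcp_vault "https://vault-cluster.example.invalid:8200"
```

Run `unset VAULT_TOKEN` when you finish the initial configuration so the admin token does not linger in the session.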