
Access a Vault Cluster on HCP


Now that you have created a new HCP Vault instance, you will need to perform some initial configuration to support your use case, such as enabling secrets engines to store or generate secrets, or adding auth methods to allow users or applications to authenticate with HCP Vault.

HCP Vault provides the same type of access as a traditional Vault cluster. You can access it through a command line interface (CLI) using the Vault binary, through the Vault API using common programming languages or tools such as cURL, or by using the Vault User Interface (UI).

Access the Vault cluster

Security consideration

When an HCP Vault cluster has public access enabled, you can connect from any internet-connected device. When the HCP Vault cluster has private access enabled, you will need to access the cluster from a connected cloud provider such as AWS with a VPC peering connection, an AWS transit gateway connection, or Azure with an Azure Virtual Network peering connection. For the purposes of this tutorial, your cluster should have public access enabled.

  1. From the Overview page, click Generate token in the New admin token card.

  2. Click Copy to copy the new token to your clipboard.

  3. Under Quick actions in the Access web UI card, click the Public Cluster URL. A new tab/window will open.

  4. Enter the token in the Token field.

  5. Click Sign In. Notice that your current namespace is admin/.

Prerequisite

To connect with Vault using the CLI, follow the Install Vault tutorial to download and install the Vault binary, then return to this tutorial.

  1. Under Quick actions, click Public Cluster URL.

  2. In a terminal, set the VAULT_ADDR environment variable to the copied address.

    $ export VAULT_ADDR=<Public_Cluster_URL>
    
  3. Verify your connectivity to the Vault cluster.

    $ vault status
    
    Key                      Value
    ---                      -----
    Recovery Seal Type       shamir
    Initialized              true
    Sealed                   false
    Total Recovery Shares    1
    Threshold                1
    Version                  1.6.0+ent
    Storage Type             raft
    ...snipped...
    

    The Vault server is initialized and unsealed. By default Vault enables the token authentication method.

  4. Return to the Overview page and click Generate token.

    Within a few moments a new token will be generated.

  5. Copy the Admin Token.

  6. Return to the terminal and log in to Vault. When prompted, enter the generated admin token.

    $ vault login
    Token (will be hidden): <token>
    

    The <token> placeholder represents the copied token value.

    Example output:

    Success! You are now authenticated. The token information displayed below
    is already stored in the token helper. You do NOT need to run "vault login"
    again. Future Vault requests will automatically use this token.
    
    token                hvs.QRSTUV-WXypd-96-ANTSChh5sqa5IB4ZVQ0Qo_iLBWaNIbnQGiYKImh2cy5raE1qZmtBd2lzTkJ3bExITjVZcjRhbFMuSjlxNGcQeg
    token_accessor       CDeirnF8ijVMtkckQozs4hdk.J9q4g
    token_duration       5h19m35s
    token_renewable      false
    token_policies       ["default" "hcp-root"]
    identity_policies    []
    policies             ["default" "hcp-root"]
    
  7. View the current token configuration.

    $ vault token lookup
    
    Key                 Value
    ---                 -----
    accessor            cTFg1IVnrsj1aanlwge5f32S.J9q4g
    creation_time       1658344633
    creation_ttl        1h
    display_name        token
    entity_id           cebf4e89-8f68-36c1-3325-68060d0e5cf1
    expire_time         2022-07-20T20:17:13.323688775Z
    explicit_max_ttl    0s
    id                  hvs.QRSTUV-WXypd-96-ANTSChh5sqa5IB4ZVQ0Qo_iLBWaNIbnQGiYKImh2cy5raE1qZmtBd2lzTkJ3bExITjVZcjRhbFMuSjlxNGcQeg
    issue_time          2022-07-20T19:17:13.323698855Z
    meta                <nil>
    namespace_path      admin/
    num_uses            0
    orphan              false
    path                auth/token/create
    policies            [default hcp-root]
    renewable           true
    ttl                 48m49s
    type                service
    

    Notice that namespace_path is set to admin/. This indicates that you are currently logged into the admin namespace.

    Because you can create multiple namespaces, you should create a VAULT_NAMESPACE environment variable when configuring Vault.

  8. Set the VAULT_NAMESPACE environment variable to admin.

    $ export VAULT_NAMESPACE="admin"
    

Tip

The cURL examples in this tutorial use jq to process the JSON output for readability.

  1. Under Quick actions, click the Public Cluster URL.

  2. In a terminal, set the VAULT_ADDR environment variable to the copied address.

    $ export VAULT_ADDR=<Public_Cluster_URL>
    
  3. Return to the Overview page and click Generate token.

    Within a few moments a new token will be generated.

  5. Copy the Admin Token.

  5. Return to the terminal and set the VAULT_TOKEN environment variable to the copied token value.

    $ export VAULT_TOKEN=<token>
    
  6. To verify the connectivity, invoke the Vault API to read the current token configuration.

    Option 1: Specify the target namespace in the X-Vault-Namespace header.

    $ curl --header "X-Vault-Token: $VAULT_TOKEN" \
       --header "X-Vault-Namespace: admin" \
       $VAULT_ADDR/v1/auth/token/lookup-self | jq -r ".data"
    

    Option 2: Create and use an environment variable for the target namespace.

    $ export VAULT_NAMESPACE=admin
    

    Perform a token lookup.

    $ curl --header "X-Vault-Token: $VAULT_TOKEN" \
       --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
       $VAULT_ADDR/v1/auth/token/lookup-self | jq -r ".data"
    

    Option 3: Prepend the API endpoint with the target namespace name ( <namespace_name>/auth/token/lookup-self).

    $ curl --header "X-Vault-Token: $VAULT_TOKEN" \
       $VAULT_ADDR/v1/admin/auth/token/lookup-self | jq -r ".data"
    

    Example output:

    {
      "accessor": "CDeirnF8ijVMtkckQozs4hdk.J9q4g",
      "creation_time": 1658343950,
      "creation_ttl": 21600,
      "display_name": "token-hcp-root",
      "entity_id": "cebf4e89-8f68-36c1-3325-68060d0e5cf1",
      "expire_time": "2022-07-21T01:05:50.84419125Z",
      "explicit_max_ttl": 0,
      "id": "hvs.QRSTUV-WXypd-96-ANTSChh5sqa5IB4ZVQ0Qo_iLBWaNIbnQGiYKImh2cy5raE1qZmtBd2lzTkJ3bExITjVZcjRhbFMuSjlxNGcQeg",
      "issue_time": "2022-07-20T19:05:50.84421504Z",
      "meta": null,
      "namespace_path": "admin/",
      "num_uses": 0,
      "orphan": true,
      "path": "auth/token/create/hcp-root",
      "policies": [
        "default",
        "hcp-root"
      ],
      "renewable": false,
      "role": "hcp-root",
      "ttl": 19083,
      "type": "service"
    }
    

Note

Remember that the initial namespace is admin when you are connecting to your HCP Vault cluster.
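
The token lookup above can also be scripted. The following is an added example, not part of the original tutorial: it builds the lookup-self request with the namespace in the header (Options 1 and 2) or in the path (Option 3), then reviews the response fields. The function names, the 900-second TTL threshold and the sample response are assumptions constructed for illustration.

```python
import json
import os
import urllib.request

# Constructed response, modelled on the tutorial's example output (token id omitted).
SAMPLE = json.dumps({"data": {
    "namespace_path": "admin/", "policies": ["default", "hcp-root"],
    "renewable": False, "ttl": 19083, "type": "service"}})

def lookup_request(addr, token, namespace, style="header"):
    """Build (url, headers) for auth/token/lookup-self.
    style="header" sends X-Vault-Namespace (Options 1 and 2);
    style="path" prefixes the namespace to the API path (Option 3).
    """
    base, ns = addr.rstrip("/"), namespace.strip("/")
    headers = {"X-Vault-Token": token}
    if style == "header":
        headers["X-Vault-Namespace"] = ns
        return f"{base}/v1/auth/token/lookup-self", headers
    if style == "path":
        return f"{base}/v1/{ns}/auth/token/lookup-self", headers
    raise ValueError(f"unknown style: {style}")

def fetch_lookup(addr, token, namespace):
    """Call the live API (needs network) and return the raw JSON body."""
    url, headers = lookup_request(addr, token, namespace)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()

def review_token(body, expected_ns="admin/", min_ttl=900):
    """Return findings about the token described by a lookup-self body."""
    data = json.loads(body)["data"]
    findings = []
    if data["namespace_path"] != expected_ns:
        findings.append(f"namespace is {data['namespace_path']}, expected {expected_ns}")
    if "hcp-root" in data["policies"]:
        findings.append("admin token: hcp-root policy attached")
    if 0 < data["ttl"] < min_ttl:  # ttl 0 means no expiry, so skip it
        findings.append(f"expires in {data['ttl']}s")
    if not data["renewable"]:
        findings.append("not renewable: generate a new token after expiry")
    return findings

if __name__ == "__main__":
    env = os.environ  # uses SAMPLE unless VAULT_ADDR and VAULT_TOKEN are set
    live = "VAULT_ADDR" in env and "VAULT_TOKEN" in env
    ns = env.get("VAULT_NAMESPACE", "admin")
    body = fetch_lookup(env["VAULT_ADDR"], env["VAULT_TOKEN"], ns) if live else SAMPLE
    print("\n".join(review_token(body)))
```

Reading the token from the VAULT_TOKEN environment variable, as the tutorial does, keeps it out of the script itself.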

Next steps

You logged into and accessed the HCP Vault cluster at the admin namespace. In Vault Enterprise, each namespace can be treated as its own isolated Vault environment. Learn more about namespaces in the Multi-tenancy with Namespaces tutorial.
