Access a HCP Vault Dedicated cluster

5min
|
HCP
Vault

Now that you have created a new HCP Vault Dedicated instance, you will need to perform some initial configuration to support your use case. A good practice is enabling auth methods to support user and workload authentication, and enabling secrets engines to store or generate secrets.

Vault Dedicated provides the same type of access as a self-hosted Vault cluster. You can access it through a command line interface (CLI) using the Vault binary, through the Vault API using common programming languages or tools such as cURL, or by using the Vault User Interface (UI).

Access the Vault cluster

Security consideration

When an HCP Vault Dedicated cluster has public access enabled, you can connect to Vault from any internet-connected device. If your use case requires public access, we recommend configuring the IP allow list to limit which IPv4 public IP addresses or CIDR ranges can connect to Vault.

When the HCP Vault Dedicated cluster has private access enabled, you will need to access the cluster from a connected cloud provider such as AWS with a VPC peering connection, an AWS transit gateway connection, or Azure with an Azure Virtual Network peering connection. For the purposes of this tutorial, your cluster should have public access enabled.

From the Overview page, click Generate token in the New admin token card.
Click Copy to copy the new token to your clipboard.
Click Launch web UI.
When the Vault UI launches in a new tab/window, enter the token in the Token field.
Click Sign In. Notice that your current namespace is admin/.

Prerequisite

To connect with Vault using the CLI, follow the Install Vault guide to download and install the Vault binary, then return to this tutorial.

Under Quick actions, click Public Cluster URL.
In a terminal, set the VAULT_ADDR environment variable to the copied address.
```
$ export VAULT_ADDR=<Public_Cluster_URL>
```

Verify your connectivity to the Vault cluster.

$ vault status

Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    1
Threshold                1
Version                  1.6.0+ent
Storage Type             raft
...snipped...

The Vault server is initialized and unsealed. By default, Vault enables the token authentication method.

Return to the Overview page and click Generate token.
Copy the Admin Token.

Return to the terminal and log in with Vault. When prompted, enter the generated admin token.

$ vault login
Token (will be hidden): <token>

The <token> placeholder represents the copied token value.

Example output:

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

token                hvs.QRSTUV-WXypd-96-ANTSChh5sqa5IB4ZVQ0Qo_iLBWaNIbnQGiYKImh2cy5raE1qZmtBd2lzTkJ3bExITjVZcjRhbFMuSjlxNGcQeg
token_accessor       CDeirnF8ijVMtkckQozs4hdk.J9q4g
token_duration       5h19m35s
token_renewable      false
token_policies       ["default" "hcp-root"]
identity_policies    []
policies             ["default" "hcp-root"]

View the current token configuration.

$ vault token lookup

Key                 Value
---                 -----
accessor            cTFg1IVnrsj1aanlwge5f32S.J9q4g
creation_time       1658344633
creation_ttl        1h
display_name        token
entity_id           cebf4e89-8f68-36c1-3325-68060d0e5cf1
expire_time         2022-07-20T20:17:13.323688775Z
explicit_max_ttl    0s
id                  hvs.QRSTUV-WXypd-96-ANTSChh5sqa5IB4ZVQ0Qo_iLBWaNIbnQGiYKImh2cy5raE1qZmtBd2lzTkJ3bExITjVZcjRhbFMuSjlxNGcQeg
issue_time          2022-07-20T19:17:13.323698855Z
meta                <nil>
namespace_path      admin/
num_uses            0
orphan              false
path                auth/token/create
policies            [default hcp-root]
renewable           true
ttl                 48m49s
type                service

Notice that namespace_path is admin/. This indicates that you are logged into the admin namespace.

Because you can create different namespaces, you should create a VAULT_NAMESPACE environment variable when accessing Vault.

Set the VAULT_NAMESPACE environment variable to admin.
```
$ export VAULT_NAMESPACE="admin"
```

Tip

The cURL examples in this tutorial use jq to process the JSON output for readability.

Under Quick actions, click the Public Cluster URL.
In a terminal, set the VAULT_ADDR environment variable to the copied address.
```
$ export VAULT_ADDR=<Public_Cluster_URL>
```
Return to the Overview page and click Generate token.
Copy the Admin Token.
Return to the terminal and set the VAULT_TOKEN environment variable to the copied token value.
```
$ export VAULT_TOKEN=<token>
```

To verify the connectivity, invoke the Vault API to read the current token configuration.

Option 1: Specify the target namespace in the X-Vault-Namespace header.

$ curl --header "X-Vault-Token: $VAULT_TOKEN" \
   --header "X-Vault-Namespace: admin" \
   $VAULT_ADDR/v1/auth/token/lookup-self | jq -r ".data"

Option 2: Create and use an environment variable for the target namespace.

$ export VAULT_NAMESPACE=admin

Perform a token lookup.

$ curl --header "X-Vault-Token: $VAULT_TOKEN" \
   --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
   $VAULT_ADDR/v1/auth/token/lookup-self | jq -r ".data"

Option 3: Prepend the API endpoint with the target namespace name ( <namespace_name>/auth/token/lookup-self).

$ curl --header "X-Vault-Token: $VAULT_TOKEN" \
   $VAULT_ADDR/v1/admin/auth/token/lookup-self | jq -r ".data"

Example output:

{
  "accessor": "CDeirnF8ijVMtkckQozs4hdk.J9q4g",
  "creation_time": 1658343950,
  "creation_ttl": 21600,
  "display_name": "token-hcp-root",
  "entity_id": "cebf4e89-8f68-36c1-3325-68060d0e5cf1",
  "expire_time": "2022-07-21T01:05:50.84419125Z",
  "explicit_max_ttl": 0,
  "id": "hvs.QRSTUV-WXypd-96-ANTSChh5sqa5IB4ZVQ0Qo_iLBWaNIbnQGiYKImh2cy5raE1qZmtBd2lzTkJ3bExITjVZcjRhbFMuSjlxNGcQeg",
  "issue_time": "2022-07-20T19:05:50.84421504Z",
  "meta": null,
  "namespace_path": "admin/",
  "num_uses": 0,
  "orphan": true,
  "path": "auth/token/create/hcp-root",
  "policies": [
    "default",
    "hcp-root"
  ],
  "renewable": false,
  "role": "hcp-root",
  "ttl": 19083,
  "type": "service"
}

Note

Remember that the initial namespace is admin when you are connecting to your HCP Vault Dedicated cluster.

Summary

You logged into and accessed the Vault Dedicated cluster at the admin namespace. In Vault Enterprise, each namespace is its own isolated Vault environment. Learn more about namespaces in the Multi-tenancy with Namespaces tutorial.

Create a cluster

Enable multi-tenancy