Setting up the Vault CLI

If you're already using the HashiCorp Vault command-line interface (CLI), you can use its CLI format and guidelines to interact with IBM Cloud® Secrets Manager.

All operations follow the guidelines that are available for the Vault CLI. To learn more about using the Vault CLI, check out the Vault documentation.

Prerequisites

  • Download and install the Vault CLI.

  • Create an IBM Cloud API key or generate an IBM Cloud IAM access token.

    When you provide your account credentials, Vault can determine who you are and whether you have the correct level of access to run specific Vault commands against your Secrets Manager instance.

  • Optional: Download and install jq.

    jq helps you slice up JSON data. The script in this tutorial uses jq to extract the access token that's returned when you call the IAM Identity Service API.

Setting up your environment

First, set up your environment to access a Secrets Manager service instance by using Vault. Start by creating a shell script that sets the credentials that are needed to authenticate to Vault.

  1. In a project directory, create a login-vault.sh file.

    touch login-vault.sh
    
  2. Copy and paste the following script into login-vault.sh and update the placeholder values.

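    #!/bin/sh
    # Source this file (source ./login-vault.sh) so that the exports reach your current shell.
    # It contains your API key: keep it out of version control.

    IBM_CLOUD_API_KEY="xxxxx"

    # Vault API endpoint of your Secrets Manager instance
    export VAULT_ADDR="https://<instance_ID>.<region>.secrets-manager.appdomain.cloud"

    # Exchange the API key for an IAM access token and extract it with jq
    export IAM_TOKEN="$(curl -s -X POST \
    "https://iam.cloud.ibm.com/identity/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -H "Accept: application/json" \
    -d "grant_type=urn%3Aibm%3Aparams%3Aoauth%3Agrant-type%3Aapikey&apikey=$IBM_CLOUD_API_KEY" | jq -j ".access_token")"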
    

    Replace the placeholder values according to the following table.

    Required variables that are needed to extract a token

    Variable             Description
    --------             -----------
    IBM_CLOUD_API_KEY    An IBM Cloud API key that has at least Viewer platform access and Reader service access to your Secrets Manager instance.
    VAULT_ADDR           The Vault API endpoint that's unique to your Secrets Manager instance.

    You can find your unique endpoint URL on the Endpoints page of the Secrets Manager UI, or retrieve it by HTTP request.

  3. Mark the file as executable by running the chmod command in your command line.

    chmod +x login-vault.sh
    
  4. Run the script to set your environment variables.

    source ./login-vault.sh
    
  5. Optional. Verify that the environment variables are set correctly by printing them to your command line window.

    echo "$VAULT_ADDR" && echo "$IAM_TOKEN"
    

    The output might look similar to the following example.

    https://e415e570-f073-423a-abdc-55de9b58f54e.us-south.secrets-manager.appdomain.cloud
    eyJraWQiOiIyMDIwMTAxODE3MDEiLCJhbGciOiJSUzI1NiJ9.eyJpYW1faWQi...(truncated)
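
An added example, not part of the IBM documentation: a pre-flight check for step 5 that validates the exported values without printing the token. It catches a placeholder left in `VAULT_ADDR` and the case where the IAM call fails and `jq` leaves `IAM_TOKEN` empty or set to `null`. All function names are hypothetical, the sample tokens are constructed and unsigned, and `base64 -d` assumes GNU coreutils or a recent macOS.

```shell
#!/bin/sh
# Added example: pre-flight checks for the values that login-vault.sh exports.
# All function names are hypothetical; base64 -d assumes GNU coreutils or recent macOS.

# check_vault_addr URL -> 0 only for an https endpoint with no placeholder left in it.
check_vault_addr() {
  printf '%s\n' "$1" |
    grep -Eq '^https://[A-Za-z0-9.-]+\.secrets-manager\.appdomain\.cloud$'
}

# b64url: base64url-encode stdin without padding (used only to build test tokens).
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# make_sample_token EXP -> constructed, unsigned, JWT-shaped string (not a real token).
make_sample_token() {
  printf '%s.%s.sig' "$(printf '{"alg":"none"}' | b64url)" \
    "$(printf '{"iam_id":"iam-ServiceId-example","exp":%s}' "$1" | b64url)"
}

# jwt_exp TOKEN -> prints the exp claim; fails unless TOKEN has exactly three parts.
jwt_exp() {
  case "$1" in
    *.*.*.*) return 1 ;;
    *.*.*) ;;
    *) return 1 ;;              # empty, or the literal "null" that jq prints
  esac
  _p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#_p} % 4 )) in     # restore the padding that base64url drops
    2) _p="$_p==" ;;
    3) _p="$_p=" ;;
    1) return 1 ;;
  esac
  printf '%s' "$_p" | base64 -d 2>/dev/null |
    sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# check_iam_token TOKEN [NOW] -> 0 if TOKEN is a JWT that expires after NOW (epoch s).
check_iam_token() {
  _now=${2:-$(date +%s)}
  _exp=$(jwt_exp "$1") || { echo "IAM_TOKEN is not a JWT (jq printed null?)" >&2; return 1; }
  [ -n "$_exp" ] || { echo "IAM_TOKEN has no exp claim" >&2; return 1; }
  [ "$_exp" -gt "$_now" ] || { echo "IAM_TOKEN expired at epoch $_exp" >&2; return 1; }
}

# After `source ./login-vault.sh`:
#   check_vault_addr "$VAULT_ADDR" && check_iam_token "$IAM_TOKEN" && echo "ready"
```

The check only decodes the token locally to read its expiry; it does not verify the signature, which remains the job of the service that receives the token.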
    

Logging in to Vault

After you configure your environment, log in to Vault to start interacting with your Secrets Manager instance.

  1. Authenticate to Vault by using your IBM Cloud IAM token.

    vault write auth/ibmcloud/login token="$IAM_TOKEN"
    

    The following example shows the output.

    Key                      Value
    ---                      -----
    token                    s.5DQYF57xU1qOAIj2PhnMC39H
    token_accessor           C14JDJ6KtwQKQR5UNR5NIC7J
    token_duration           1h
    token_renewable          true
    token_policies           ["default" "instance-manager"]
    identity_policies        []
    policies                 ["default" "instance-manager"]
    token_meta_grant_type    urn:ibm:params:oauth:grant-type:apikey
    token_meta_name          test-ibm-cloud-api-key
    token_meta_resource      crn:v1:bluemix:public:secrets-manager:us-south:a/791f5fb10986423e97aa8512f18b7e65:e415e570-f073-423a-abdc-55de9b58f54e::
    token_meta_user          iam-ServiceId-222b47ab-b08e-4619-b68f-8014a2c3acb8
    token_meta_bss_acc       791f5fb10986423e97aa8512f18b7e65
    
  2. Log in to Vault by using the token value that was returned in the previous step.

    vault login <token>
    

    The following example shows the output.

    Success! You are now authenticated. The token information displayed is
    already stored in the token helper. You do NOT need to run "vault login"
    again. Future Vault requests will automatically use this token.
    
    Key                      Value
    ---                      -----
    token                    s.6yFk0Z1IRi0Yc5DtwIKuENDJ
    token_accessor           BnEHQuAxTiHJGhP1x0hNqagV
    token_duration           57m58s
    token_renewable          true
    token_policies           ["default" "instance-manager"]
    identity_policies        []
    policies                 ["default" "instance-manager"]
    token_meta_grant_type    urn:ibm:params:oauth:grant-type:apikey
    token_meta_name          test-ibm-cloud-api-key
    token_meta_resource      crn:v1:bluemix:public:secrets-manager:us-south:a/791f5fb10986423e97aa8512f18b7e65:e415e570-f073-423a-abdc-55de9b58f54e::
    token_meta_user          iam-ServiceId-222b47ab-b08e-4619-b68f-8014a2c3acb8
    token_meta_bss_acc       791f5fb10986423e97aa8512f18b7e65
    

    Now you can use Vault CLI commands to interact with your Secrets Manager instance. To find out more, check out the CLI reference.