HashiCorp Cloud Platform (HCP) Vault enables you to quickly deploy a Vault Enterprise cluster in AWS. As a fully managed service, it allows you to leverage Vault as a central secret management service while offloading the operational burden to the Site Reliability Engineering (SRE) experts at HashiCorp.
In this tutorial, you will deploy a Vault Enterprise cluster guided by the HCP portal quickstart.
You will need an HCP account.
Previous experience with Vault and Vault Enterprise are not required to deploy a Vault server in HCP.
»Create a Vault cluster
Launch the HCP Portal and login.
HashiCorp Cloud Platform (HCP) provides your account with an organization. Your account may invite others to join your organization or you may be invited to join other organizations.
Choose your organization.
From the Overview page, click Deploy Vault.
At the Create a HashiCorp Virtual Network page, you can accept or modify the default Network name.
Select the desired AWS region from the Region selection drop-down list.
Accept or modify the default CIDR block.
Click Create network. This takes a few minutes.
Once the network is created, click +Create cluster and select Vault.
Accept or edit the default Cluster ID (
Under Choose a tier, select Development for this tutorial.
For a development cluster, Extra Small is the only available cluster size.
Shift the toggle button for the Allow public connections from outside our selected network option.
Click Create cluster.
»Vault cluster overview
The Vault page displays the created Vault cluster. Within that view, the Overview tab displays the Vault configuration. These details enable you to administer the Vault server through the Web UI or command-line interface (CLI).
NOTE: The cluster is created with a top-level Namespace called
enable you to create isolated Vault environments.
»Access the Vault cluster
Under Vault configuration, click the Public Cluster URL.
In a new browser window, enter the copied address.
The login page is displayed. By default Vault enables the token authentication method.
Return to the Vault configuration and click +Generate token. When a confirmation dialog appears, click Generate admin token to proceed. An Admin Token pop-up dialog displays the token.
Copy the Admin Token.
Return to the Vault UI, enter the token in the Token field.
Click Sign In. Notice that your current namespace is
Login did not require you to specify the
admin namespace because it is
embedded in the token. For example, the token
defines its type (
s), the token (
jcB5UmbkSYut4HBMY8GDPC8Q), and the
You created a Vault cluster and logged into the cluster at its
namespace. In Vault Enterprise, each namespace can be treated as its own
isolated Vault environment. Learn more about namespaces in the Multi-tenancy
with Namepaces tutorial.