HashiCorp Cloud Platform (HCP) Vault provides access to critical operational tasks, such as sealing the cluster, accessing audit logs, and managing data snapshots.
In this tutorial, you will perform these operational tasks.
NOTE: This tutorial assumes that you created and connected to the HCP Vault cluster in the Create a Vault Cluster on HashiCorp Cloud Platform (HCP) tutorial.
»Seal and unseal the Vault cluster
Intrusion detection or data breaches may require you to seal the Vault cluster.
WARNING: Sealing a cluster prevents all access to the cluster until it is unsealed.
»Seal the cluster
Under Security, click Seal this cluster.
A Seal Vault? pop-up dialog displays a warning and explanation of the seal operation.
Enter
SEALinto the Confirm seal field.
Click Seal to proceed. When it completes, the cluster state changes to Sealed.
»Unseal the cluster
Click Unseal this cluster.
A Are you sure you want to unseal Vault? pop-up dialog displays a warning and explanation of the unseal operation.
Enter
UNSEALinto the Confirm unseal field.Click Unseal.
The Vault cluster unseals. The Vault Overview page displays the Vault configuration and available operations.
»Data snapshots
NOTE: Snapshots are not available for Dev tier clusters. Since you created a development cluster to go through this tutorial, this section is informational only.
Preserving Vault data is critical to production operations and particularly for disaster or sabotage recovery purposes. Vault offers a snapshot functionality for the underlying storage to preserve data based on your requirements.
»Create snapshot
Follow these steps to manually snapshot your Vault data as needed.
Select the Snapshots tab.
The view displays a history of the snapshots created.
Click Create a snapshot. A Create snapshot pop-up dialog displays.
Enter a name in the Snapshot name field.
Click Create snapshot.
The view displays the snapshot history. The latest snapshot is appended to the snapshot list. While the snapshot is in progress it will display a pending animation in the Status column.
NOTE: The duration of time needed for the snapshot to complete can vary and largely depends on the size the of data stored in your Vault cluster.
When the snapshot operation completes and the snapshot is available, the Status changes to Stored.
NOTE: HCP persists the snapshots for up to 30 days after creation, checks every 24 hours, and prunes expired snapshots.
»Restore snapshot
You can use the snapshots to restore data if it ever becomes necessary.
Select the Snapshots tab.
Select the ellipsis (...) menu next to the snapshot entry, and choose Restore.
A confirmation dialog appears; enter
RESTOREand click Restore snapshot to confirm restoration.A final dialog appears to inform you that the restoration of the selected snapshot is in progress.
NOTE: You will also notice in this screenshot example, that a second snapshot is created just before the snapshot is restored. It is a periodic snapshot taken before the restore so that you can roll back from the restore to a point in time before it occurred if necessary.
»Delete snapshot
When you need to delete data snapshots, you can do so by following these steps.
Select the Snapshots tab.
Select the ellipsis (...) menu next to the snapshot entry, and choose Delete.
A confirmation dialog appears; enter
DELETEand click Delete snapshot to confirm snapshot deletion.A Snapshot deleting dialog appears. Once the snapshot is deleted, it no longer appears in the snapshot list.
»Access the audit log for troubleshooting
NOTE: Audit logging is not available on Dev-tier clusters. Since you created a development cluster to go through this tutorial, this section is informational only.
Effective troubleshooting of requests and responses to Vault requires access to the audit device logs.
HCP Vault enables a File Audit Device by default. This device provides the last hour of Vault requests in a downloadable archive. These logs may be imported into your preferred tooling for auditing and troubleshooting.
From the Vault cluster overview page, select Audit Logs.
From the Audit logs view, click the Download button within the Download audit logs box.
A Download audit logs pop-up dialog displays.Use the Start date and Start time components to specify the audit log starting position. The log file will cover a 1 hour period after the date and time that you select.
When the archive is created, a new Download audit logs pop-up dialog displays. The archive is presented with the specific time-frame covered by the log file.
NOTE: The file is only available to download for 10 minutes; after this time elapses, you must begin the download process from the first step.
Click the download icon.
The downloaded file is a gzip compressed file. The filename contains the start
and end timestamps as part of its filename (e.g.
auditlogs-vault-cluster-202102021400-202102021500.gz).
Refer to the HCP Vault Monitoring tutorial collection to learn how to stream out your audit logs to Datadog, Grafana Cloud, or Splunk.
»Next steps
You sealed the cluster, accessed audit logs, and managed data snapshots.
Learn more about Vault operations exploration of the Operations Fundamentals tutorials.
»Additional tutorials
If you want to create a transit gateway attachment from your Amazon Transit Gateway to your HCP Virtual Network (HVN), go through the Connect an Amazon Transit Gateway to your HashiCorp Virtual Network tutorial.
The Policies collection lists additional tutorials that cover more advanced policy examples.
Vault offers a number of secrets engines. To learn more, visit the Secrets Management collection and learn how to enable and configure secrets engines that you are interested in.
When you are ready to integrate your applications to read secrets from Vault, visit the App Integration collection for examples.
