Install HashiCorp Vault (OSS) on Windows with PowerShell - single-node lab setup

# The goal of this script is to stand up a single-node Vault instance for use as a lab system.
# It is deliberately NOT hardened: the listener is plain HTTP on loopback, there is a single
# unseal key, and the root token is written to disk. Do not reuse it as-is for anything else.
# The computer used must have outbound access to the Internet.
# The script will download all the required executables.
# 
#
# Install Vault. 
# Set up a folder structure for Vault and its data
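# Set up a folder structure for the Vault binary ($programPath) and its data ($dataPath).
# $env:SystemDrive carries the same value Win32_OperatingSystem.SystemDrive reports, so the
# three WMI round-trips are unnecessary; Get-WmiObject is also absent from PowerShell 7+.
$systemDrive      = $env:SystemDrive
$programPath      = Join-Path $systemDrive 'Program Files\vault'
$dataPath         = Join-Path $systemDrive 'vault'
$installFilesPath = Join-Path $dataPath 'installFiles'

# -Force makes New-Item idempotent (no error when the directory already exists).
New-Item -ItemType Directory -Path $programPath -Force
New-Item -ItemType Directory -Path $dataPath -Force
# config: vault-config.hcl and the init output; logs: server log; raft: storage backend
# directory (the sample config uses the "file" backend despite the name); policies: .hcl files.
foreach ($subDir in 'config', 'logs', 'scripts', 'raft', 'policies') {
    New-Item -ItemType Directory -Path (Join-Path $dataPath $subDir) -Force
}
New-Item -ItemType Directory -Path $installFilesPath -Force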
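# get the software
# The original downloaded into $vaultOutFile BEFORE assigning it (empty -OutFile), so the
# download never landed where Expand-Archive looked. Build every name from one version
# string so the URL, the archive name and the checksum file cannot drift apart.
$vaultVersion = '1.13.0'
$vaultZipName = "vault_${vaultVersion}_windows_amd64.zip"
$vaultBaseURL = "https://releases.hashicorp.com/vault/$vaultVersion"
$vaultURL     = "$vaultBaseURL/$vaultZipName"
$vaultOutFile = "$installFilesPath\$vaultZipName"

# releases.hashicorp.com only speaks TLS 1.2+; Windows PowerShell 5.1 on older builds does not
# offer it by default, which shows up as a generic "could not create SSL/TLS secure channel".
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $vaultURL -OutFile $vaultOutFile -UseBasicParsing

# Verify the archive against HashiCorp's published SHA256SUMS before executing anything from it.
# This only proves the zip is the one the release page lists (both come over the same HTTPS
# channel); the stronger check is the detached .sig on that SHA256SUMS file verified against
# HashiCorp's release signing key, which needs gpg and is left as a TODO for this lab.
$sumsName = "vault_${vaultVersion}_SHA256SUMS"
$sumsFile = "$installFilesPath\$sumsName"
Invoke-WebRequest -Uri "$vaultBaseURL/$sumsName" -OutFile $sumsFile -UseBasicParsing
$sumsLine = Select-String -Path $sumsFile -SimpleMatch -Pattern $vaultZipName | Select-Object -First 1
if (-not $sumsLine) {
    throw "No entry for $vaultZipName in $sumsFile - refusing to install an unverified archive."
}
# SHA256SUMS lines are "<hex digest>  <file name>"; string -ne is case-insensitive in PowerShell,
# so the lowercase digest compares cleanly against Get-FileHash's uppercase output.
$expectedHash = ($sumsLine.Line -split '\s+')[0]
$actualHash   = (Get-FileHash -Path $vaultOutFile -Algorithm SHA256).Hash
if ($actualHash -ne $expectedHash) {
    Remove-Item -Path $vaultOutFile -Force
    throw "SHA256 mismatch for $vaultZipName (expected $expectedHash, got $actualHash) - download discarded."
}

# install the software (-Force so a re-run overwrites an existing vault.exe)
Expand-Archive -Path $vaultOutFile -DestinationPath $programPath -Force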
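# add executables to the machine PATH.
# Uses $programPath (computed from the system drive above) instead of a hard-coded C:\, and
# skips the append when the entry is already there so repeated runs do not grow PATH.
$machinePath = [Environment]::GetEnvironmentVariable('Path', [EnvironmentVariableTarget]::Machine)
if (($machinePath -split ';') -notcontains $programPath) {
    [Environment]::SetEnvironmentVariable(
        'Path',
        "$machinePath;$programPath",
        [EnvironmentVariableTarget]::Machine)
}
# Also extend the current session so `vault` resolves without reopening the shell.
if (($env:Path -split ';') -notcontains $programPath) {
    $env:Path = "$env:Path;$programPath"
}

# add environment variables Vault uses.
# All three are plain http on the loopback address. That is only acceptable because the lab
# listener (vault-config.hcl) binds 127.0.0.1 with TLS disabled; anything reachable from
# another host must be https. The port must match the listener's address.
$vaultEnv = @{
    VAULT_API_ADDR     = 'http://127.0.0.1:8100'
    VAULT_ADDR         = 'http://127.0.0.1:8100'
    VAULT_CLUSTER_ADDR = 'http://127.0.0.1:8101'
}
foreach ($varName in $vaultEnv.Keys) {
    [Environment]::SetEnvironmentVariable(
        $varName,
        $vaultEnv[$varName],
        [EnvironmentVariableTarget]::Machine)
    # Machine-scope changes are not visible to an already-running process; export into this
    # session too so the init/unseal steps below can talk to the server straight away.
    Set-Item -Path "Env:$varName" -Value $vaultEnv[$varName]
}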

# Manual - Create the Vault config at c:\vault\config\vault-config.hcl with the content below
# before running the "start" step further down; this script does not write the file.
# Lab-only settings - read these before reusing the config anywhere else:
#  - tls_disable = "true" is tolerable ONLY because the listener binds 127.0.0.1. If the address
#    is ever changed to a routable interface, configure tls_cert_file / tls_key_file instead.
#  - disable_mlock = true stops Vault from trying to lock its memory. Windows has no mlock
#    support, so it is moot here; on other platforms it lets unsealed key material reach swap.
#  - storage "file" is a single-node, non-HA backend. The directory is named "raft" but no raft
#    storage is configured by this example.
#  - The listener port (8100) must match VAULT_ADDR / VAULT_API_ADDR set above.
<#
disable_mlock = true
ui            = true

listener "tcp" {
  address     = "127.0.0.1:8100"
  tls_disable = "true"
}

storage "file" {
  path = "c:/vault/raft"
}
#>
# Create the initial policies
# Vault administrator policy (HCL). Single-quoted here-string: the text is literal, so nothing in
# it is subject to PowerShell expansion. "Secrets/*" refers to the kv mount enabled further down;
# a wildcard on the mount root covers both kv v1 keys and the data/ and metadata/ sub-paths of
# kv v2. "sudo" is only meaningful on root-protected sys/ paths; it is harmless elsewhere.
$vaultAdministratorPolicy = @'
# Allow managing leases
path "sys/leases/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage auth methods broadly across Vault
path "auth/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Create, update, and delete auth methods
path "sys/auth/*"
{
  capabilities = ["create", "update", "delete", "sudo"]
}

# List auth methods
path "sys/auth"
{
  capabilities = ["read"]
}

# List existing policies
path "sys/policies/acl"
{
  capabilities = ["read","list"]
}

# Create and manage ACL policies
path "sys/policies/acl/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List, create, update, and delete key/value secrets
path "Secrets/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage secret engines
path "sys/mounts/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List existing secret engines.
path "sys/mounts"
{
  capabilities = ["read"]
}

# Read health checks
path "sys/health"
{
  capabilities = ["read", "sudo"]
}
'@

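# Password user policy (HCL). Intent: read/update/list across the Secrets mount, but list-only
# under RestrictedAccess. Vault applies the most specific matching rule, so the RestrictedAccess
# rules override "Secrets/*" for that subtree.
# The original only narrowed "Secrets/data/RestrictedAccess/*". That path exists on a kv v2
# mount; on kv v1 (what "vault secrets enable kv" gives without -version) the key path is
# "Secrets/RestrictedAccess/<key>", the rule never matches, and the subtree stays readable
# through "Secrets/*". Both forms are listed so the restriction holds whichever kv version the
# mount ends up with; the metadata/ rule keeps kv v2 listing available without update rights.
$passwordUserPolicy = @'
# kv v1 key path (and kv v2 is unaffected by it)
path "Secrets/RestrictedAccess/*" {
	capabilities = ["list"]
}
# kv v2 value path
path "Secrets/data/RestrictedAccess/*" {
	capabilities = ["list"]
}
# kv v2 listing path
path "Secrets/metadata/RestrictedAccess/*" {
	capabilities = ["list"]
}
path "Secrets/*" {
	capabilities = ["read","update","list"]
}
'@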

# Password super-user policy (HCL).
# NOTE(review): this is byte-for-byte the same as $passwordUserPolicy, so a "super user"
# currently gets nothing extra. Nothing in this file says what the difference should be
# (read on RestrictedAccess would be the obvious candidate) - confirm with the lab owner.
# The "Secrets/data/..." rule only matches on a kv v2 mount; on kv v1 the key path is
# "Secrets/<key>", that rule never applies, and RestrictedAccess is readable via "Secrets/*".
$passwordSuperUserPolicy = @"
path "Secrets/data/RestrictedAccess/*" {
	capabilities = ["list"]
}
path "Secrets/*" {
	capabilities = ["read","update","list"]
}
"@

# Password administrator policy (HCL): read/update/list over the whole Secrets mount, with no
# narrowing rule, so RestrictedAccess is readable here (the apparent difference from the user
# policies). It grants neither "create" nor "delete"; Vault generally requires "create" for a
# write to a path that does not exist yet, so this role looks limited to changing existing
# secrets - presumably intentional for the lab, verify.
$passwordAdministratorPolicy = @"
path "Secrets/*" {
	capabilities = ["read","update","list"]
}
"@

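# Write each policy to $dataPath\policies\<name>.hcl so it can be loaded into Vault (UI or
# `vault policy write <name> <file>`). Windows PowerShell 5.1 defaults Out-File to UTF-16LE
# with a BOM, which is not what an HCL loader expects; the policy text is pure ASCII, so ASCII
# is forced to get a byte-identical, BOM-free file on every PowerShell version.
$policyFiles = @{
    vaultAdministratorPolicy    = $vaultAdministratorPolicy
    passwordUserPolicy          = $passwordUserPolicy
    passwordSuperUserPolicy     = $passwordSuperUserPolicy
    passwordAdministratorPolicy = $passwordAdministratorPolicy
}
foreach ($policyName in $policyFiles.Keys) {
    $policyFiles[$policyName] | Out-File -FilePath "$dataPath\policies\$policyName.hcl" -Encoding ascii
}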

# You now have all the setup and executables to run Vault on your computer.
# The environment variables above were written at Machine scope, so exit this shell to pick up
# the changes, reopen the ISE (or a new PowerShell session) and load this file before continuing.
# The next step is to start and initialize the Vault.
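# Start the Vault server in a background job. The call operator with an explicit executable
# path replaces Invoke-Expression, so the command line is not re-parsed as a string. Stdout and
# stderr are appended to the log file. trace-level logging is extremely verbose; it is kept for
# the lab, but treat the log file as sensitive.
$vaultExe        = Join-Path $programPath 'vault.exe'
$vaultConfigFile = "$dataPath\config\vault-config.hcl"
$vaultLogFile    = "$dataPath\logs\vault.log"
if (-not (Test-Path $vaultConfigFile)) {
    throw "Vault config not found at $vaultConfigFile - create it first (see the commented example above)."
}
Start-Job -ScriptBlock {
    param($exe, $configFile, $logFile)
    & $exe server "-log-level=trace" "-config=$configFile" *>> $logFile
} -ArgumentList $vaultExe, $vaultConfigFile, $vaultLogFile

# The CLI reads VAULT_ADDR; if this session predates the Machine-scope variable set above,
# pick that value up rather than hard-coding the address a second time.
if (-not $env:VAULT_ADDR) {
    $env:VAULT_ADDR = [Environment]::GetEnvironmentVariable('VAULT_ADDR', [EnvironmentVariableTarget]::Machine)
}

# Wait until the listener answers before initializing - the original raced the job start.
# sys/health returns non-200 codes for an uninitialized/sealed node by default; the query
# parameters map those two states to 200 so a plain status check is enough here.
$healthUrl = "$($env:VAULT_ADDR)/v1/sys/health?uninitcode=200&sealedcode=200"
$deadline  = (Get-Date).AddSeconds(60)
$ready     = $false
do {
    Start-Sleep -Seconds 1
    try {
        $ready = (Invoke-WebRequest -Uri $healthUrl -UseBasicParsing -TimeoutSec 5).StatusCode -eq 200
    } catch {
        $ready = $false   # connection refused / not listening yet
    }
} until ($ready -or ((Get-Date) -gt $deadline))
if (-not $ready) {
    throw "Vault did not become reachable at $env:VAULT_ADDR within 60 seconds; check $vaultLogFile"
}

# Initialize with a single unseal key (lab only - anything real uses several Shamir shares or
# auto-unseal). -format=json replaces scraping the third word of output lines 1 and 3, which
# silently breaks whenever the CLI's human-readable layout changes.
$vaultInit   = & $vaultExe operator init -key-shares=1 -key-threshold=1 -format=json | ConvertFrom-Json
$unsealToken = $vaultInit.unseal_keys_b64[0]
$rootToken   = $vaultInit.root_token

# Persist the init material so the lab can be unsealed again after a restart. This file holds
# the root token and the only unseal key in plain text: strip inherited ACLs and grant the
# current user alone, and do not copy it anywhere else.
$initFile = "$dataPath\config\vaultInitString.txt"
$vaultInit | ConvertTo-Json | Out-File -FilePath $initFile -Encoding ascii
$currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
icacls $initFile /inheritance:r /grant:r "${currentUser}:(R,W)" | Out-Null

# The unseal key is still passed as an argument (visible in process listings on this host);
# acceptable on a single-user lab box. The root token is fed on stdin so it stays out of the
# command line and the session history.
& $vaultExe operator unseal $unsealToken
$rootToken | & $vaultExe login -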
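# Now configure key/value (kv) secrets engines.
# kv version 2 is chosen explicitly: the password policies above narrow
# "Secrets/data/RestrictedAccess/*", and that data/ prefix only exists on a kv v2 mount.
# "vault secrets enable kv" without -version gives kv v1, under which that rule never matches
# and the RestrictedAccess subtree would be readable through the "Secrets/*" grant.
vault secrets enable -path=Secrets -version=2 kv
vault secrets enable -path=User -version=2 kv
# Create the restricted-use path. Note: paths come into existence by writing a secret under
# them; when the last secret under a sub-path is gone, the sub-path is gone too, so this
# placeholder is kept.
vault kv put Secrets/RestrictedAccess/firstSecret ReadMe='Do not delete'
# create the test user paths under User
$labUsers = 'vaultPasswordUser', 'vaultPasswordAdmin', 'vaultSuperPasswdUser', 'vaultAdmin'
foreach ($labUser in $labUsers) {
    vault kv put "User/$labUser/firstSecret" ReadMe='Do not delete'
}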
# load the policies
# Option A (CLI - the session is already logged in with the root token):
#   vault policy write <policyName> c:\vault\policies\<policyName>.hcl   for each .hcl file
# Option B (UI): open a browser to http://localhost:8100, log in with the Token method using the
# root token, navigate to Policies and load each file from your policies folder.
# Once an admin auth method and user exist, stop using the root token for day-to-day work and
# revoke it (`vault token revoke <rootToken>`); a new one can be minted later with
# `vault operator generate-root` using the unseal key saved in vaultInitString.txt.