Allowing access to Vault across team

I have a small EKS cluster running Vault with Raft as the storage backend. How do I allow other people to play around with Vault (and be able to access the Web UI) without having to log into the pods? I think I would need to create a K8s Ingress (similar to this question), is that correct? I’m not necessarily looking for an answer with code, just want to make sure I’m on the right track.

My goal is just to stand up a test Vault server (it could be in Dev mode) for a few people to use and just see how it functions. I'd like for them to be able to access Vault on their own machines, without having to log into a K8s pod or EC2 instance. I thought about setting up a Vault server in Dev mode on an Amazon Linux EC2 instance, but I believe that would need to be port forwarded to work. If there are any suggestions, please let me know. Thank you in advance as I continue to learn this product!

Yes you’d need to have some method for accessing the port. For Kubernetes that might be an ingress while for an EC2 instance that might just be security group rules or an ALB/NLB.

I would caution against using dev mode. It is only really designed for short term playing around, as all data is stored in memory. As soon as the application is stopped you lose everything and have to start again from scratch.


I think we need more information here: what is stopping your team from accessing Vault? Vault is not a local application; it's available over the network on port 8200 by default. So what's stopping them from visiting the IP:8200 of the ingress and accessing the UI?

If you're asking about authentication, there is a simple static userpass auth engine that you can set up and just create accounts for everyone.


I ended up setting up a new EC2 instance:

  • Amazon Linux
  • Public IP, all Security Group inbound/outbound traffic open (this instance is just for temporary testing)
  • Vault running in Dev mode

If the EC2 public IP is 1.2.3.4, how do I run Vault commands from my local machine? From my local machine, if I run export VAULT_ADDR='http://127.0.0.1:8200', export VAULT_TOKEN=, then try vault status, it returns "Error checking seal status: Get 'http://127.0.0.1:8200/v1/sys/seal-status': dial tcp 127.0.0.1:8200: connect: connection refused".

From the local machine, running export VAULT_ADDR='http://1.2.3.4:8200', export VAULT_TOKEN, then vault status returns the same error.

I tried doing a port forward by running: ssh -i ec2-user@1.2.3.4 -L 8080:1.2.3.4:8200 but that doesn’t seem to do anything; I can’t access the web UI with this.

Can someone please help with this?

I maintain vault on EKS cluster and use the ingress that comes with the helm deployment for access from outside.


127.0.0.1 is “localhost” which will try to connect to the machine where the command is running.

Without any other configuration Vault (dev mode) will bind to 127.0.0.1, which again is localhost ONLY. It isn’t going to accept connections from any other networks, including the public ip address you assigned to the EC2 instance.

Vault dev mode is for "testing" and development on your local machine; that's why by default it doesn't bind to anything else.

You have to configure Vault to bind to the public IP.

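The fix described in the answer above, written out as an added example that is not part of the thread: the dev-mode flag that changes the bind address, the SSH-tunnel alternative that leaves Vault on loopback, and a minimal non-dev Raft config for when the data should survive a restart. The public IP 1.2.3.4 comes from the thread; the private IP 10.0.0.5, the key path ~/.ssh/vault-test.pem and the data path /opt/vault/data are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumed values: the EC2 instance has
# public IP 1.2.3.4 (as in the thread) and a hypothetical private IP 10.0.0.5;
# the SSH key path ~/.ssh/vault-test.pem is also an assumption.
set -euo pipefail

# Dev mode binds to 127.0.0.1:8200 unless told otherwise. This builds the
# command that makes a dev server reachable from other hosts (plain HTTP,
# in-memory storage, root token known in advance: throwaway testing only).
vault_dev_cmd() {
  local listen="${1:-0.0.0.0:8200}"
  printf 'vault server -dev -dev-listen-address=%s -dev-root-token-id=root\n' "$listen"
}

# Safer alternative that keeps Vault on loopback: an SSH tunnel from the
# operator's laptop. The forward target must be 127.0.0.1:8200 as seen from
# the EC2 host, because that is the only address a dev server listens on;
# the laptop then uses VAULT_ADDR=http://127.0.0.1:<local_port>.
ssh_tunnel_cmd() {
  local key="$1" user_host="$2" local_port="${3:-8200}"
  printf 'ssh -i %s -N -L %s:127.0.0.1:8200 %s\n' "$key" "$local_port" "$user_host"
}

# Minimal non-dev config with Raft storage that listens on all interfaces.
# api_addr must be an address the other team members can reach;
# cluster_addr is only used between Raft peers.
render_vault_config() {
  local private_ip="$1"
  cat <<EOF
ui = true

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = true   # plain HTTP; acceptable only on a short-lived test box
}

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-test-1"
}

api_addr     = "http://${private_ip}:8200"
cluster_addr = "https://${private_ip}:8201"
EOF
}

# Returns non-zero for loopback-only listen addresses, which is the exact
# mistake in the thread (VAULT_ADDR pointed at the public IP while Vault
# was bound to localhost).
listener_reachable_remotely() {
  case "$1" in
    127.*|localhost:*|\[::1\]:*) return 1 ;;
    *) return 0 ;;
  esac
}

# Demonstration of the pieces above.
vault_dev_cmd
ssh_tunnel_cmd ~/.ssh/vault-test.pem ec2-user@1.2.3.4
render_vault_config 10.0.0.5
```

The environment variable VAULT_DEV_LISTEN_ADDRESS does the same job as the -dev-listen-address flag. With the security group fully open, a dev server on 0.0.0.0:8200 is reachable by anyone on the internet over plain HTTP with a root token that never expires, so the tunnel is the better choice for the temporary setup in the thread; binding to all interfaces only buys convenience.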

I updated the config to bind to the correct address. Thank you so much, Aram.