HashiCorp Certified: Vault Associate Certification
Learning the Vault Architecture
Vault Configuration File
In this guide, you’ll learn how to configure HashiCorp Vault for reliable, long-term operation—whether you’re running a single-node server or a multi-node cluster. Vault servers load their settings from a configuration file written in HCL or JSON. This file defines:
- Storage backend (Consul, S3, DynamoDB, Integrated Storage)
- Listener settings (API and cluster addresses, ports, TLS)
- Seal mechanism (AWS KMS, Azure KMS, Transit)
- Cluster parameters (cluster name, UI, API address, log level)
- Optional stanzas (telemetry, audit devices, etc.)
Running Vault with a Config File
To start Vault using your configuration file:
```shell
vault server -config /etc/vault.d/vault.hcl
```
Note
In production environments, manage Vault with a service manager like systemd or Windows Service Manager to ensure automatic startup and proper log handling.
Key Configuration Components
| Component | Description | Example |
|---|---|---|
| Storage | Persistent data backend | `storage "consul" { ... }` |
| Listener | Network interface, ports, and TLS settings | `listener "tcp" { address = "0.0.0.0:8200" }` |
| Seal | Auto-unseal mechanism configuration | `seal "awskms" { region = "us-east-1" }` |
| Telemetry | Metrics collection and export | `telemetry { prometheus_retention_time = "24h" }` |
| Audit devices | Write-ahead logs of Vault requests and responses | `audit "file" { path = "/var/log/vault_audit.log" }` |
Configuration Structure
A Vault configuration file comprises multiple named stanzas and top-level parameters. Here’s the skeleton in HCL:
```hcl
listener "tcp" {
  <param1> = <value1>
  <param2> = <value2>
}

seal "awskms" {
  <param1> = <value1>
  <param2> = <value2>
}

# Top-level settings
api_addr     = "<address>"
ui           = true
cluster_name = "<name>"
```
- listener: Defines the API port, cluster port, and TLS options.
- storage: Configures where Vault persists its data.
- seal: Sets up the auto-unseal provider (e.g., KMS).
- telemetry: Controls metrics export.
Top-level parameters include:
- api_addr
- cluster_addr
- ui
- cluster_name
- log_level
Basic Stanza Examples
```hcl
listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable     = true # Do NOT disable TLS in production
}

seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "12345678-abcd-1234-abcd-123456789101"
}
```
- listener: Binds Vault to all interfaces on ports 8200 (API) and 8201 (cluster).
- seal: Configures AWS KMS for automatic unseal.
Warning
Disabling TLS (`tls_disable = true`) is insecure. Always enable TLS (`tls_disable = false`) in production and provide valid certificates.
Production-Ready Configuration Example
Use this HCL template as a starting point for a highly available, production-grade Vault cluster:
```hcl
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
  token   = "1a2b3c4d-1234-abdc-1234-1a2b3c4d5e6a"
}

listener "tcp" {
  address                  = "0.0.0.0:8200"
  cluster_address          = "0.0.0.0:8201"
  tls_disable              = false
  tls_cert_file            = "/etc/vault.d/client.pem"
  tls_key_file             = "/etc/vault.d/cert.key"
  tls_disable_client_certs = true
}

seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "12345678-abcd-1234-abcd-123456789101"
  endpoint   = "example.kms.us-east-1.vpce.amazonaws.com"
}

api_addr     = "https://vault-us-east-1.example.com:8200"
cluster_addr = "https://node-us-east-1.example.com:8201"
cluster_name = "vault-prod-us-east-1"
ui           = true
log_level    = "INFO"
```
- storage.consul: Persists Vault data to a local Consul agent.
- tls_disable = false: Enforces TLS; certificates must be valid.
- seal.awskms.endpoint: Uses a VPC endpoint for secure AWS KMS access.
Vault Contents vs. Config File
The Vault configuration file does not manage:
- Secrets Engines
- Auth Methods
- Audit Devices (beyond file/device declaration)
- Vault Policies, Entities, and Groups
These resources are created inside Vault after initialization and unseal, using the CLI or API.
Summary of Stanzas
| Stanza | Required | Description |
|---|---|---|
| listener | Yes | API and cluster bindings, TLS settings |
| storage | Yes | Backend for storing Vault data |
| seal | No* | Auto-unseal provider |
| telemetry | No | Metrics publishing settings |
| audit | No | Audit device declarations |
| database | No | Database credentials rotation |

\*Vault can run without an auto-unseal seal stanza, but manual unseal is required at each startup.
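The TLS warning above and the required/optional stanza summary are the kind of thing worth checking mechanically before a config file reaches a server. The following script is an added example, not code from this course or from the Vault project: it uses a small purpose-built parser that understands only the flat layout shown on this page (one level of `block "label" { key = value }` plus top-level keys, with `#` comments), not full HCL, and reports `tls_disable = true`, a TLS listener without certificate files, a missing required `storage` or `listener` stanza, a missing `seal` stanza (manual unseal), and plaintext `http://` addresses. The two embedded configurations are constructed from the snippets on this page.

```python
"""Lint a Vault server config for the settings this guide warns about.

Added example; the parser below is purpose-built for the flat stanza
layout shown on this page and is not a general HCL parser.
"""
import re

# `listener "tcp" {` or `telemetry {` (label is optional)
STANZA_RE = re.compile(r'^(\w+)\s*(?:"([^"]*)")?\s*\{$')
# `key = value`
KV_RE = re.compile(r'^(\w+)\s*=\s*(.+)$')

# Constructed from the "Basic Stanza Examples" section: no storage, TLS off.
DEV_CONFIG = '''
listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable     = true # Do NOT disable TLS in production
}

seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "12345678-abcd-1234-abcd-123456789101"
}
'''

# Constructed from the "Production-Ready Configuration Example" section.
PROD_CONFIG = '''
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
  token   = "1a2b3c4d-1234-abdc-1234-1a2b3c4d5e6a"
}

listener "tcp" {
  address                  = "0.0.0.0:8200"
  cluster_address          = "0.0.0.0:8201"
  tls_disable              = false
  tls_cert_file            = "/etc/vault.d/client.pem"
  tls_key_file             = "/etc/vault.d/cert.key"
  tls_disable_client_certs = true
}

seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "12345678-abcd-1234-abcd-123456789101"
  endpoint   = "example.kms.us-east-1.vpce.amazonaws.com"
}

api_addr     = "https://vault-us-east-1.example.com:8200"
cluster_addr = "https://node-us-east-1.example.com:8201"
cluster_name = "vault-prod-us-east-1"
ui           = true
log_level    = "INFO"
'''


def strip_comment(line):
    """Drop a trailing '#' comment, leaving '#' inside quoted strings alone."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def parse_value(raw):
    """Quoted strings become str, true/false become bool, anything else is kept raw."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    return raw


def parse_config(text):
    """Return {"top": {key: value}, "stanzas": [(name, label, {key: value}), ...]}."""
    top, stanzas, current = {}, [], None
    for line in text.splitlines():
        line = strip_comment(line).strip()
        if not line:
            continue
        m = STANZA_RE.match(line)
        if m and current is None:
            current = (m.group(1), m.group(2), {})
            continue
        if line == "}" and current is not None:
            stanzas.append(current)
            current = None
            continue
        m = KV_RE.match(line)
        if m:
            target = current[2] if current is not None else top
            target[m.group(1)] = parse_value(m.group(2))
    return {"top": top, "stanzas": stanzas}


def lint(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    cfg = parse_config(text)
    names = {name for name, _, _ in cfg["stanzas"]}
    findings = []
    for name, _label, params in cfg["stanzas"]:
        if name == "listener":
            if params.get("tls_disable") is True:
                findings.append("listener: tls_disable = true (API traffic would be plaintext)")
            elif not params.get("tls_cert_file") or not params.get("tls_key_file"):
                findings.append("listener: TLS enabled but tls_cert_file/tls_key_file missing")
    for required in ("storage", "listener"):
        if required not in names:
            findings.append(f"{required}: required stanza missing")
    if "seal" not in names:
        findings.append("seal: no auto-unseal stanza; manual unseal needed at every startup")
    for key in ("api_addr", "cluster_addr"):
        val = cfg["top"].get(key)
        if isinstance(val, str) and val.startswith("http://"):
            findings.append(f"{key}: plaintext http:// address")
    return findings


if __name__ == "__main__":
    for label, text in (("dev", DEV_CONFIG), ("prod", PROD_CONFIG)):
        print(f"{label}: {lint(text) or ['no findings']}")
```

Run it directly to see the dev snippet flagged for disabled TLS and a missing `storage` stanza while the production template passes; point `lint()` at the contents of your own file (for example `/etc/vault.d/vault.hcl`) to check it before starting the server.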