HashiCorp Certified: Vault Associate Certification

Learning the Vault Architecture

Vault Configuration File

In this guide, you’ll learn how to configure HashiCorp Vault for reliable, long-term operation—whether you’re running a single-node server or a multi-node cluster. Vault servers load their settings from a configuration file written in HCL or JSON. This file defines:

  • Storage backend (Consul, S3, DynamoDB, Integrated Storage)
  • Listener settings (API and cluster addresses, ports, TLS)
  • Seal mechanism (AWS KMS, Azure KMS, Transit)
  • Cluster parameters (cluster name, UI, API address, log level)
  • Optional stanzas (telemetry, audit devices, etc.)

Running Vault with a Config File

To start Vault using your configuration file:

vault server -config /etc/vault.d/vault.hcl

Note

In production environments, manage Vault with a service manager like systemd or Windows Service Manager to ensure automatic startup and proper log handling.

Key Configuration Components

Component      | Description                                        | Example
---------------|----------------------------------------------------|-----------------------------------------------------
Storage        | Persistent data backend                            | storage "consul" { ... }
Listener       | Network interface, ports, and TLS settings         | listener "tcp" { address = "0.0.0.0:8200" }
Seal           | Auto-unseal mechanism configuration                | seal "awskms" { region = "us-east-1" }
Telemetry      | Metrics collection and export                      | telemetry { prometheus_retention_time = "24h" }
Audit devices  | Write-ahead logs of Vault requests and responses   | audit "file" { path = "/var/log/vault_audit.log" }

Configuration Structure

A Vault configuration file comprises multiple named stanzas and top-level parameters. Here’s the skeleton in HCL:

listener "tcp" {
  <param1> = <value1>
  <param2> = <value2>
}

storage "<backend>" {
  <param1> = <value1>
}

seal "awskms" {
  <param1> = <value1>
  <param2> = <value2>
}

# Top-level settings
api_addr     = "<address>"
ui           = true
cluster_name = "<name>"

  • listener: Defines the API port, cluster port, and TLS options.
  • storage: Configures where Vault persists its data.
  • seal: Sets up the auto-unseal provider (e.g., KMS).
  • telemetry: Controls metrics export.

Top-level parameters include:

  • api_addr
  • cluster_addr
  • ui
  • cluster_name
  • log_level

Basic Stanza Examples

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable     = true    # Do NOT disable TLS in production
}

seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "12345678-abcd-1234-abcd-123456789101"
}

  • listener: Binds Vault to all interfaces on ports 8200 (API) and 8201 (cluster).
  • seal: Configures AWS KMS for automatic unseal.

Warning

Disabling TLS (tls_disable = true) is insecure: every token and secret that crosses the API would travel in cleartext. Always enable TLS (tls_disable = false) in production and provide valid certificates.

Production-Ready Configuration Example

Use this HCL template as a starting point for a highly available, production-grade Vault cluster:

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
  token   = "1a2b3c4d-1234-abdc-1234-1a2b3c4d5e6a"
}

listener "tcp" {
  address                  = "0.0.0.0:8200"
  cluster_address          = "0.0.0.0:8201"
  tls_disable              = false
  tls_cert_file            = "/etc/vault.d/client.pem"
  tls_key_file             = "/etc/vault.d/cert.key"
  tls_disable_client_certs = true
}

seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "12345678-abcd-1234-abcd-123456789101"
  endpoint   = "example.kms.us-east-1.vpce.amazonaws.com"
}

api_addr     = "https://vault-us-east-1.example.com:8200"
cluster_addr = "https://node-us-east-1.example.com:8201"
cluster_name = "vault-prod-us-east-1"
ui           = true
log_level    = "INFO"

  • storage.consul: Persists Vault data to a local Consul agent.
  • tls_disable = false: Enforces TLS; the referenced certificate and key files must be valid.
  • seal.awskms.endpoint: Reaches AWS KMS over a VPC endpoint rather than the public internet.
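A practitioner reviewing config files rarely reads them by eye alone. The following script is an added example, not code from the course or from HashiCorp: it parses the small subset of HCL that Vault server configs use (labelled stanzas plus top-level key = value lines) and applies the rules this page states, covering both the warning above about tls_disable and the production template: listener and storage must be present, TLS must stay enabled with a certificate and key configured, a missing seal stanza means manual unseal at every start, and the advertised addresses should be https URLs. The two embedded configs are constructed for the example; BASIC is the page's insecure basic listener on its own, PROD carries the page's production stanzas.

```python
import re

# Constructed sample configs for this example (not from any real deployment).
# BASIC is the page's insecure "basic" listener alone; PROD mirrors its production template.
BASIC_CONFIG = """
listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable     = true    # Do NOT disable TLS in production
}
"""

PROD_CONFIG = """
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
  token   = "1a2b3c4d-1234-abdc-1234-1a2b3c4d5e6a"
}

listener "tcp" {
  address                  = "0.0.0.0:8200"
  cluster_address          = "0.0.0.0:8201"
  tls_disable              = false
  tls_cert_file            = "/etc/vault.d/client.pem"
  tls_key_file             = "/etc/vault.d/cert.key"
  tls_disable_client_certs = true
}

seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "12345678-abcd-1234-abcd-123456789101"
  endpoint   = "example.kms.us-east-1.vpce.amazonaws.com"
}

api_addr     = "https://vault-us-east-1.example.com:8200"
cluster_addr = "https://node-us-east-1.example.com:8201"
ui           = true
"""

STANZA_RE = re.compile(r'^(\w+)\s+"([^"]+)"\s*\{$')   # e.g. listener "tcp" {
ASSIGN_RE = re.compile(r'^(\w+)\s*=\s*(.+)$')          # e.g. ui = true


def _parse_value(raw):
    """HCL scalar -> Python value: quoted string, bool, or the raw token."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw == "true" if raw in ("true", "false") else raw


def parse_vault_config(text):
    """Parse labelled stanzas and top-level assignments into
    {"top": {...}, "stanzas": [(type, label, {params}), ...]}.
    Nested blocks and '#' inside quoted values are not handled (a simplification)."""
    top, stanzas, current = {}, [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if (m := STANZA_RE.match(line)):
            current = (m.group(1), m.group(2), {})
            stanzas.append(current)
        elif line == "}":
            current = None
        elif (m := ASSIGN_RE.match(line)):
            target = current[2] if current is not None else top
            target[m.group(1)] = _parse_value(m.group(2))
        else:
            raise ValueError(f"unparsed line: {line!r}")
    return {"top": top, "stanzas": stanzas}


def lint_vault_config(text):
    """Return (level, message) findings for the rules the page states: listener and
    storage required, TLS on with cert/key, seal present, https advertised addresses."""
    cfg = parse_vault_config(text)
    by_type = {}
    for kind, label, params in cfg["stanzas"]:
        by_type.setdefault(kind, []).append((label, params))
    findings = []
    for required in ("listener", "storage"):
        if required not in by_type:
            findings.append(("ERROR", f"required stanza '{required}' is missing"))
    for label, params in by_type.get("listener", []):
        if params.get("tls_disable") is True:
            findings.append(("ERROR", f'listener "{label}": tls_disable = true, API traffic would be cleartext'))
        elif not (params.get("tls_cert_file") and params.get("tls_key_file")):
            findings.append(("ERROR", f'listener "{label}": TLS on but tls_cert_file/tls_key_file not set'))
    if "seal" not in by_type:
        findings.append(("WARN", "no seal stanza: manual unseal required at every startup"))
    for key in ("api_addr", "cluster_addr"):
        value = cfg["top"].get(key)
        if value is None:
            findings.append(("WARN", f"top-level {key} is not set"))
        elif not str(value).startswith("https://"):
            findings.append(("WARN", f"{key} should be an https:// URL, got {value!r}"))
    return findings


if __name__ == "__main__":
    for name, text in (("basic", BASIC_CONFIG), ("production", PROD_CONFIG)):
        print(name, lint_vault_config(text) or "no findings")
```

Run it before handing a config to vault server -config: the basic listener produces two errors (no storage stanza, TLS disabled) and three warnings (no seal, no api_addr, no cluster_addr), while the production template passes clean. The parser is deliberately narrow; a real deployment pipeline would feed the file through an HCL library and check the same rules against the resulting tree.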

Vault Contents vs. Config File

The Vault configuration file does not manage:

  • Secrets Engines
  • Auth Methods
  • Audit Devices (beyond file/device declaration)
  • Vault Policies, Entities, and Groups

These resources are created inside Vault after initialization and unseal, using the CLI or API.

Summary of Stanzas

Stanza     | Required | Description
-----------|----------|---------------------------------------
listener   | Yes      | API and cluster bindings, TLS settings
storage    | Yes      | Backend for storing Vault data
seal       | No*      | Auto-unseal provider
telemetry  | No       | Metrics publishing settings
audit      | No       | Audit device declarations
database   | No       | Database credentials rotation

*Vault can run without an auto-unseal seal stanza, but manual unseal is required at each startup.
