This repository has been deprecated in favor of https://github.com/aws-ia/cfn-ps-hashicorp-vault.
We will archive this repository and keep it publicly available until May 1, 2024.
AWS Quick Start Team
License: Apache License 2.0
Here's the exact error I get:
Parameters: [PublicSubnet3CIDR, PrivateSubnet2CIDR, AccessCIDR, PrivateSubnet1CIDR, PublicSubnet2CIDR, PublicSubnet1ID, PublicSubnet2ID, PrivateSubnet3CIDR, PublicSubnet3ID, PublicSubnet1CIDR] must have values
All those parameters do have values though:
Key | Value
--- | ---
AccessCIDR | 0.0.0.0/0
PrivateSubnet1CIDR | 10.0.0.0/19
PrivateSubnet2CIDR | 10.0.32.0/19
PrivateSubnet3CIDR | 10.0.64.0/19
PublicSubnet1CIDR | 10.0.128.0/20
PublicSubnet2CIDR | 10.0.144.0/20
PublicSubnet3CIDR | 10.0.160.0/20
Almost forgot: I'm kicking this off from https://aws.amazon.com/quickstart/architecture/vault/ and am using the "Deploy into new VPC" option.
I seem to be getting the exact same error when attempting to deploy into our existing VPC. It appears to be an issue creating the ACM certificate. Manually creating the certificate and then defining it also results in the same error.
Values used:
Key | Value
--- | ---
ACMSSLCertificateArn | -
AccessCIDR | 0.0.0.0/0
BastionSecurityGroupID | sg-09346cbab09740be0
DomainName |
HostedZoneID | Z2K7DBB4T367G1
KeyPairName | vault-cluster
LoadBalancerType | Internal
PrivateSubnet1ID | subnet-ff21da88
PrivateSubnet2ID | subnet-6956f30c
PrivateSubnet3ID | subnet-e20f14a4
PublicSubnet1ID | subnet-fc21da8b
PublicSubnet2ID | subnet-7956f31c
PublicSubnet3ID | subnet-e80f14ae
QSS3BucketName | aws-quickstart
QSS3BucketRegion | us-east-1
QSS3KeyPrefix | quickstart-hashicorp-vault/
VPCCIDR | 10.50.0.0/16
VPCID | vpc-51e62f34
VaultAMIOS | CIS-Ubuntu-1604-HVM
VaultClientNodes | 0
VaultClientRoleName | vault
VaultInstanceType | m5.large
VaultKubernetesCertificate | -
VaultKubernetesEnable | FALSE
VaultKubernetesHostURL | https://192.168.99.100:8443
VaultKubernetesJWT | -
VaultKubernetesNameSpace | default
VaultKubernetesPolicies | default
VaultKubernetesRoleName | kube-auth-role
VaultKubernetesServiceAccount | vault-auth
VaultNumberOfKeys | 5
VaultNumberOfKeysForUnseal | 3
VaultServerNodes | 5
VaultVersion | 1.4.0
Any assistance would be very appreciated.
While the documentation states that we should use `vault audit-enable file file_path=/var/log/vault_audit.logstatus` to enable audit logs, it shows a screenshot for Vault1 and does not specify that this should also take place on the standby Vault2.
Updated Architecture diagram
quickstart-hashicorp-vault.template
refers to /etc/cron.hourly/cloudwatch-monitoring.sh, but /etc/cron.hourly is empty.
Reconcile Documentation to update for Vault 1.4.0
Hi there, I used this template to deploy into a new VPC but it keeps getting this error.
I selected the parameter with CIS-Ubuntu-1604-HVM for Vault AMI. Any ideas on what is causing this error, or any troubleshooting steps I should attempt?
Hello,
It would be a nice improvement to have vault with TLS not disabled.
Contrary to the documentation provided with the Quickstart, consul is NOT installed on the Vault servers. This causes Vault startup to fail (it's pointed at 127.0.0.1).
There are only two Vault servers started; the documentation shows three.
There is only one bastion host created; the documentation shows two.
The Vault HA API and Cluster addresses point at an ENI that won't attach.
What gives? This quickstart is nonfunctional as shipping.
Add fetching enterprise packages
Add Input mechanism for enterprise licenses
Ubuntu 16.04 LTS (Long Term Support) period will end on Friday, April 30, 2021
Can we get the template updated to use either Ubuntu 18.04 LTS or Ubuntu 20.04 LTS?
Convert templates from JSON to YAML
Hi,
On step 4 of https://s3.amazonaws.com/quickstart-reference/hashicorp/vault/latest/doc/hashicorp-vault-on-the-aws-cloud.pdf it says to create an ssh tunnel. I did so by doing

```
ssh -L 8200:10.0.3.133:8200 [email protected] -N
```

from the bastion host and received this error from my local machine

```
vault init
Error initializing Vault: Put https://127.0.0.1:8200/v1/sys/init: dial tcp 127.0.0.1:8200: getsockopt: connection refused
```
Reported at Forum link
On step 4 of the pdf - https://s3.amazonaws.com/quickstart-reference/hashicorp/vault/latest/doc/hashicorp-vault-on-the-aws-cloud.pdf
To initialize vault it says to start a ssh tunnel between your workstation and the bastion host.
I just wanted to point out that the sshd config on the bastion host has AllowTcpForwarding set to no, so this step will not work until changing that and restarting ssh.
Wonder if that should be added to the documentation, or the default
Solution:
We should add `"EnableTCPForwarding": "true"` to BastionStack in quickstart-hashicorp-vault-master.template
Vault Update to latest version v1.2.2
Thanks.
We wish to add an ELB
I get the Permission denied (publickey) error when I ssh from bastion host to any of the other instances.
I appear to be having issues with the VaultServerAutoScalingGroup stage.
I also get a similar error when trying to deploy into a new VPC but that is already covered under #57.
Checking into the stack after the error shows that the hosts were built, and they appear healthy in the auto scaling group. Any ideas on what is causing this step to fail, or any troubleshooting steps I should attempt?
Parameters used:

Key | Value
--- | ---
ACMSSLCertificateArn |
AccessCIDR | 0.0.0.0/0
BastionSecurityGroupID | sg-09346cbab09740be0
DomainName | vault.fqdn.com (redacted)
HostedZoneID | REDACTED
KeyPairName | vault-cluster
LoadBalancerType | External
PrivateSubnet1ID | subnet-ff21da88
PrivateSubnet2ID | subnet-6956f30c
PrivateSubnet3ID | subnet-e20f14a4
PublicSubnet1ID | subnet-fc21da8b
PublicSubnet2ID | subnet-7956f31c
PublicSubnet3ID | subnet-e80f14ae
QSS3BucketName | aws-quickstart
QSS3BucketRegion | us-east-1
QSS3KeyPrefix | quickstart-hashicorp-vault/
VPCCIDR | 10.50.0.0/16
VPCID | vpc-51e62f34
VaultAMIOS | CIS-Ubuntu-1604-HVM
VaultClientNodes | 1
VaultClientRoleName | hashicorp-vault-client-role-iam
VaultInstanceType | m5.large
VaultKubernetesCertificate | -
VaultKubernetesEnable | false
VaultKubernetesHostURL | https://192.168.99.100:8443
VaultKubernetesJWT | -
VaultKubernetesNameSpace | default
VaultKubernetesPolicies | default
VaultKubernetesRoleName | kube-auth-role
VaultKubernetesServiceAccount | vault-auth
VaultNumberOfKeys | 5
VaultNumberOfKeysForUnseal | 3
VaultServerNodes | 3
VaultVersion | 1.4.0
As per the Archive Checksum Verification section on https://www.hashicorp.com/security the install_vault function in https://github.com/aws-quickstart/quickstart-hashicorp-vault/blob/master/scripts/functions.sh should be updated with the following.
Some variables and other files will need to be downloaded during installation, so the below is somewhere between bash snippets and pseudocode.
```bash
# HashiCorp release signing public key (elided here)
readonly vault_gpg_key="..."
# Import the key, then check the detached signature over the SHA256SUMS file
echo -e "${vault_gpg_key}" | gpg --import -
gpg --batch --verify "vault_${vault_version}_SHA256SUMS.sig" "vault_${vault_version}_SHA256SUMS"
# Only after the sums file is trusted, compare the downloaded archive against its entry
grep "${vault_filename}" "vault_${vault_version}_SHA256SUMS" | sha256sum -c
```
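The same verification flow as runnable shell functions, added here as an example and not taken from the quickstart's functions.sh. It assumes the caller supplies the HashiCorp release public key as a file, and that the archive name and download URL layout follow releases.hashicorp.com (both assumptions, not values from the page):

```bash
#!/usr/bin/env bash
# Added example, not the quickstart's functions.sh: verify a Vault release archive
# against HashiCorp's signed SHA256SUMS before unpacking it.
# Assumed: the release public key is supplied as a file by the caller, and the
# release URL layout and archive name follow releases.hashicorp.com.

# Import the release key and verify the detached signature over the SHA256SUMS file.
# A bad or missing signature makes gpg exit non-zero, which aborts the install.
verify_sums_signature() {
  local sums="$1" sig="$2" keyfile="$3"
  gpg --batch --import "$keyfile"
  gpg --batch --verify "$sig" "$sums"
}

# Compare one archive with its entry in the (already signature-checked) SHA256SUMS.
# Returns 0 on match, 1 when the entry is missing or the digest differs.
verify_archive_checksum() {
  local sums="$1" archive="$2"
  local name expected actual
  name=$(basename "$archive")
  # SHA256SUMS lines are "<hex digest>  <file name>"; pick the digest for our file
  expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums")
  if [ -z "$expected" ]; then
    echo "no SHA256SUMS entry for $name" >&2
    return 1
  fi
  actual=$(sha256sum "$archive" | awk '{ print $1 }')
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $name" >&2
    return 1
  fi
  return 0
}

# Download, verify, then install; every step aborts the function on failure,
# so an unsigned or tampered archive is never unpacked.
install_vault_verified() {
  local vault_version="$1" keyfile="$2" dest="${3:-/usr/local/bin}"
  local vault_filename="vault_${vault_version}_linux_amd64.zip"
  local sums="vault_${vault_version}_SHA256SUMS"
  local base="https://releases.hashicorp.com/vault/${vault_version}"
  wget -q "${base}/${vault_filename}" "${base}/${sums}" "${base}/${sums}.sig" || return 1
  verify_sums_signature "$sums" "${sums}.sig" "$keyfile" || return 1
  verify_archive_checksum "$sums" "$vault_filename" || return 1
  unzip -o "$vault_filename" -d "$dest"
}
```

Call `install_vault_verified 1.4.0 /path/to/hashicorp.asc` from the bootstrap script in place of the unverified download.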
Add support for Vault 1.6
Adjust the leader election process since this can now be dynamically configured in the vault server config
When launching the hashi vault quickstart for a new VPC I am getting errors during the linux bastion host stage of the overall deployment. The stack for the linux bastion host is erroring out at the BastionAutoScalingGroup resource with the message "Received 1 FAILURE signal(s) out of 1. Unable to satisfy 100% MinSuccessfulInstancesPercent requirement". Even though this message happens the EC2 instance for the AutoScaling group successfully launches.
I have tried launching this quickstart in the us-east-1 and us-west-2 regions with the same results.
I also tried just launching the linux bastion quickstart on its own. I used the same S3 bucket and prefix parameters as the Hashi quickstart is passing in and the quickstart fails with the same error. If I launch the linux bastion quickstart using the default AWS parameters then the quickstart for the linux bastion host launches successfully.
I was able to successfully launch the Hashi vault quickstart back at the beginning of April so have not always seen this error.
Let me know if there is any more info I can provide which will help.
The parameters required for ACM Certificates need to be checked before launching the stack.
This should help others avoid issues like #69.
The next iteration of the Vault reference is a major rewrite and will have significant changes. Let issues detail the suggested approach. Once consensus is reached between @dcallao (HashiCorp) and AWS (@avattathil @gargana), we can move to an alpha sprint.
We wish to automatically generate the SSL certificate within CFN for use with the ELB
Need submodule quickstart-aws-acm-certificate updated to get python37 update
Repo currently points to https://github.com/aws-quickstart/quickstart-aws-acm-certificate/blob/17e712a6989e9fb514b293eb61fd90870f98629a/templates/quickstart-aws-acm-certificate.template.yml#L164
Latest quickstart-aws-acm-certificate has py3 updated:
[Note: my initial report was regarding /etc/awslogs.conf -- this file exists on Vault1, but I looked at /etc/init.d/awslogs and found that /var/awslogs/etc/awslogs.conf is the conf being used.]
The documentation says that CloudWatch Logs will stream to Vault-Audit-Logs but /var/awslogs/etc/awslogs.conf is not set up properly.
On Vault1 it has an empty log_group_name:

```ini
[general]
state_file = /var/awslogs/state/agent-state
[/var/log/syslog]
file = /var/log/vault_audit.logstatus
log_group_name =
log_stream_name = {instance_id}
datetime_format = %b %d %H:%M:%S
```

On Vault2 it has the VAULT_LOG_GROUP token still in place:

```ini
[general]
state_file = /var/awslogs/state/agent-state
[/var/log/syslog]
file = /var/log/vault_audit.logstatus
log_group_name = __VAULT_LOG_GROUP__
log_stream_name = {instance_id}
datetime_format = %b %d %H:%M:%S
```
Convert Vault reference to YAML
Hi,
As this module doesn't use TLS, it is not possible to use TLS authentication. There is an error:
`tls connection is required`
Steps to reproduce:

```powershell
# With PowerShell on Windows
$vaulturl = "https://example.com"
$certpath = "Subject of a client cert in Windows Store"
$secret = "secret/test/test"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Open the LocalMachine personal store read-only and look up the client cert by subject DN
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreName]::My, [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$cert.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$result = $cert.Certificates.Find([System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectDistinguishedName, $certpath, $false)
$cert.Close()
# Log in with the client certificate against the cert auth backend, then read the secret with the returned token
$json = (Invoke-WebRequest -Uri "$vaulturl/v1/auth/cert/login" -Method 'POST' -Certificate $result[0] -UseBasicParsing).Content | ConvertFrom-Json
(Invoke-WebRequest -Headers @{"X-Vault-Token" = $json.auth.client_token} -ContentType "application/json" -Method 'GET' -Uri "$vaulturl/v1/$secret" -UseBasicParsing).Content
```

Output:

```
tls connection is required
```
We would like to deploy Vault in the same VPC for which we would like to have Log group name to be unique.
I am using the quickstart to deploy vault from AWS console, deploy to existing VPC, error on this step:
CopyZipsTemplate | CREATE_FAILED | S3 error: Access Denied For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html
The CloudFormation should create the stack under my role, and the S3 bucket was created under my login, and I have full control of this bucket,
Hi,
The quickstart-hashicorp-vault-master.template is unable to run and rolls back with the following error:
Parameters: [QuickStartS3URL, AvailabilityZones] do not exist in the template
Vault is currently on version 1.5.3. This currently only allows for version 1.4. Possibly add the ability to specify latest as a version?
The echo does not use the correct variable name.
Update to vault 1.4 including best practices
Add ACM SSL Certificate and ALB
Add a raft snapshot after the leader has been bootstrapped.
Enable Kubernetes Auth mechanism on Vault Cluster
Allow for selection of CIS Ubuntu Linux 16.04 LTS Benchmark or a base image
Hello,
I'm attempting to deploy this stack in GovCloud (us-gov-west-1), when entering the template URL (https://aws-quickstart.s3.amazonaws.com/quickstart-hashicorp-vault/templates/quickstart-hashicorp-vault-master.template) and validating the stack via "View/Edit template in Designer", I'm receiving the error:
Cannot open this file because of an error.: https://aws-quickstart.s3.amazonaws.com/quickstart-hashicorp-vault/templates/quickstart-hashicorp-vault-master.template must reference a valid S3 object to which you have access.
When running the stack I get an immediate:
CREATE_FAILED | AWS::CloudFormation::Stack | VPCStack | S3 error: Access Denied ...
I have attempted to create an IAM role for CloudFormation to use with appropriate permissions and that too fails. Any help/pointers would be appreciated. Thanks~
The bootstrap script on Vault instances fails due to missing objects in S3, effectively breaking the entire quickstart CFN deployment.
```
+ wget https://s3.amazonaws.com/aws-quickstart/quickstart-hashicorp-vault/submodules/quickstart-hashicorp-consul/scripts/consul_client_bootstrap.sh
--2019-10-16 17:20:45-- https://s3.amazonaws.com/aws-quickstart/quickstart-hashicorp-vault/submodules/quickstart-hashicorp-consul/scripts/consul_client_bootstrap.sh
Resolving s3.amazonaws.com (s3.amazonaws.com)... 54.231.48.251
Connecting to s3.amazonaws.com (s3.amazonaws.com)|54.231.48.251|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2019-10-16 17:20:45 ERROR 404: Not Found.
+ chmod 755 ./consul_client_bootstrap.sh
chmod: cannot access './consul_client_bootstrap.sh': No such file or directory
```