Questions? Pop in our slack channel!
This BOSH release packages the excellent Vault software from HashiCorp, so that you can run your own secure credentials storage vault on your BOSH infrastructure, today!
Before you can start spinning up a vault, you will need to upload the BOSH release to your director:
bosh target
bosh upload release
You can create a small, working manifest file from this git repository:
git clone
cd vault-boshrelease
./templates/make_manifest warden
bosh -n deploy
Vault should be up and running at, but it still needs some manual setup, due to security precautions.
First, you need to initialize the vault:
export VAULT_ADDR=
vault init
This generates a root encryption key for encrypting all of the secrets. At this point, the vault is sealed, and you will need to unseal it three times, each time with a different one of the unseal keys that `vault init` printed:
vault unseal
vault unseal
vault unseal
Once unsealed, your vault should be ready for authentication with your initial root token:
vault auth
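The init/unseal/auth steps above are manual; here is an added example (not from the vault-boshrelease README) that scripts them by parsing the classic `vault init` text output, refusing to proceed unless enough distinct unseal keys are present, and feeding exactly the threshold number of keys to `vault unseal`. The sample output and its key/token values are constructed placeholders, and `VAULT_CMD` is an assumed hook for pointing at another binary or a shell function.

```shell
#!/bin/sh
# Added example: script the manual init/unseal steps. Assumes the classic
# `vault init` text output ("Unseal Key N: ...", "Initial Root Token: ...",
# and a "Vault initialized with N keys and a key threshold of T." summary).
set -eu

# Constructed sample of `vault init` output; key and token values are placeholders.
SAMPLE_INIT_OUTPUT='Unseal Key 1: KEY-ONE-PLACEHOLDER
Unseal Key 2: KEY-TWO-PLACEHOLDER
Unseal Key 3: KEY-THREE-PLACEHOLDER
Unseal Key 4: KEY-FOUR-PLACEHOLDER
Unseal Key 5: KEY-FIVE-PLACEHOLDER
Initial Root Token: ROOT-TOKEN-PLACEHOLDER

Vault initialized with 5 keys and a key threshold of 3.'

# Print the unseal keys, one per line, in the order vault init listed them.
unseal_keys() {
  printf '%s\n' "$1" | sed -n 's/^Unseal Key [0-9]*: //p'
}

# Print the initial root token (what the README passes to `vault auth`).
root_token() {
  printf '%s\n' "$1" | sed -n 's/^Initial Root Token: //p'
}

# Print the key threshold: how many distinct keys an unseal needs.
key_threshold() {
  printf '%s\n' "$1" | sed -n 's/.*key threshold of \([0-9]*\)\..*/\1/p'
}

# Feed `threshold` distinct keys to `vault unseal`, as the README does by hand,
# and print how many were used. Fails before touching Vault if the init output
# lacks enough distinct keys (repeating one key does not count). VAULT_CMD is
# an assumed hook: another binary or a shell function for a dry run.
unseal_from_init() {
  init_output=$1
  threshold=$(key_threshold "$init_output")
  distinct=$(unseal_keys "$init_output" | awk '!seen[$0]++' | wc -l | tr -d ' ')
  if [ "$distinct" -lt "$threshold" ]; then
    echo "need $threshold distinct unseal keys, init output has $distinct" >&2
    return 1
  fi
  n=0
  for key in $(unseal_keys "$init_output" | awk '!seen[$0]++' | head -n "$threshold"); do
    "${VAULT_CMD:-vault}" unseal "$key" >/dev/null
    n=$((n + 1))
  done
  echo "$n"
}
```

Against a live deployment, call `unseal_from_init "$(vault init)"` with `VAULT_ADDR` exported as above; the root token is then available via `root_token` for `vault auth`.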
Now, you can put secrets in the vault, and read them back out:
vault write secret/handshake knock=knock
vault read secret/handshake
You may want to look at safe, an alternative command-line utility for Vault that provides higher-level abstractions like tree-based listing, secret generation, secure terminal password entry, etc.
If you put important things in your Vault, you want it to be available, so you can get those important things back out again.
Enter High Availability.
The easiest way to do high availability is to run 3 or more nodes, and use the Consul backend. To do that, you're going to need to load the Consul BOSH release from the Cloud Foundry Community:
bosh upload release
(Having, of course, targeted your BOSH director first. You did target your BOSH director first, right?)
Then, just add the consul-y bits to your deployment manifest. Here's a barebones (working) example to get you started:
name: ha-vault
- name: vault
instances: 3
resource_pool: vault
persistent_disk: 4096
- name: vault
static_ips: &ips
- { release: vault, name: vault }
- { release: consul, name: consul }
join_hosts: *ips
use_consul: true
Cloud Foundry developers and users can also access the multi-tenant Vault deployment via the Cloud Foundry service broker, vault-broker.
Once you have deployed vault once, initialized it, and obtained the token, you can now re-deploy Vault with the token to enable the service broker:
export VAULT_TOKEN=<TOKEN FROM vault init>
./make_manifest warden
bosh deploy
The service broker is now running on
and has default credentials vault:vault
As an example, to register it with Cloud Foundry running on the same bosh-lite:
cf create-service-broker vault vault vault