DEV Community

Cover image for Setup Vault in HA with MySQL backend in 10 minutes | Hashicorp | Tutorial | Tharun
Tharun Shiv
Tharun Shiv

Posted on

Setup Vault in HA with MySQL backend in 10 minutes | Hashicorp | Tutorial | Tharun

How to set up Vault in High Availability ( HA mode ) with MySQL as storage backend

In this tutorial we will look at how we can use MySQL as a backend to Vault. This setup will involve end to end TLS. We have already seen how to setup Vault with TLS frontend. We also saw how we can setup MySQL with TLS frontend. In this tutorial, we will look at how we can use TLS Enabled MySQL as a storage backend to Vault. This is a complete secure production setup.

Tutorial on how to setup Vault Dev & Production mode:

Tutorial on how to setup TLS/SSL enabled MySQL/MariaDB:

Create Vault user in MySQL

The Vault service needs credentials to login into MySQL server in order to store data and metadata in a backend. We will create this user in MySQL now.

mysql -uroot -p --ssl-ca=/etc/mysql/certs/ca.pem
<Enter password>
Enter fullscreen mode Exit fullscreen mode
# create user
CREATE USER '<vault-mysql-username>'@'%' IDENTIFIED BY '<vault-mysql-password>';

# grant privileges
GRANT ALL PRIVILEGES ON vault.* TO '<vault-mysql-username>'@'%';
Enter fullscreen mode Exit fullscreen mode

MySQL Bind Address

When setting up Vault, I came across difficulties bringing up the Vault server. I have listed the challenges and solution at the end of this post. One point I would like to address is the MySQL Bind address. This configuration of MySQL defines to which network interface the MySQL process binds to / listens on. The other clients such as Vault will be able to access MySQL by sending requests to this particular interface only.

We have seen where to set this in the below tutorial

MySQL CA Pem file

Vault server needs the CA.pem of the MySQL server that we used in the MySQL TLS setup tutorial. Copy that to a directory that vault can access

cp ~/certs/ca.pem /opt/vault/tls/mysql-ca.pem

chown -R vault: /opt/vault/tls
Enter fullscreen mode Exit fullscreen mode

Vault config

In the above tutorials we have setup Vault, now let us configure it to use MySQL Backend.


ui = true ## or false

# MySQL backend config
storage "mysql" {
  ha_enabled = "true"
  address = "<mySQL-hostname>:3306"
  username = "<vault-mysql-username>"
  password = "<vault-mysql-password>"
  database = "<vault-mysql-database>"
  #plaintext_connection_allowed = "true" #non-TLS mysql
  #path to CA.pem to verify MySQL SSL
  tls_ca_file = "<path-to-mysql-ca-pem>" 

# Vault server listen configuration
listener "tcp" {
  address       = "<vault-hostname/IP>:8200"
  tls_cert_file = "<path-to-vault-tls-cert>"
  tls_key_file  = "<path-to-vault-tls-key>"

# the address to advertise for HA purpose
Enter fullscreen mode Exit fullscreen mode

Restart Vault

Now we can go ahead export the Vault variables and restart the vault server

export VAULT_ADDR="https://<vault-server>:8200"
export VAULT_CACERT="<path-to-vault-tls-cert>"

# make sure MySQL is running and listening

# now restart / start Vault
service vault start 

# or
service vault restart

# check Vault server logs
journalctl -u vault.service 

# check Vault status
vault status
Enter fullscreen mode Exit fullscreen mode

We have successfully setup Vault with TLS frontend, TLS MySQL backend, thereby securing Vault end to end making it a perfect Production setup.

Although there are 18 ways in which a Hashicorp Vault server can be attacked, and I have covered it in the below Video

Thank you for reading, This is Tharun Shiv a.k.a Developer Tharun

Tharun Shiv

You can find more articles here:

Roadrunners is a series that is aimed at delivering concepts as precisely as possible. Here, a roadrunner is referred to as a person who does things super fast & efficiently. Are you a roadrunner?

Thank you

Discussion (1)