Stepping Up My Game With Vault Operations Professional

Posted on Mar 22, 2022 | By Elif Samedin | 10 minutes read

HashiCorp has recently announced the new Vault Operations Professional exam. What makes this one different from its ‘sibling’ (Vault Associate) is that it is mainly hands-on.

I was invited to participate in the Beta phase of this and took the exam mid-January. I’d say it is a tough one, however highly rewarding. 4 hours. Several scenarios to tackle in order to complete the requirements or to answer certain questions based on the provided environment.

HashiCorp Certified: Vault Operations Professional Badge

What Does It Look Like?

Vault Operations Professional is designed for Cloud Engineers who have comprehensive knowledge in deploying, configuring, managing, and monitoring Vault cluster(s) in a production environment. It is recommended to have either passed the Vault Associate Certification or to have some experience in administering Vault, because the objectives of Vault Operations Professional build on top of those of the Associate exam.

The prerequisites of this include:

  • Basic Linux commands. One should be able to understand and use essential tools for handling files.
  • Basic Networking skills.
  • Basic container management operations.

The objectives of Vault Operations Professional Certification are mainly comprised of:

  1. Create a working Vault server configuration given a scenario
  2. Monitor a Vault environment
  3. Employ the Vault security model
  4. Build fault-tolerant Vault environments
  5. Understand the hardware security module (HSM) integration
  6. Scale Vault for performance
  7. Configure access control
  8. Configure Vault Agent

Each of these is further detailed in the Review Guide.

One should expect three types of questions:

  • Hands-on

There are 4 scenarios, each of which will ask you to perform certain actions on the provided environments.

  • Multiple-Choice Questions (MCQ)

You are expected to select only the correct answer(s) from the provided options.

  • ‘Hybrid’ Questions

You are expected to inspect the provided environment in order to get the correct answer(s) to the multiple-choice question.

Getting Ready…

I started working with HashiCorp Vault about a year ago. Firstly, I regarded it only as Guardian of the Secrets. However, it’s not only that.

Driven by both curiosity and need, I did start getting to know better how to use Vault to the fullest and how to integrate it into my day-to-day activities.

You may ask yourself why take an exam, why spend both effort and time in order to study for it. And these are valid questions. However, it’s not about the destination, it’s the journey that’s far more important.

In my opinion, such a journey is about refining technical knowledge and skills and gaining a better understanding about modern Infrastructures.

As you can imagine, the real challenge of the Vault Operations Professional Certification centers on the 4 hands-on scenarios the candidate is to complete. These are based on:

Initializing a Vault node using Integrated Storage

In order to practice this objective, I have developed my own setup based on Ansible, Packer and Terraform.

HA Vault Enterprise Cluster

I have used Packer in order to build a Golden Image with Vault pre-installed and I have deployed this image using Terraform. In the end, I got an HA Vault (Enterprise) Cluster with 3 nodes. I have discussed a closely similar setup at the Softbinator Foundation Talk #156.

The above setup could use either the open-source or Enterprise versions of Vault. However, as the objectives also revolve around the Enterprise features, I would encourage you to request a 30-day Free Trial License.
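The cluster described above, as an added example that is not the author's Ansible, Packer or Terraform code: a script that renders a per-node server configuration using Integrated Storage (the raft storage backend, with `retry_join` so each node can find the others), then initializes and unseals the first node. The hostnames, IP addresses, TLS paths and the Enterprise license path are assumptions for illustration; the `vault` CLI calls run only when the binary is installed.

```shell
# Added example, not the post's own setup. Renders vault.hcl for one member of a
# 3-node Integrated Storage cluster and initialises/unseals the first node.
set -eu

# Render the server configuration for one node.
# $1 = raft node_id, $2 = this node's IP (both assumed values in the tests).
render_raft_config() {
  node_id="$1"
  node_ip="$2"
  cat <<EOF
ui            = true
disable_mlock = true   # recommended when Integrated Storage is the backend

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "${node_id}"

  # assumed addresses of the three cluster members; a node retries these on start
  retry_join { leader_api_addr = "https://vault-1.example.internal:8200" }
  retry_join { leader_api_addr = "https://vault-2.example.internal:8200" }
  retry_join { leader_api_addr = "https://vault-3.example.internal:8200" }
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/vault.crt"   # assumed paths
  tls_key_file  = "/opt/vault/tls/vault.key"
}

api_addr     = "https://${node_ip}:8200"
cluster_addr = "https://${node_ip}:8201"

# Vault Enterprise reads the (trial) license from this file; path is assumed
license_path = "/opt/vault/vault.hclic"
EOF
}

# Initialise the first node with 5 Shamir shares (3 required), store the JSON
# output, and unseal with three of the keys. Skips cleanly if the CLI is absent.
init_and_unseal() {
  out_file="${1:-init.json}"
  if ! command -v vault >/dev/null 2>&1; then
    echo "vault CLI not found; skipping 'vault operator init'" >&2
    return 0
  fi
  vault operator init -key-shares=5 -key-threshold=3 -format=json > "$out_file"
  chmod 600 "$out_file"   # the file holds the root token and all unseal keys
  for i in 0 1 2; do
    key=$(jq -r ".unseal_keys_b64[$i]" "$out_file")
    vault operator unseal "$key" >/dev/null
  done
  vault status -format=json | jq -r '.sealed'   # "false" once the node is unsealed
}

# Sanity check used below: how many retry_join targets a rendered config carries.
count_retry_join() {
  render_raft_config "$1" "$2" | grep -c 'retry_join'
}
```

Render the file for each node with its own `node_id` and IP (for example `render_raft_config vault-1 10.0.0.11 > /etc/vault.d/vault.hcl`), start `vault server -config=/etc/vault.d/vault.hcl` on all three, run `init_and_unseal` against the first node only, and then unseal the remaining nodes with the same keys; they join the raft cluster through `retry_join`. Treat `init.json` as the most sensitive artifact of the whole build.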

Authentication Methods and Secret Engines

This is a broad objective, as Vault has a multitude of auth methods. Moreover, despite the fact that the Study Guide does not clearly mention this, the token concept is of the utmost importance, because the token auth method is automatically mounted at the /auth/token path. Additionally, when a client authenticates with Vault using any other auth method, Vault creates a new unique token for that client by invoking the token auth method.

The Vault Associate Certification covers these concepts to the extent needed to validate a certain working knowledge. However, Vault Operations Professional takes it further, and the candidate is expected to be able to properly manage tokens within Vault.

My recommendation is to practice extensively how:

  • to generate various types of tokens, e.g. tokens with a certain use limit, short-lived tokens, periodic service tokens, orphan tokens, batch tokens,
  • to renew service tokens, and
  • to revoke service tokens.

And as authentication and authorization are two tightly coupled and interrelated concepts, you should be able to write both ‘traditional’ ACL Policies and Sentinel Policies which grant or restrict access to certain paths and operations within Vault.
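The token drills and the ACL policy writing recommended above, as an added example that is not part of the post: a least-privilege ACL policy for an application, the `vault token create` variants for each token type listed (use-limited, short-lived, periodic, orphan, batch), followed by a renew, a revoke and a lookup. The policy name `myapp-ro`, the secret paths and the file names are assumptions; the CLI calls only run when `vault` is installed and `VAULT_ADDR` and `VAULT_TOKEN` are set.

```shell
# Added example, not the author's code. Policy and token drills for the
# "Authentication Methods and Secret Engines" objective.
set -eu

# Least-privilege policy: read one KV v2 secret, manage only the token's own
# lifecycle, and explicitly deny a sibling path. Names and paths are assumed.
render_app_policy() {
  cat <<'EOF'
# read-only access to the application's own secret (KV v2 data path)
path "secret/data/myapp/config" {
  capabilities = ["read"]
}

# the client may renew and revoke the token it was issued, nothing else
path "auth/token/renew-self" {
  capabilities = ["update"]
}
path "auth/token/revoke-self" {
  capabilities = ["update"]
}

# an explicit deny takes precedence over any broader grant on another policy
path "secret/data/myapp/admin" {
  capabilities = ["deny"]
}
EOF
}

vault_ready() {
  command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ] && [ -n "${VAULT_TOKEN:-}" ]
}

token_drills() {
  vault_ready || { echo "vault not reachable; skipping token drills" >&2; return 0; }

  # '-' makes 'vault policy write' read the policy document from stdin
  render_app_policy | vault policy write myapp-ro -

  # 1. service token that expires after two uses, whatever its TTL
  vault token create -policy=myapp-ro -use-limit=2 -field=token > use-limited.tok
  # 2. short-lived service token; the explicit max TTL caps how far renewals can go
  vault token create -policy=myapp-ro -ttl=5m -explicit-max-ttl=30m -field=token > short.tok
  # 3. periodic token: renewable indefinitely as long as it is renewed within each period
  vault token create -policy=myapp-ro -period=24h -field=token > periodic.tok
  # 4. orphan token: not revoked when its parent token is revoked
  vault token create -policy=myapp-ro -orphan -field=token > orphan.tok
  # 5. batch token: not persisted, cannot be renewed or revoked, cheap to issue
  vault token create -policy=myapp-ro -type=batch -ttl=10m -field=token > batch.tok

  # renew the short-lived token once, then revoke it; a revoked token fails lookup
  vault token renew -increment=10m "$(cat short.tok)" >/dev/null
  vault token revoke "$(cat short.tok)"
  vault token lookup "$(cat short.tok)" 2>/dev/null && echo "unexpected: token still valid" >&2

  # the periodic token's attributes: type, period, renewable flag and current ttl
  vault token lookup -format=json "$(cat periodic.tok)" | jq '.data | {type, period, renewable, ttl}'

  rm -f use-limited.tok short.tok periodic.tok orphan.tok batch.tok
}

# Sanity check used below: number of path rules in the rendered policy.
count_policy_paths() {
  render_app_policy | grep -c '^path "'
}
```

Writing the tokens to files here only keeps the drill readable; in practice prefer `-field=token` piped straight into the consumer, or let Vault Agent handle the token (see the Agent section), so that no long-lived copy sits on disk.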

Vault Enterprise Replication

The purpose of Replication is to enable organizations to scale horizontally and to have a Disaster Recovery (DR) strategy in place.

You should be able to set up both Disaster Recovery and Performance Replication and decide which one is suitable in a certain case.

Vault Agent and Templating

This is by far one of the topics I have enjoyed the most because this client-side daemon aids in the interaction of our applications with Vault by providing the following functionalities:

  • Automatic authentication to Vault (a process known as auto-auth)
  • Lifecycle management of the tokens received from auto-auth. This includes renewal of the token and re-authentication in case this has reached its maximum TTL and can no longer be renewed.

auto_auth {
    method "kubernetes" {
        mount_path = "auth/kubernetes"
        config = {
            role = "example"
        }
    }

    sink "file" {
        config = {
            path = "/home/vault/.vault-token"
        }
    }
}

  • Render either dynamic or static secrets to files using templates

template {
    destination = "/etc/secrets/index.html"
    contents = <<EOT
<html>
<body>
<p>Some secrets:</p>
{{- with secret "secret/myapp/config" }}
<ul>
<li><pre>Username: {{ .Data.username }}</pre></li>
<li><pre>Password: {{ .Data.password }}</pre></li>
</ul>
{{ end }}
</body>
</html>
EOT
}

I’m not going to thoroughly explain all the features that the Vault Agent provides us with. This might actually be the subject of another article.

However, I’ll point you to the Take Control of Your Data by Integrating Hashicorp Vault repository where I have explored in depth how to leverage the Vault Agent in the Kubernetes ecosystem.

One of the reasons behind this is that by default, secrets in Kubernetes are stored in plain text in etcd. Depending on the circumstances, this may pose a significant risk, because anyone with cluster administration privileges will be able to read all the secrets in the cluster. And I’ve said enough! I’ll let you find out how Vault Agent addresses this concern.
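A complete Agent configuration that joins the auto_auth and template fragments shown above, as an added example that is neither the author's configuration nor code from the linked repository. The Vault address, the Kubernetes auth role `myapp` and the file paths are assumptions. It also covers one detail the fragments above do not: the template reads a KV version 2 secret, whose values sit under `.Data.data.<key>`, whereas `.Data.<key>` (as in the snippet above) is the KV version 1 layout.

```shell
# Added example, not the author's configuration. Renders a full Vault Agent
# config (auto-auth via Kubernetes, file sink, KV v2 template) and runs the agent.
set -eu

render_agent_config() {
  vault_addr="${1:-https://vault.example.internal:8200}"   # assumed address
  cat <<EOF
vault {
  address = "${vault_addr}"
}

# keep running after the first login so the token is renewed and templates refreshed
exit_after_auth = false
pid_file        = "/home/vault/agent.pid"

auto_auth {
  method "kubernetes" {
    mount_path = "auth/kubernetes"
    config = {
      role = "myapp"   # assumed Kubernetes auth role bound to the pod's service account
    }
  }

  # the token is shared with other processes through this file; restrict its mode
  sink "file" {
    config = {
      path = "/home/vault/.vault-token"
      mode = 0600
    }
  }
}

template_config {
  exit_on_retry_failure = true   # fail loudly rather than keep serving a stale file
}

# KV v2: the secret's fields live under .Data.data, not .Data
template {
  destination = "/etc/secrets/app.env"
  perms       = "0600"
  contents    = <<EOT
{{- with secret "secret/data/myapp/config" }}
DB_USERNAME={{ .Data.data.username }}
DB_PASSWORD={{ .Data.data.password }}
{{- end }}
EOT
}
EOF
}

# Write the config and start the agent in the foreground (skips if no CLI).
run_agent() {
  config="${1:-agent.hcl}"
  render_agent_config > "$config"
  command -v vault >/dev/null 2>&1 || { echo "vault CLI not found; wrote $config only" >&2; return 0; }
  vault agent -config="$config"
}

# Sanity check used below: number of KV v2 field references in the template.
count_kv2_refs() {
  render_agent_config | grep -c '\.Data\.data\.'
}
```

With this in place the application never talks to Vault or handles a token itself: it reads `/etc/secrets/app.env`, which the Agent keeps current as the secret or the lease changes, and the token in the sink file is readable only by the Agent's user.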

Wrapping it Up…

The Vault Operations Professional objectives cover many topics related to both open-source and Enterprise versions and one needs extensive hands-on experience with implementing and maintaining Vault cluster(s) in a production environment.

As the examination is mainly hands-on, it represents a shift from what HashiCorp has done until now regarding the certifications it has developed. In my opinion, by adopting such an approach, HashiCorp aims to vet highly skilled professionals and build a Community of Excellence governed by the Tao of HashiCorp.
