Enabling encryption with the token authentication using HashiCorp Vault(manual part)

Configure token settings in vault server.


  1. Enable the Key/Value (KV) backend path in Vault. Run the following command for Vault KV secret engine API, version 2, as it supports only version 2.
    vault secrets enable -path=odf kv-v2
    This is a one time settings. You can get the token from vault administrator directly, or you can login vault server and create a token with following steps. Use an unique path name as the backend path that follows the naming convention. You cannot change it later.
    Note: The example uses backend path odf.
  2. Create a policy with certain permission on the secret using the following commands.
    echo '
    path "odf/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    path "sys/mounts" {
    capabilities = ["read"]
    }'| vault policy write odf -
  3. Create a token matching the policy.
    vault token create -policy=odf -format json

    Example output:

    Take a note for the auth.client_token

    # vault token create -policy=odf -format json
    "request_id": "e7103f23-c67c-2412-77b0-b92a728fd5fd",
    "lease_id": "",
    "lease_duration": 0,
    "renewable": false,
    "data": null,
    "warnings": null,
    "auth": {
        "client_token": "hvs.CAESILkFSEnBgMgE0JxdbnBf_VUPxlvhCPTBBdx30jlbMfiMGh4KHGh2cy5QeFZVWnhOWGMxdlhvSU5YU0tNRjBBVGo",
        "accessor": "IFNbUOwWAzg5cyiUZGVlvf5o",
        "policies": [
        "token_policies": [
        "identity_policies": null,
        "metadata": null,
        "orphan": false,
        "entity_id": "",
        "lease_duration": 2764800,
        "renewable": true,
        "mfa_requirement": null