HCP Vault Operation Tasks
HashiCorp Cloud Platform (HCP) Vault provides access to critical operational tasks, such as sealing the cluster, accessing audit logs, and managing data snapshots.
In this tutorial, you will perform these operational tasks.
NOTE: This tutorial assumes that you created and connected to the HCP Vault cluster in the Create a Vault Cluster on HashiCorp Cloud Platform (HCP) tutorial.
Seal and unseal the Vault cluster
Intrusion detection or data breaches may require you to seal the Vault cluster.
WARNING: Sealing a cluster prevents all access to the cluster until it is unsealed.
NOTE: API lock replaces cluster sealing for HCP Vault deployed to Microsoft Azure. API lock behaves similarly to cluster sealing: it prevents normal Vault operations while still allowing the HCP platform to perform upgrades and snapshots. You can follow the Seal the cluster and Unseal the cluster sections below, following the prompts in the HCP Portal.
Seal the cluster
Under Quick actions, click Seal this cluster.
A Seal Vault? pop-up dialog displays a warning and explanation of the seal operation.
Enter SEAL into the Confirm seal field.
Click Seal to proceed. When it completes, the cluster state changes to Sealed.
Unseal the cluster
Click Unseal this cluster.
A pop-up dialog displays a warning and explanation of the unseal operation.
Enter UNSEAL into the Confirm unseal field.
The Vault cluster unseals. The Vault Overview page displays the Vault configuration and available operations.
Scale an HCP Vault cluster up or down
NOTE: Scaling your HCP Vault cluster to a higher tier will increase the hourly charges for your HCP account. Please review carefully before committing any changes to your HCP Vault cluster.
HCP Vault cluster scaling allows you to scale your cluster up or down to meet organizational needs. You can scale between cluster tiers (e.g. dev to starter, starter to standard) and between cluster sizes within a tier (e.g. standard small to standard medium).
NOTE: HCP Vault clusters can be scaled up from the development tier to a larger tier, however starter, standard, or plus tier clusters cannot be scaled down to the development tier.
Cluster scaling is fully managed by the HashiCorp Cloud Platform and performed with no downtime, meaning you can continue to utilize HCP Vault while the cluster is being scaled up or down. Cluster scaling is available from the HCP Portal and Terraform when using version 0.21.1 or higher of the HCP Terraform provider.
Follow these steps in the HCP Portal to scale your cluster up from the dev tier cluster created in the Create a Vault Cluster on HCP tutorial.
Navigate to the Overview page for your HCP Vault cluster.
Click Manage and then select Edit configuration.
Scroll down to view the Cluster Tier section.
Click the radio button for the tier you want to move to. If you select the Standard tier, the Cluster Size section lists multiple supported sizes; you can scale the cluster up and down between the sizes within a tier, or between tiers, but you cannot scale back down to the Development tier. If you select the Starter tier, Small is the only size available in the Cluster Size section.
The Review changes screen then provides an overview of the requested changes and the pricing difference between the two tiers.
Click Apply changes. You will be returned to the Overview screen.
The cluster will begin updating. This process will take several minutes.
NOTE: If the cluster status section displays the status as Running, refresh the browser window/tab.
Wait for the cluster to complete the scale up process and then move on to the next section.
Preserving Vault data is critical to production operations and particularly for disaster or sabotage recovery purposes. Vault offers a snapshot functionality for the underlying storage to preserve data based on your requirements.
NOTE: Snapshots are not available for development tier clusters.
After completing the Scale an HCP Vault cluster up or down section above, you can follow these steps to manually snapshot your Vault data as needed.
Click Snapshots in the left navigation pane.
The view displays a history of the snapshots created.
Click Create snapshot.
A Create snapshot pop-up dialog displays.
Enter tutorial in the Snapshot name field and click Create snapshot.
The view displays the snapshot history. The latest snapshot is appended to the snapshot list. While the snapshot is in progress it will display a Pending animation in the Status column.
NOTE: The time needed for the snapshot to complete varies and depends largely on the amount of data stored in your Vault cluster.
When the snapshot operation completes the Status changes to Stored.
NOTE: HCP persists the snapshots for up to 30 days after creation, checks every 24 hours, and prunes expired snapshots.
You can use the snapshots to restore data if it ever becomes necessary.
Click the Snapshots link in the left navigation pane.
Click the ellipsis (...) menu next to the tutorial snapshot entry, and choose Restore.
A confirmation dialog appears; enter RESTORE and click Restore snapshot to confirm restoration.
A message will appear informing you the restore process has started.
When you need to delete data snapshots, you can do so by following these steps.
Click the Snapshots link in the left navigation pane.
Click the ellipsis (...) menu next to the tutorial snapshot, and choose Delete.
A confirmation dialog appears; enter DELETE and click Delete snapshot to confirm snapshot deletion.
A Snapshot deleting dialog appears. Once the snapshot is deleted, it no longer appears in the snapshot list.
Access the audit log for troubleshooting
NOTE: Audit logging is not available on Development tier clusters.
Effective troubleshooting of requests and responses to Vault requires access to the audit device logs.
HCP Vault enables a File Audit Device by default. The HCP Portal makes its output available as a downloadable archive covering a one-hour window of Vault requests and responses. These logs may be imported into your preferred tooling for auditing and troubleshooting.
From the Vault cluster overview page, click Audit Logs.
From the Audit logs view, click the Download button within the Download audit logs box. A Download audit logs pop-up dialog displays.
Use the Start date and Start time components to specify the audit log starting position. The log file will cover a 1 hour period after the date and time that you select.
Once you have selected the desired Start date and Start time, click Download audit logs.
When the archive is created, a new Download audit logs pop-up dialog displays, showing the specific time frame covered by the archive.
NOTE: The file is only available to download for 10 minutes; after this time elapses, you must begin the download process from the first step.
Click the download icon.
The downloaded file is gzip compressed. Its filename contains the start and end timestamps of the period it covers (e.g.
Refer to the HCP Vault Monitoring tutorial collection to learn how to stream out your audit logs to Datadog, Grafana Cloud, or Splunk.
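Once the archive is downloaded, a first triage pass usually means counting requests per path and per token accessor and pulling out the failed responses. The following Python script is an added example, not part of the HCP tutorial or of Vault itself. It assumes the archive is gzip-compressed JSON lines in the shape Vault's file audit device writes: one object per line with a type of request or response, a time, the auth and request that triggered it and, for responses, a response object and an error string when the request failed. Vault HMAC-SHA256 hashes tokens and secret values before writing them (the hmac-sha256: prefix), so the script also flags any client token that is not hashed. The sample entries are constructed for this example and abbreviate the hashes; a real log carries 64 hex characters after the prefix.

```python
"""Triage a downloaded HCP Vault audit archive (gzip-compressed JSON lines).

Added example; the entries below are constructed to match the file audit
device format and are not taken from a real cluster.
"""
import gzip
import io
import json
from collections import Counter

HMAC_PREFIX = "hmac-sha256:"  # prefix Vault puts on hashed tokens and secret values


def _entry(kind, when, accessor, token, operation, path, remote, **extra):
    """Build one constructed audit entry in the file-audit-device shape."""
    e = {
        "time": when,
        "type": kind,  # "request" or "response"
        "auth": {"accessor": accessor, "client_token": token,
                 "display_name": "approle", "policies": ["default", "app-read"]},
        "request": {"id": path + "-" + when, "operation": operation, "path": path,
                    "client_token": token, "client_token_accessor": accessor,
                    "remote_address": remote},
    }
    e.update(extra)  # "response" and/or "error" for response entries
    return e


# Constructed sample: two reads by one token (one denied) and a policy update by another.
SAMPLE_ENTRIES = [
    _entry("request", "2024-05-01T10:00:01Z", "hmac-sha256:aaa", "hmac-sha256:111",
           "read", "secret/data/app/db", "10.0.1.23"),
    _entry("response", "2024-05-01T10:00:01Z", "hmac-sha256:aaa", "hmac-sha256:111",
           "read", "secret/data/app/db", "10.0.1.23",
           response={"data": {"data": {"password": "hmac-sha256:222"}}}),
    _entry("request", "2024-05-01T10:00:02Z", "hmac-sha256:aaa", "hmac-sha256:111",
           "read", "secret/data/payments/key", "10.0.1.23"),
    _entry("response", "2024-05-01T10:00:02Z", "hmac-sha256:aaa", "hmac-sha256:111",
           "read", "secret/data/payments/key", "10.0.1.23",
           error="1 error occurred:\n\t* permission denied\n\n"),
    _entry("request", "2024-05-01T10:05:00Z", "hmac-sha256:bbb", "hmac-sha256:333",
           "update", "sys/policies/acl/app-read", "10.0.9.8"),
    _entry("response", "2024-05-01T10:05:00Z", "hmac-sha256:bbb", "hmac-sha256:333",
           "update", "sys/policies/acl/app-read", "10.0.9.8"),
]


def gzip_jsonl(entries):
    """Serialize entries as gzip-compressed JSON lines, like the downloaded archive."""
    text = "".join(json.dumps(e) + "\n" for e in entries)
    return gzip.compress(text.encode("utf-8"))


def load_entries(gz_bytes):
    """Decompress and parse the archive, one JSON object per non-blank line."""
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def summarize(entries):
    """Count requests per path and per token accessor; collect failed responses."""
    s = {"requests": 0, "responses": 0, "paths": Counter(),
         "accessors": Counter(), "errors": []}
    for e in entries:
        req = e.get("request", {})
        if e.get("type") == "request":
            s["requests"] += 1
            s["paths"][req.get("path", "")] += 1
            s["accessors"][e.get("auth", {}).get("accessor", "")] += 1
        elif e.get("type") == "response":
            s["responses"] += 1
            if e.get("error"):  # failed request: (time, operation, path, error)
                s["errors"].append((e.get("time"), req.get("operation"),
                                    req.get("path"), e["error"].strip()))
    return s


def find_unhashed_tokens(entries):
    """Return entries whose client_token is not HMAC-hashed; expected to be empty."""
    bad = []
    for e in entries:
        tokens = [e.get("auth", {}).get("client_token"),
                  e.get("request", {}).get("client_token")]
        if any(t and not t.startswith(HMAC_PREFIX) for t in tokens):
            bad.append(e)
    return bad


if __name__ == "__main__":
    entries = load_entries(gzip_jsonl(SAMPLE_ENTRIES))
    s = summarize(entries)
    print(f"{s['requests']} requests, {s['responses']} responses")
    print("requests per path:", dict(s["paths"]))
    print("requests per accessor:", dict(s["accessors"]))
    for when, op, path, err in s["errors"]:
        print(f"FAILED {when} {op} {path}: {err}")
    print("unhashed tokens:", len(find_unhashed_tokens(entries)))
```

To run this against a real download, replace the call to gzip_jsonl(SAMPLE_ENTRIES) with the bytes of the archive file. Accessors are hashed with the same HMAC key across entries, so counting by accessor still groups a single token's activity even though the token itself is never visible.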
Manage major version upgrades
There are scenarios where major version upgrades of the Vault cluster can potentially affect the behavior of Vault clients. For example, the returned JSON output may contain a new field. These changes may require additional testing or operational updates to leverage the enhanced behaviors.
Customers running HCP Vault on either the Standard or Plus tiers can now manage when the Vault cluster will be upgraded.
NOTE: Major version upgrade settings are available only on the Standard and Plus tiers. To follow this section, first scale your Vault cluster to the Standard or Plus tier.
Log into the HCP Portal and navigate to the Vault Overview page.
Click the cluster ID link for a HCP Vault cluster that is on the Standard or Plus tier.
From the Vault cluster Overview page, click Settings.
Click Edit settings.
You can choose between three options to control when your cluster will be upgraded.
Automatic will upgrade the cluster as new versions of Vault are validated for HCP.
Scheduled allows you to select a day and time window in which the upgrade will be performed.
Manual allows you to initiate the upgrade on any day and at any time of your choosing, but the cluster will be upgraded automatically after 30 days.
Select Manual and click Apply changes.
NOTE: The remainder of these steps are for demonstration purposes only. You can follow these steps after a new version of Vault becomes available.
When a cluster is set to Manual and a new upgrade is detected, you will receive a notification that an upgrade is available, with an Upgrade now button.
HCP Portal users will also receive an email notification that the upgrade is available.
Click Upgrade now. A dialog will appear with a link to the changelog and upgrade guide so you can review any changes that may impact your usage of HCP Vault.
Click Upgrade now to begin the automated upgrade process.
When the upgrade process completes, a new notification will appear with a link to the release notes.
HCP Portal users will also receive an email notification that the upgrade is complete.
You learned how to perform the basic operational tasks for HCP Vault.
The next step is to set up a VPC peering or Transit Gateway connection between your HVN and the VPC in which your applications run. You can set it up manually or via Terraform. Visit the HCP Vault Operations collection to learn how to connect to HCP Vault clusters.
To learn how to monitor your HCP Vault cluster, visit the HCP Vault Monitoring collection.
The Policies collection lists additional tutorials that cover more advanced Vault policy examples.
Vault offers a number of secrets engines. To learn more, visit the Secrets Management collection and learn how to enable and configure secrets engines that you are interested in.
When you are ready to integrate your applications to read secrets from Vault, visit the App Integration collection for examples.