mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-22 23:21:08 +02:00
Code Issues Projects Releases Wiki Activity
vault/website/content/docs/deploy/run-as-service.mdx
Erica Thompson 0660ea6fac
Update README (#31244) 
* Update README

Let contributors know that docs will now be located in UDR

* Add comments to each mdx doc

Comment has been added to all mdx docs that are not partials

* chore: added changelog

changelog check failure

* wip: removed changelog

* Fix content errors

* Doc spacing

* Update website/content/docs/deploy/kubernetes/vso/helm.mdx

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

---------

Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2025-07-22 08:12:22 -07:00

239 lines
7.0 KiB
Plaintext
Raw Permalink Blame History

---
layout: docs
page_title: Run Vault as a service
description: >-
Configure and deploy Vault as a service for Linux or Windows.
---
> [!IMPORTANT]
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
# Run Vault as a service
Instead of starting your Vault server manually from the command line, you can
configure a service to start Vault automatically.
## Before you start
- **You must install Vault**. You can [use a package manager](/vault/install)
or [install a binary manually](/vault/docs/install/install-binary).
## Step 1: Create a new service
<Tabs>
<Tab heading="Linux shell" group="nix">
<Highlight title="Example tested on Ubuntu 22.04">
The following service definition is a simpler version of the `vault.service`
example in the Vault GitHub repo: [vault/.release/linux/package/usr/lib/systemd/system/vault.service](https://github.com/hashicorp/vault/blob/main/.release/linux/package/usr/lib/systemd/system/vault.service)
</Highlight>
1. Set the `VAULT_CONFIG` environment variable to your Vault configuration
directory. The default configuration directory is `/etc/vault.d`:
```shell-session
$ VAULT_CONFIG=/etc/vault.d
```
1. Confirm the path to your Vault binary:
```
$ VAULT_BINARY=$(which vault)
```
1. Create a `systemd` service called `vault.service` that uses the Vault
binary:
```shell-session
$ sudo tee /lib/systemd/system/vault.service <<EOF
[Unit]
Description="HashiCorp Vault"
Documentation="https://developer.hashicorp.com/vault/docs"
ConditionFileNotEmpty="${VAULT_CONFIG}/vault.hcl"
[Service]
User=vault
Group=vault
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=${VAULT_BINARY} server -config=${VAULT_CONFIG}/vault.hcl
ExecReload=/bin/kill --signal HUP
KillMode=process
KillSignal=SIGINT
[Install]
WantedBy=multi-user.target
EOF
```
1. Change the permissions on `/lib/systemd/system/vault.service` to `644`:
```shell-session
$ sudo chmod 644 /lib/systemd/system/vault.service
```
</Tab>
<Tab heading="Powershell" group="ps">
The Windows binary for Vault does not support the Windows Service Application
API. To run Vault as a service, you must use a Windows service wrapper. You can
use whatever wrapper is appropriate for your environment, but the easiest we
have found is `nssm`.
1. Download and install [`nssm`](https://nssm.cc/) manually or install the
package with [Chocolatey](https://chocolatey.org/):
```powershell
choco install nssm
```
1. Set a `VAULT_HOME` environment variable to your preferred Vault home
directory. For example, `c:\Program Files\Vault`:
```powershell
$env:VAULT_HOME = "${env:ProgramFiles}\Vault"
```
1. Use `nssm` to create a new Windows service:
```powershell
nssm install MS_VAULT "${env:VAULT_HOME}\vault.exe"
```
1. Set the working directory for your Vault installation:
```powershell
nssm set MS_VAULT AppDirectory "${env:VAULT_HOME}" ; `
nssm set MS_VAULT AppParameters "server -config Config\vault.hcl"
```
1. Define the runtime parameters for Vault, including the
`-config` flag with the relative path to your Vault configuration file, for
example `Config\vault.hcl`:
```powershell
nssm set MS_VAULT AppDirectory "${env:VAULT_HOME}" ; `
nssm set MS_VAULT AppParameters "server -config Config\vault.hcl"
```
1. Set the display name and description for the "Services"
management console:
```powershell
nssm set MS_VAULT DisplayName "Vault Service" ; `
nssm set MS_VAULT Description "Vault server running as a service"
```
1. Set the startup type for your service. We recommend setting startup to
"Manual" until you confirm the service is working as expected:
```powershell
nssm set MS_VAULT Start SERVICE_DEMAND_START
```
1. Configure the service to pipe information from `stdout` and `stderr` to files
under your logging directory, for example `${env:VAULT_HOME}\Logs`:
```powershell
nssm set MS_VAULT AppStdout "${env:VAULT_HOME}\Logs\vault-stdout.log" ; `
nssm set MS_VAULT AppStderr "${env:VAULT_HOME}\Logs\vault-error.log"
```
1. Optionally, you can use the `AppEnvironmentExtra` parameter to set relevant
variables for the service environment. For example, to set the `VAULT_ADDR`
environment variable:
```powershell
nssm set MS_VAULT AppEnvironmentExtra `$env:VAULT_ADDR=https://localhost:8200
```
1. Confirm your Vault service settings with `nssm`:
```powershell
nssm dump MS_VAULT | Foreach {$_ -replace '.+nssm\.exe ',''}
```
</Tab>
</Tabs>
## Step 2: Start the new service
<Tabs>
<Tab heading="Linux shell" group="nix">
1. Reload the `systemd` configuration:
```shell-session
$ sudo systemctl daemon-reload
```
1. Start the Vault service:
```shell-session
$ sudo systemctl start vault.service
```
1. Verify the service status:
```shell-session
$ systemctl status vault.service
vault.service - "HashiCorp Vault"
Loaded: loaded (/lib/systemd/system/vault.service; disabled; vendor preset: enabled)
Active: active (running) since Thu 2024-09-05 13:58:45 UTC; 4s ago
Docs: https://developer.hashicorp.com/vault/docs
Main PID: 3145 (vault)
Tasks: 8 (limit: 2241)
Memory: 23.6M
CPU: 200ms
CGroup: /system.slice/vault.service
└─3145 /usr/bin/vault server -config=/etc/vault.d/vault.hcl
```
</Tab>
<Tab heading="Powershell" group="ps">
<Highlight title="Use Powershell commands or wrapper commands to manage your service">
Once you create the service, you can control it using standard `*-Service`
cmdlets **or** the relevant commands for the associated wrapper. For example,
to control the service with `nssm` use `nssm start MS_VAULT`.
</Highlight>
1. Start the Vault service::
```powershell
Start-Service -Name MS_VAULT
```
1. Confirm service status:
```powershell
Get-Service -Name MS_VAULT
Status Name DisplayName
------ ---- -----------
Running MS_VAULT Vault Service
```
</Tab>
</Tabs>
## Step 3: Verify the service is running
To confirm the service is running and your Vault service is available, open the
Vault GUI in a browser at the default address:
[http://localhost:8200](http://localhost:8200)
## Related tutorials
The following tutorials provide additional guidance for installing Vault and
production cluster deployment:
- [Day One Preparation](/vault/tutorials/day-one-raft)
- [Recommended Patterns](/vault/tutorials/recommended-patterns)
Reference in New Issue View Git Blame Copy Permalink