Skip to main content
In this tutorial, you’ll use Packer to bake a custom Amazon Machine Image (AMI) with Vault 1.7.1 pre-installed. We’ll walk through cloning the repo, configuring the Packer template, downloading Vault, building the AMI, and launching an EC2 instance.
The image shows a GitHub repository page for "btkrausen/hashicorp," featuring folders and files related to HashiCorp projects and training. The repository includes recent commits and a README file describing its purpose.
This repository (github.com/bryankrausen/hashicorp) contains all my HashiCorp training content—Terraform, Vault, Packer, and more—plus discount links and coupons.
The image shows a list of discounted training courses related to HashiCorp, with details such as course links, coupon codes, prices, and validity dates.

Repository Structure

Navigate to the vault/packer directory. You’ll find: ‐ vault.pkr.hcl: Packer HCL2 template
files/: Vault configuration examples
The image shows a GitHub repository page for "hashicorp/vault/packer" with files related to a Packer build for Vault. It includes a file named "vault.pkr.hcl" and a folder named "files."
Inside files/:
FilenameDescription
vault.hclVault server configuration
vault.servicesystemd unit file for Vault
vault_int_storage.hclExample using integrated storage
The image shows a GitHub repository page for "hashicorp/vault/packer/files" with three files listed: "vault.hcl," "vault.service," and "vault_int_storage.hcl," all updated 23 hours ago.

1. Download Vault 1.7.1

Head to the official release page and grab the Linux ZIP: 
https://releases.hashicorp.com/vault/1.7.1/vault_1.7.1_linux_amd64.zip
Example listing on the download page: 
vault_1.7.1_SHA256SUMS
vault_1.7.1_linux_amd64.zip
vault_1.7.1_darwin_amd64.zip
Make sure to verify the SHA256 checksum to ensure file integrity.

2. Configure the Packer Template

Open vault.pkr.hcl and define:
  1. Variables (AWS region, VPC/Subnet IDs, path to Vault ZIP)
  2. Data source for Amazon Linux 2 AMI
  3. amazon-ebs source block
  4. Provisioners to upload and install Vault
variable "aws_region" {
  type    = string
  default = env("AWS_REGION")
}

variable "vault_zip" {
  type    = string
  default = "/path/to/vault_1.7.1_linux_amd64.zip"
}

variable "vpc_id" {
  type    = string
  default = "vpc-xxxx"
}

variable "subnet_id" {
  type    = string
  default = "subnet-xxxx"
}

data "aws_ami" "amazon_linux_2" {
  most_recent = true
  owners      = ["amazon"]

  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
  }
}

source "amazon-ebs" "vault-amzn2" {
  region                      = var.aws_region
  ami_name                    = "vault-amazonlinux2-{{timestamp}}"
  instance_type               = "t2.micro"
  source_ami                  = data.aws_ami.amazon_linux_2.id
  ssh_username                = "ec2-user"
  associate_public_ip_address = true
  subnet_id                   = var.subnet_id
  vpc_id                      = var.vpc_id
  tags = {
    Name = "HashiCorp Vault"
    OS   = "Amazon Linux 2"
  }
}

build {
  sources = ["source.amazon-ebs.vault-amzn2"]

  provisioner "file" {
    source      = var.vault_zip
    destination = "/tmp/vault.zip"
  }

  provisioner "file" {
    source      = "files/"
    destination = "/tmp"
  }

  provisioner "shell" {
    inline = [
      "unzip /tmp/vault.zip -d /usr/local/bin",
      "chmod +x /usr/local/bin/vault",
      "mkdir -p /etc/vault.d",
      "mv /tmp/vault.hcl /etc/vault.d/",
      "mv /tmp/vault_int_storage.hcl /etc/vault.d/",
      "mv /tmp/vault.service /etc/systemd/system/",
      "systemctl daemon-reload",
      "systemctl enable vault"
    ]
  }
}

3. Set AWS Variables

Retrieve your VPC and Subnet IDs from the AWS VPC console:
The image shows an AWS console interface displaying details of a Virtual Private Cloud (VPC) named "demo_vpc," including its ID, state, and CIDR information. The left sidebar lists various VPC-related options like subnets and route tables.
You can either update the default values in vault.pkr.hcl or pass them at build time: 
packer build \
  -var aws_region=us-east-1 \
  -var vpc_id=vpc-123456 \
  -var subnet_id=subnet-abcdef \
  vault.pkr.hcl

4. Validate & Build the AMI

packer validate vault.pkr.hcl
packer build vault.pkr.hcl
Packer will launch a builder EC2 instance, upload your files, install Vault, and register a new AMI. 
amazon-ebs.vault-amzn2: Creating AMI: vault-amazonlinux2-<timestamp> from instance i-0b8...
...
amazon-ebs.vault-amzn2: Builds finished. The artifacts of successful builds are:

5. Verify the Builder Instance

In the EC2 console, watch the temporary Packer builder instance spin up and terminate:
The image shows an AWS EC2 management console with two running instances, one named "Packer Builder." The console displays details such as instance IDs, types, and status checks.

6. Check the New AMI

Under EC2AMIs, confirm your vault-amazonlinux2-* AMI is available:
The image shows the AWS EC2 Management Console, specifically the AMIs (Amazon Machine Images) section, displaying details of a selected AMI.

7. Launch & Validate an Instance

  1. Launch: Select the custom AMI, choose T2 Micro, enable public IP.
  2. Security Group: Open SSH (port 22) from your IP.
The image shows the "Configure Instance Details" step in the AWS EC2 launch instance wizard, where various settings like network, subnet, and IAM role are being configured.
The image shows the AWS EC2 instance launch wizard, specifically the "Configure Security Group" step, where a security group is being set up with SSH access. A warning is displayed about allowing all IP addresses to access the instance.
SSH into the new instance and verify Vault: 
ssh -i key.pem ec2-user@<public-ip>
sudo systemctl status vault
vault version
# Vault v1.7.1 (971142289796a60d0d96d0d06a0590e44e)
Congratulations—you now have a reusable AMI with Vault 1.7.1 installed!

Watch Video