Overview
OpenBao secrets engines
The built-in OpenBao web UI on port 8200 listing the enabled secrets engines after signing in with the generated root token.
OpenBao secrets engines
OpenBao key value secret
OpenBao auth methods
This is a repackaged open source software product wherein additional charges apply for cloudimg support services.
Overview
OpenBao is an open source, community-driven secrets management platform: a Linux Foundation project and the MPL-2.0 licensed fork of Vault. It centrally stores, accesses, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets, and provides encryption as a service so applications never have to handle raw keys. This image delivers OpenBao fully installed and configured as a system service backed by integrated raft storage, so a working secrets engine is running within minutes of launch.
Application Stack
- Single static bao server binary installed under /usr/local/bin, run by a dedicated unprivileged service account
- Encrypted secret store on integrated raft storage on a dedicated data disk, independently resizable
- A systemd service that starts the server on boot, initializes it on first boot, and automatically unseals it after a reboot
- Built-in web UI and the full HTTP API published on port 8200
Secrets Management
Enable secrets engines for key/value secrets, dynamic database credentials, PKI certificate issuance, SSH, transit encryption as a service, and more. Authenticate with tokens, AppRole, userpass, JWT/OIDC, or cloud auth methods, and govern every path with fine-grained policies. Drive everything from the web UI, the bao CLI, or the HTTP API.
Secure First Boot
On the first boot of your instance a one-shot service initializes the store, captures the single unseal key and the initial root token unique to that instance, unseals the server, and writes both to a root-only file. No shared or default credentials, no pre-initialized store, and no preset unseal key ship in the image.
Auto Unseal Across Reboots
A dedicated service re-unseals the server automatically after every reboot so the appliance returns to a healthy, ready state unattended. The included user guide documents switching to AWS KMS auto-unseal and enabling TLS for production deployments.
Concrete Use Case: Dynamic Database Credentials in CI/CD
A platform team running GitHub Actions or GitLab CI pipelines enables the database secrets engine to issue short-lived PostgreSQL credentials per job. Each pipeline step requests a unique credential scoped to the exact tables it needs, and the credential is automatically revoked when the lease expires. This eliminates long-lived database passwords stored in environment variables and reduces blast radius if a pipeline is compromised - ideal for teams managing dozens to hundreds of microservices.
cloudimg Support
24/7 technical support by email and live chat. Our engineers help with deployment, secrets engine and auth method configuration, policies, PKI, transit encryption, AWS KMS auto-unseal, TLS, raft storage, and backup. Critical issues receive a one-hour average response.
Additional Use Cases
- A central secrets store for applications and CI/CD pipelines
- Dynamic, short-lived database and cloud credentials
- PKI and internal certificate authority
- Encryption as a service via the transit engine
- A drop-in open source alternative to Vault for teams that need an MPL-2.0 licence
Getting Started
Launch the AMI, wait for the systemd initialization to complete, then access the web UI at https://your-instance-ip:8200 . Retrieve your unique root token from the root-only file documented in the user guide and begin configuring secrets engines and auth methods immediately. Consult the included user guide for production hardening steps including AWS KMS auto-unseal and TLS termination.
All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
Highlights
- OpenBao secrets management and encryption as a service, fully installed and running as a systemd service within minutes of launch. Built-in web UI and HTTP API on port 8200 over integrated raft storage on a dedicated, independently resizable data disk. Zero manual setup required - just launch the instance and start managing secrets immediately.
- Hardened security from first boot: the appliance initializes the store and generates a unique root token and unseal key per instance, written to a root-only file. No shared credentials, no pre-initialized store, and no preset keys ship in the image. A dedicated systemd service automatically re-unseals the server after every reboot so the appliance returns to a ready state unattended.
- Linux Foundation MPL-2.0 open source fork of Vault with a documented production path including AWS KMS auto-unseal and TLS termination. Backed by 24/7 cloudimg technical support with one-hour average response for critical issues. An ideal drop-in alternative for teams needing an open source secrets manager with enterprise-grade support.
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
Pricing
Free trial
- ...
Dimension | Description | Cost/hour |
|---|---|---|
t3.medium Recommended | t3.medium | $0.04 |
t3.micro | t3.micro instance type | $0.04 |
t2.micro | t2.micro instance type | $0.04 |
c5d.4xlarge | c5d.4xlarge instance type | $0.24 |
i7i.16xlarge | i7i.16xlarge instance type | $0.24 |
c8i.2xlarge | c8i.2xlarge instance type | $0.24 |
c6in.24xlarge | c6in.24xlarge instance type | $0.24 |
c6a.large | c6a.large instance type | $0.08 |
i3en.3xlarge | i3en.3xlarge instance type | $0.24 |
m6a.24xlarge | m6a.24xlarge instance type | $0.24 |
Vendor refund policy
Refunds available on request.
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
Initial release of OpenBao 2.5.5 secrets management server on integrated raft storage.
Additional details
Usage instructions
Connect via SSH on port 22 as the default login user for your operating system variant (the user guide lists it per variant). The OpenBao web UI and HTTP API are served on port 8200: browse to http://<instance-public-ip>:8200/ and sign in with the Token method using the initial root token. Retrieve the root token and the unseal key with: sudo cat /root/openbao-credentials.txt. From the CLI export BAO_ADDR=http://<instance-public-ip>:8200 and run bao login with the root token, then enable secrets engines and auth methods. The encrypted store lives on a dedicated raft data disk mounted at /var/lib/openbao. For production, follow the user guide to enable TLS and switch to AWS KMS auto-unseal, then create your own admin auth method and revoke the initial root token.
Resources
Vendor resources
Support
Vendor support
cloudimg Support
cloudimg provides 24/7 technical support for this product by email and live chat.
Coverage includes:
- Deployment and initial configuration assistance
- Secrets engine and auth method setup (KV, database, PKI, SSH, transit)
- Policy authoring and access control configuration
- AWS KMS auto-unseal setup and TLS termination
- Raft storage management, snapshots, and backup
- Performance tuning and troubleshooting
- Software updates and upgrade guidance
Response Times:
Critical issues receive a one-hour average response. Our engineers work with you until the issue is resolved.
How to Get Help:
Email: support@cloudimg.co.uk Live chat: Available 24/7
For refund requests or billing inquiries, contact us via the same email address and we will respond within one business day.
Getting Started:
After launching your instance, consult the included user guide for production hardening steps. If you need assistance with initial deployment, secrets engine configuration, or migrating from another secrets manager, our support team is ready to help at no additional charge beyond your subscription.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.