Hashicorp Vault Secret Manager
Configuring Vault is deprecated in Database 7.0. Secret Agent is the recommended way to fetch secrets from Vault.
Hashicorp Vault supports multiple secret engines. Secret Agent supports fetching secrets from KV (V2) Secrets Engine only.
Secret Agent can use one of the following authentication methods to authenticate with the Hashicorp Vault server:
Token auth method
This method authenticates you with a Vault token. You must generate a Vault token and store it in a file. Secret Agent reads the token from the file and uses it to authenticate. The token file is read for every fetch request. If the token is changed in a file, Secret Agent uses the new token for the subsequent fetch request. The file should have appropriate permissions so that only Secret Agent can read the token.
Sample configuration file for token auth method:
service:
  tcp:
    endpoint: 0.0.0.0:3005
secret-manager:
  vault:
    endpoint: http://127.0.0.1:8200
    token-file: /path/to/token/file
    namespace: asd # (optional) Vault Enterprise namespace
    convert-to-base64: false
    resources:
      mount: mysecrets
      secret: TestingSecret
      version: 0 # 0 means latest version
log:
  level: info
Use the following steps to configure Secret Agent to use token auth method:
- Enable KV (V2) Secrets Engine in Vault with mount (path) as mysecrets.
- Create a secret under the mysecrets mount. In this example, the secret is named TestingSecret.
- Add one or more key-value pairs to the secret TestingSecret.
- Generate a Vault token and store it in a file. In this example, the token is stored in /path/to/token/file.
- Install Secret Agent on the machine.
- Configure Secret Agent to fetch secrets from Vault.
- Start Secret Agent.
- Use the Secret Agent endpoint to fetch secrets.
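The token auth method above amounts to three things: read the token from a file that only the agent can read, re-read it on every fetch so a rotated token is picked up, and send it as X-Vault-Token on a KV v2 read. The following Python is an added example that re-creates that flow; it is not Secret Agent's code. It uses the real Vault KV v2 read path (/v1/<mount>/data/<secret>, with ?version=N for a pinned version) and the X-Vault-Namespace header, takes its settings from a dict shaped like the YAML above, and lets the caller inject http_get so the demo runs offline against a constructed response. The permission check (refusing a token file readable by group or others) is an assumed policy matching the "appropriate permissions" requirement, not something the page specifies.

```python
import base64
import json
import os
import stat
import tempfile
import urllib.parse
import urllib.request

# Constructed sample KV v2 read response (shape of GET /v1/<mount>/data/<secret>).
SAMPLE_KV2_RESPONSE = json.dumps({
    "data": {
        "data": {"db_user": "appuser", "db_password": "constructed-pass"},
        "metadata": {"version": 3, "destroyed": False},
    }
})


def read_token_file(path):
    """Read the token from its file, the way the token auth method does.

    It is re-read on every call so a rotated token is used on the next fetch,
    and a group- or world-accessible file is refused (assumed policy).
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible by group/other (mode {oct(mode)})")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def build_kv2_request(endpoint, mount, secret, version=0, namespace=None, token=""):
    """Return (url, headers) for a KV v2 read; version 0 means the latest version."""
    url = f"{endpoint.rstrip('/')}/v1/{mount}/data/{urllib.parse.quote(secret)}"
    if version:
        url += f"?version={int(version)}"
    headers = {"X-Vault-Token": token}
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    return url, headers


def parse_kv2_response(body, convert_to_base64=False):
    """Return the secret's key-value pairs, base64-encoded if convert-to-base64 is set."""
    data = json.loads(body)["data"]["data"]
    if convert_to_base64:
        return {k: base64.b64encode(str(v).encode()).decode() for k, v in data.items()}
    return dict(data)


def fetch_secret(cfg, http_get=None):
    """Fetch the secret described by a config dict shaped like the YAML above.

    http_get(url, headers) -> response body as str; defaults to urllib.
    """
    if http_get is None:
        def http_get(url, headers):
            req = urllib.request.Request(url, headers=headers)
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.read().decode()
    vault = cfg["secret-manager"]["vault"]
    res = vault["resources"]
    token = read_token_file(vault["token-file"])
    url, headers = build_kv2_request(
        vault["endpoint"], res["mount"], res["secret"],
        res.get("version", 0), vault.get("namespace"), token,
    )
    return parse_kv2_response(http_get(url, headers), vault.get("convert-to-base64", False))


def demo(mode=0o600, convert_to_base64=False):
    """Run fetch_secret offline against a fake endpoint; returns (seen_request, secret)."""
    seen = {}

    def fake_http_get(url, headers):  # constructed stand-in for the Vault server
        seen["url"], seen["headers"] = url, dict(headers)
        return SAMPLE_KV2_RESPONSE

    with tempfile.TemporaryDirectory() as d:
        token_path = os.path.join(d, "token")
        with open(token_path, "w", encoding="utf-8") as fh:
            fh.write("hvs.constructed-token\n")  # constructed token value
        os.chmod(token_path, mode)
        cfg = {"secret-manager": {"vault": {
            "endpoint": "http://127.0.0.1:8200", "token-file": token_path,
            "namespace": "asd", "convert-to-base64": convert_to_base64,
            "resources": {"mount": "mysecrets", "secret": "TestingSecret", "version": 0},
        }}}
        return seen, fetch_secret(cfg, fake_http_get)


if __name__ == "__main__":
    print(demo())
```

Running demo() with the default 0600 token file returns the request that was built and the decoded key-value pairs; demo(mode=0o644) raises PermissionError before any request is made, which is the behaviour you want from an agent that holds a long-lived token.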
Username/password auth method
To authenticate with Vault using a username and password, you must create a username and password in Vault and store the password in a file. Secret Agent reads the password from the file and uses it to authenticate with Vault. Users must specify the username in the configuration file.
When Secret Agent uses this method to authenticate with Vault, it creates a Vault token and uses it to fetch secrets. If the token is renewable, Secret Agent automatically renews the token before it expires. If the token is not renewable, Secret Agent automatically creates a new token when the existing token expires, using the same username and password.
Sample configuration file for username/password auth method:
service:
  tcp:
    endpoint: 0.0.0.0:3005
secret-manager:
  vault:
    endpoint: http://127.0.0.1:8200
    username: testuser
    password-file: /path/to/password/file
    namespace: asd # (optional) Vault Enterprise namespace
    convert-to-base64: false
    resources:
      mount: mysecrets
      secret: TestingSecret
      version: 0 # 0 means latest version
Use the following steps to configure Secret Agent to use Username/password auth method:
- Enable KV (V2) Secrets Engine in Vault with mount (path) as mysecrets.
- Create a secret under the mysecrets mount. In this example, the secret is named TestingSecret.
- Add one or more key-value pairs to the secret TestingSecret.
- Create a username and password in Vault. In this example, the username is testuser and the password is stored in /path/to/password/file.
- Verify that testuser has appropriate policies attached to read the secret TestingSecret.
- Install Secret Agent on the machine.
- Configure Secret Agent to fetch secrets from Vault.
- Start Secret Agent.
- Use the Secret Agent endpoint to fetch secrets.
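The token lifecycle described for the username/password method (log in, renew a renewable token before it expires, log in again with the same credentials once a non-renewable token has expired) is easy to get wrong, so here is an added Python example of that state machine. It is not Secret Agent's code. It uses the real Vault endpoints POST /v1/auth/userpass/login/<username> and POST /v1/auth/token/renew-self and the auth.client_token, auth.renewable and auth.lease_duration response fields; the 20% renewal margin, the FakeVault stand-in, the constructed password and token values, and the injectable post/now callables are assumptions made so the lifecycle can be driven offline.

```python
import os
import tempfile
import time


class UserpassSession:
    """Holds a Vault token obtained with the userpass auth method and keeps it usable.

    post(url, body, headers) -> parsed JSON dict and now() -> epoch seconds are
    injectable so the lifecycle can be driven offline with a fake server and clock.
    """
    RENEW_FRACTION = 0.2  # renew once 20% of the lease remains (assumed margin)

    def __init__(self, endpoint, username, password_file, post, now=time.time, namespace=None):
        self.endpoint = endpoint.rstrip("/")
        self.username = username
        self.password_file = password_file
        self.post = post
        self.now = now
        self.namespace = namespace
        self.token = None
        self.renewable = False
        self.lease = 0
        self.expires_at = 0.0

    def _headers(self, with_token=False):
        h = {"X-Vault-Namespace": self.namespace} if self.namespace else {}
        if with_token:
            h["X-Vault-Token"] = self.token
        return h

    def _login(self):
        """POST /v1/auth/userpass/login/<username>; the password is read from its file each time."""
        with open(self.password_file, encoding="utf-8") as fh:
            password = fh.read().strip()
        resp = self.post(f"{self.endpoint}/v1/auth/userpass/login/{self.username}",
                         {"password": password}, self._headers())
        auth = resp["auth"]
        self.token = auth["client_token"]
        self.renewable = bool(auth["renewable"])
        self.lease = int(auth["lease_duration"])
        self.expires_at = self.now() + self.lease

    def _renew(self):
        """POST /v1/auth/token/renew-self extends the current token's lease."""
        resp = self.post(f"{self.endpoint}/v1/auth/token/renew-self", {}, self._headers(True))
        self.lease = int(resp["auth"]["lease_duration"])
        self.expires_at = self.now() + self.lease

    def get_token(self):
        """Return a token valid now: renew a renewable one early, re-login an expired one."""
        if self.token is None or self.now() >= self.expires_at:
            self._login()
        elif self.renewable and self.now() >= self.expires_at - self.lease * self.RENEW_FRACTION:
            self._renew()
        return self.token


class FakeVault:
    """Constructed stand-in for the two Vault auth endpoints used above (not the real server)."""

    def __init__(self, renewable, lease):
        self.renewable, self.lease = renewable, lease
        self.logins = self.renewals = 0

    def post(self, url, body, headers):
        if "/v1/auth/userpass/login/" in url:
            if body.get("password") != "constructed-password":
                raise RuntimeError("invalid username or password")
            self.logins += 1
            return {"auth": {"client_token": f"hvs.fake{self.logins}",
                             "renewable": self.renewable, "lease_duration": self.lease}}
        if url.endswith("/v1/auth/token/renew-self"):
            if not self.renewable:
                raise RuntimeError("lease is not renewable")
            self.renewals += 1
            return {"auth": {"client_token": headers["X-Vault-Token"],
                             "renewable": True, "lease_duration": self.lease}}
        raise RuntimeError("unexpected request: " + url)


def demo(renewable, lease=1000, times=(0, 850, 1100)):
    """Drive the session through a fake clock; returns (logins, renewals, tokens seen)."""
    clock = {"t": 0}
    vault = FakeVault(renewable, lease)
    with tempfile.TemporaryDirectory() as d:
        pw = os.path.join(d, "password")
        with open(pw, "w", encoding="utf-8") as fh:
            fh.write("constructed-password\n")
        os.chmod(pw, 0o600)  # the password file needs the same owner-only permissions as a token file
        sess = UserpassSession("http://127.0.0.1:8200", "testuser", pw,
                               vault.post, now=lambda: clock["t"], namespace="asd")
        tokens = []
        for t in times:
            clock["t"] = t
            tokens.append(sess.get_token())
    return vault.logins, vault.renewals, tokens


if __name__ == "__main__":
    print("renewable:", demo(True))
    print("non-renewable:", demo(False))
```

With a 1000-second lease and fetches at t=0, 850 and 1100, a renewable token is renewed once (at t=850, inside the margin) and never replaced, while a non-renewable token is kept until t=1000 and a second login is performed at t=1100. In both cases the only credential that ever touches disk is the password file.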
Sample Vault policy to read the secret TestingSecret:
path "mysecrets/*" {
  capabilities = ["read", "list"]
}
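The sample policy grants read and list on everything under the mysecrets mount, which is more than the agent needs for one secret. Since a KV v2 read is served from mysecrets/data/<name> (metadata lives under mysecrets/metadata/<name>), a policy scoped to path "mysecrets/data/TestingSecret" with capabilities = ["read"] is enough for the fetch shown above. The following added Python example (not Vault's code, and not part of the page) models enough of Vault's path-policy evaluation to show the difference: an exact-path rule takes precedence over glob rules, otherwise the longest matching glob rule applies, a trailing * matches any suffix, + matches exactly one path segment, and deny in the chosen rule overrides everything. The rules are given as Python tuples rather than HCL, and the modelling of rule precedence is an assumption simplified from Vault's documented behaviour.

```python
import re

# The page's sample policy and a tightened alternative, as (path, capabilities) rules.
SAMPLE_POLICY = [("mysecrets/*", ["read", "list"])]
TIGHT_POLICY = [("mysecrets/data/TestingSecret", ["read"])]


def _to_regex(pattern):
    """Vault path globbing: a trailing '*' matches any suffix, '+' exactly one segment."""
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    rx = "/".join("[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/"))
    return re.compile("^" + rx + (".*" if glob else "$"))


def policy_allows(policy, request_path, capability):
    """Decide one request: exact rule wins, else the longest matching glob rule;
    'deny' in the chosen rule refuses regardless of other capabilities."""
    exact = [r for r in policy if r[0] == request_path]
    globs = [r for r in policy if r[0] != request_path and _to_regex(r[0]).match(request_path)]
    chosen = exact[0] if exact else (max(globs, key=lambda r: len(r[0])) if globs else None)
    if chosen is None or "deny" in chosen[1]:
        return False
    return capability in chosen[1]


def compare(request_path, capability):
    """Return (sample_policy_decision, tight_policy_decision) for one request."""
    return (policy_allows(SAMPLE_POLICY, request_path, capability),
            policy_allows(TIGHT_POLICY, request_path, capability))


if __name__ == "__main__":
    for path, cap in [("mysecrets/data/TestingSecret", "read"),
                      ("mysecrets/data/OtherSecret", "read"),
                      ("mysecrets/metadata/TestingSecret", "list"),
                      ("mysecrets/data/TestingSecret", "delete")]:
        print(f"{cap:6} {path:35} sample={compare(path, cap)[0]} tight={compare(path, cap)[1]}")
```

Both policies let the agent read mysecrets/data/TestingSecret, but only the sample policy also exposes every other secret under the mount and its metadata; neither grants delete. When the agent only ever fetches the one secret named in its configuration, the tightened form is the one to attach to testuser.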
TLS certificates auth method
This is a secure method because no tokens or passwords are stored in any file on the machine. The TLS certificates auth method authenticates with SSL/TLS client certificates, which can be either CA-signed or self-signed. The Vault server checks whether it has a matching certificate configured and, if the Secret Agent is authenticated, the auth method returns a token. The client certificate's private key still has to be protected on disk with the same restrictive permissions as a token or password file. Renewal of the token is the same as described in the previous section.