HashiCorp Vault
For the complete documentation index see: llms.txt
All documentation pages available in markdown.
HashiCorp Vault supports multiple secret engines. Secret Agent supports fetching secrets from the KV (V2) Secrets Engine only.
Secret Agent can authenticate with the HashiCorp Vault server using one of the following methods:
- Token auth method
- Username and password auth method
- TLS certificates auth method
- AppRole auth method
Resource entries
Under resources, each key is an alias that Aerospike Database references in
secrets:resource:key paths. Each alias
maps to a KV mount, secret path, and optional version:
resources: TestingSecret: mount: mysecrets secret: TestingSecret version: 0 # 0 means latest versionWhen only one resource alias is configured, the Resource field in Secret
Agent protocol requests is optional.
Token auth method
This method authenticates with a Vault token. You must generate a Vault token and store it in a file. Secret Agent reads the token from the file for every fetch request, so if you update the token in the file, Secret Agent uses the new token for the next request. The file must have permissions that restrict read access to the Secret Agent process.
Sample configuration file:
service: tcp: endpoint: 0.0.0.0:3005
secret-manager: vault: endpoint: http://127.0.0.1:8200 token-file: /path/to/token/file namespace: asd # (optional) Vault Enterprise namespace convert-to-base64: false resources: TestingSecret: mount: mysecrets secret: TestingSecret version: 0 # 0 means latest version
log: level: infoTo configure Secret Agent with the token auth method:
- Enable KV (V2) Secrets Engine in Vault with mount (path)
mysecrets. - Create a secret under the
mysecretsmount. In this example, the secret is namedTestingSecret. - Add one or more key-value pairs to
TestingSecret. - Generate a Vault token and store it in a file. In this example, the file is
/path/to/token/file. - Install Secret Agent on the machine.
- Configure Secret Agent to fetch secrets from Vault.
- Start Secret Agent.
Username and password auth method
To authenticate with Vault using a username and password, create a user in Vault and store the password in a file. Secret Agent reads the password from the file and uses it to authenticate. Specify the username in the Secret Agent configuration file.
When Secret Agent authenticates with this method, it creates a Vault token to fetch secrets. If the token is renewable, Secret Agent automatically renews it before it expires. If the token is not renewable, Secret Agent creates a new token when the existing one expires, using the same username and password.
Sample configuration file:
service: tcp: endpoint: 0.0.0.0:3005
secret-manager: vault: endpoint: http://127.0.0.1:8200 username: testuser password-file: /path/to/password/file namespace: asd # (optional) Vault Enterprise namespace convert-to-base64: false resources: TestingSecret: mount: mysecrets secret: TestingSecret version: 0 # 0 means latest version
log: level: infoTo configure Secret Agent with the username and password auth method:
- Enable KV (V2) Secrets Engine in Vault with mount (path)
mysecrets. - Create a secret under the
mysecretsmount. In this example, the secret is namedTestingSecret. - Add one or more key-value pairs to
TestingSecret. - Create a username and password in Vault. In this example, the username is
testuserand the password is stored in/path/to/password/file. - Verify that
testuserhas policies attached that allow readingTestingSecret. - Install Secret Agent on the machine.
- Configure Secret Agent to fetch secrets from Vault.
- Start Secret Agent.
Sample Vault policy to read secrets under the mysecrets mount:
path "mysecrets/*" { capabilities = ["read", "list"]}TLS certificates auth method
With this method, no tokens or passwords are stored on the machine. The TLS certificates auth method authenticates using SSL/TLS client certificates that are either signed by a CA or self-signed. The Vault server determines whether a matching certificate exists to authenticate Secret Agent. On success, the auth method returns a token. Token renewal works the same way as the username and password auth method.
Sample configuration file:
service: tcp: endpoint: 0.0.0.0:3005
secret-manager: vault: endpoint: https://127.0.0.1:8200 tls-auth-mount: authcerts client-cert-file: /path/to/client/cert/file client-key-file: /path/to/client/key/file ca-file: /path/to/ca/file namespace: asd # (optional) Vault Enterprise namespace convert-to-base64: false resources: TestingSecret: mount: mysecrets secret: TestingSecret version: 0 # 0 means latest version
log: level: infoTo configure Secret Agent with the TLS certificates auth method:
- Create a TLS auth method in Vault. In this example, the mount (path) is
authcerts. - Enable KV (V2) Secrets Engine in Vault with mount (path)
mysecrets. - Create a secret under the
mysecretsmount. In this example, the secret is namedTestingSecret. - Add one or more key-value pairs to
TestingSecret. - Verify that the TLS auth method has policies attached that allow reading
TestingSecret. - Install Secret Agent on the machine.
- Configure Secret Agent to fetch secrets from Vault.
- Start Secret Agent.
AppRole authentication
With this method, Secret Agent authenticates to HashiCorp Vault using a role ID and a secret ID. This feature is available in Secret Agent 1.4.0 and later.
Security requirements
Store the secret ID in a file on the host. Restrict read access to this file to the Secret Agent process.
Token lifecycle
At startup, Secret Agent validates that secret-id-file is readable.
On the first secret request, Secret Agent reads the secret ID from the file and logs in to Vault.
- If the returned token is renewable, Secret Agent automatically renews it before it expires.
- If the token is not renewable, Secret Agent re-authenticates using the same
secret-id-filebefore the token expires.
The AppRole auth mount defaults to approle. If your Vault deployment uses a
different mount path, set approle-mount in the Secret Agent configuration
file.
Sample configuration file:
service: tcp: endpoint: 0.0.0.0:3005
secret-manager: vault: endpoint: https://127.0.0.1:8200 ca-file: /path/to/ca/file role-id: c49b442f-bf4b-0c82-a776-42699f521ccf secret-id-file: /path/to/secret-id/file approle-mount: approle # optional; default is approle namespace: asd # (optional) Vault Enterprise namespace convert-to-base64: false resources: TestingSecret: mount: mysecrets secret: TestingSecret version: 0 # 0 means latest version
log: level: infoTo configure Secret Agent with the AppRole auth method:
- Enable the AppRole auth method in Vault and create a role with policies that allow reading your KV secrets.
- Obtain the role ID and generate a secret ID for that role.
- Store the secret ID in a file readable by Secret Agent. In this example, the file is
/path/to/secret-id/file. - Enable KV (V2) Secrets Engine in Vault with mount (path)
mysecrets. - Create a secret under the
mysecretsmount. In this example, the secret is namedTestingSecret. - Add one or more key-value pairs to
TestingSecret. - Install Secret Agent on the machine.
- Configure Secret Agent with
role-idandsecret-id-file. - Start Secret Agent.
Configuration parameters
| Parameter | Description | Notes |
|---|---|---|
endpoint | Vault server endpoint | Required. Can be http or https. |
ca-file/ca-path | File or path to the CA certificate | Required if the Vault server uses https. |
namespace | Namespace for authentication | Required when using Vault Enterprise or HashiCorp Cloud Platform (HCP) Vault. |
token-file | Path to the file containing the Vault token | Required when using the token auth method. |
username | Username for authentication | Required when using the username and password method. |
password-file | Path to the file containing the password | Required when using the username and password method. |
tls-auth-mount | Mount point of the TLS certificates auth method | Required when using the TLS certificates method. |
client-cert-file | Path to the client certificate file | Required when using the TLS certificates method. |
client-key-file | Path to the client key file | Required when using the TLS certificates method. |
role-id | Vault AppRole role ID | Required when using the AppRole auth method. |
secret-id-file | Path to the file containing the AppRole secret ID | Required when using the AppRole auth method. |
approle-mount | Mount point of the AppRole auth method | Optional. Default is approle. |
convert-to-base64 | If true, Secret Agent converts secret values to base64-encoded format | |
resources | Map of resource aliases to Vault KV paths | Required. |
resources.<alias>.mount | KV secrets engine mount point | Required for each resource entry. |
resources.<alias>.secret | Secret path under the mount | Required for each resource entry. |
resources.<alias>.version | Secret version; 0 fetches the latest version | Optional. Default 0. |
Proxy
When Secret Agent must reach Vault over a corporate proxy, set HTTP_PROXY or HTTPS_PROXY depending on whether endpoint uses http:// or https://.
You can also set proxy.url under the vault section to override environment variables for Vault traffic only.
Local Vault (http://127.0.0.1:8200) is automatically excluded from the proxy
together with other localhost and metadata hosts.
Proxy TLS options under proxy.tls apply only to TLS to the proxy and are
independent of Vault server TLS (ca-file, client-cert-file, and related
options).
To understand proxy architecture, configure environment variables (including NO_PROXY), set up TLS, and validate your startup configuration, see Configure a proxy.
Example: HTTP proxy with AppRole
secret-manager: vault: endpoint: https://vault.corp.example.com:8200 ca-file: /etc/aerospike-secret-agent/vault-ca.pem role-id: c49b442f-bf4b-0c82-a776-42699f521ccf secret-id-file: /etc/aerospike-secret-agent/secret-id proxy: url: http://proxy.corp.example.com:3128 resources: appConfig: mount: secret secret: my-app/configExample: HTTPS proxy with private CA and mutual TLS (mTLS)
secret-manager: vault: endpoint: https://vault.corp.example.com:8200 ca-file: /etc/aerospike-secret-agent/vault-ca.pem role-id: c49b442f-bf4b-0c82-a776-42699f521ccf secret-id-file: /etc/aerospike-secret-agent/secret-id proxy: url: https://proxy.corp.example.com:3128 tls: ca-file: /etc/aerospike-secret-agent/proxy-ca.crt cert-file: /etc/aerospike-secret-agent/proxy-client.crt key-file: /etc/aerospike-secret-agent/proxy-client.key tls-name: proxy.corp.example.com resources: appConfig: mount: secret secret: my-app/config