HashiCorp Vault¶
Virtual DataPort provides support to obtain credentials from HashiCorp Vault using the following authentication methods:
Agent. Connects with the Credentials Vault using a token written to a sink file by the HashiCorp Vault Agent.
App Role. Connects with the Credentials Vault using a Role ID and a Secret ID.
LDAP. Connects with the Credentials Vault using an LDAP user.
TLS Certificate. Connects with the Credentials Vault using a TLS client certificate.
Token. Connects with the Credentials Vault using a token.
User/password. Connects with the Credentials Vault using a user name and password.
Agent¶
This mode reads the token for connecting with the Credentials Vault from a sink file written by the HashiCorp Vault Agent.

You have to provide the following data:
URL: URL of the HashiCorp Vault. E.g. “https://hashicorp-host:8200”. When no sink file is used, this must be the URL of the HashiCorp Vault Agent listener instead (see the notes below).
Namespace: namespace used in HashiCorp Vault to get the credentials. E.g. “namespace1”.
Certificate of Certification Authority (CA) (optional): file that contains the X.509 certificate of the CA used to validate the TLS certificate presented by HashiCorp Vault.
Sink file (optional): file where the HashiCorp Vault Agent writes the token it obtains through Auto-Auth.
Proxy: settings for connecting to HashiCorp Vault through a proxy.
Click Ok to apply the changes.
Notes about Sink File
Virtual DataPort supports reading both wrapped and unwrapped tokens from the sink file (a wrapped token is unwrapped against HashiCorp Vault before use).
If no sink file is specified, Virtual DataPort sends its requests to the Credentials Vault without a token of its own. In that case the URL field must point to the HashiCorp Vault Agent listener, and the agent must be configured with Auto-Auth and with its listener set to inject the Auto-Auth token into the requests it proxies (the agent's use_auto_auth_token setting).
Note
Note that no credentials have to be entered in Virtual DataPort with this authentication method: the token comes from the sink file or is added by the agent.
App Role¶
This mode requires the Role ID and a Secret ID of an AppRole for connecting with the Credentials Vault.

You have to provide the following data:
URL: URL of the HashiCorp Vault. E.g. “https://hashicorp-host:8200”.
Namespace: namespace used in HashiCorp Vault to get the credentials.
Authentication path: path where the AppRole auth method is mounted in HashiCorp Vault. This is only needed if the default authentication path is not used, as explained here.
Certificate of Certification Authority (CA) (optional): file that contains the X.509 certificate of the CA used to validate the TLS certificate presented by HashiCorp Vault.
Role Id: the Role ID of an existing AppRole.
Secret Id: a Secret ID issued for that AppRole. If the role limits the TTL or the number of uses of its Secret IDs, this Secret ID stops working once that limit is reached and a new one has to be configured.
Proxy: settings for connecting to HashiCorp Vault through a proxy.
Click Ok to apply the changes.
LDAP¶
This mode requires the user name and password of an LDAP user for connecting with the Credentials Vault.

You have to provide the following data:
URL: URL of the HashiCorp Vault. E.g. “https://hashicorp-host:8200”.
Namespace: namespace used in HashiCorp Vault to get the credentials.
Authentication path: path where the LDAP auth method is mounted in HashiCorp Vault. This is only needed if the default authentication path is not used, as explained here.
Certificate of Certification Authority (CA) (optional): file that contains the X.509 certificate of the CA used to validate the TLS certificate presented by HashiCorp Vault.
User: the user name of the LDAP user.
Password: the password of that user.
Proxy: settings for connecting to HashiCorp Vault through a proxy.
Note
Note that the LDAP bind is performed by HashiCorp Vault through its LDAP auth method; Virtual DataPort only sends the credentials to HashiCorp Vault and never contacts the LDAP server itself.
Click Ok to apply the changes.
TLS Certificate¶
This mode requires a client certificate for connecting with the Credentials Vault. Supported formats are PEM and PFX (PKCS#12).

You have to provide the following data:
URL: URL of the HashiCorp Vault. E.g. “https://hashicorp-host:8200”.
Namespace: namespace used in HashiCorp Vault to get the credentials.
Authentication path: path where the TLS certificate auth method is mounted in HashiCorp Vault. This is only needed if the default authentication path is not used, as explained here.
Certificate of Certification Authority (CA) (optional): file that contains the X.509 certificate of the CA used to validate the TLS certificate presented by HashiCorp Vault.
Certificate name (optional): name of the certificate role, in the auth method, that this client certificate authenticates as.
Certificate format: format of the client certificate files.
PFX or PKCS#12
Client certificate (private key): file that contains the client certificate and its private key.
Password: the password of the PFX/PKCS#12 file.
PEM
Client certificate (private key): file that contains the private key used for authenticating with the Credentials Vault. This file must not be password-protected, so restrict its file system permissions to the account that runs Virtual DataPort.
PEM certificate: file that contains the client certificate used for authenticating with the Credentials Vault.
Intermediate PEM certificate (optional): file that contains the intermediate certificates of the chain between the client certificate and its CA.
Proxy: settings for connecting to HashiCorp Vault through a proxy.
Click Ok to apply the changes.
Token¶
This mode requires a token for connecting with the Credentials Vault. The token can be entered directly or read from an environment variable.

You have to provide the following data:
URL: URL of the HashiCorp Vault. E.g. “https://hashicorp-host:8200”.
Namespace: namespace used in HashiCorp Vault to get the credentials.
Certificate of Certification Authority (CA) (optional): file that contains the X.509 certificate of the CA used to validate the TLS certificate presented by HashiCorp Vault.
Token: the token used to access the Credentials Vault.
Token environment variable: name of the environment variable from which Virtual DataPort reads the token used to authenticate against the Credentials Vault, instead of storing the token in its configuration.
Proxy: settings for connecting to HashiCorp Vault through a proxy.
Click Ok to apply the changes.
Notes about the Token
Virtual DataPort supports both wrapped and unwrapped tokens (a wrapped token is unwrapped against HashiCorp Vault before use).
Note
Note that, when the Token environment variable option is used, no credentials have to be entered in Virtual DataPort.
User/Password¶
This mode requires a user name and password for connecting with the Credentials Vault.

You have to provide the following data:
URL: URL of the HashiCorp Vault. E.g. “https://hashicorp-host:8200”.
Namespace: namespace used in HashiCorp Vault to get the credentials.
Authentication path: path where the user/password auth method is mounted in HashiCorp Vault. This is only needed if the default authentication path is not used, as explained here.
Certificate of Certification Authority (CA) (optional): file that contains the X.509 certificate of the CA used to validate the TLS certificate presented by HashiCorp Vault.
User: the user name.
Password: the password of that user.
Proxy: settings for connecting to HashiCorp Vault through a proxy.
Click Ok to apply the changes.
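The following added example is not part of the Denodo documentation or of Virtual DataPort. It shows the HashiCorp Vault HTTP API request that each of the authentication modes above (Agent, App Role, LDAP, TLS Certificate, Token and User/password) comes down to, and how the Authentication path, Namespace and sink file settings change that request. The AuthConfig class, the login_request and parse_sink functions, the default mount names, the use of the X-Vault-Namespace header and all sample values are assumptions of the example; the API paths are the login endpoints HashiCorp documents for each auth method.

```python
"""Login request behind each Virtual DataPort authentication mode.

Added example, not Denodo or HashiCorp code. It builds the HashiCorp Vault
HTTP API call a mode needs and parses the reply; nothing is sent over the
network. AuthConfig, login_request, parse_sink, the default mount names and
every sample value are assumptions of this example.
"""
import json
import os
from dataclasses import dataclass, field
from typing import Optional

# Default mount path of each auth method; "Authentication path" overrides it.
DEFAULT_MOUNTS = {"approle": "approle", "ldap": "ldap", "cert": "cert", "userpass": "userpass"}


@dataclass
class AuthConfig:
    method: str                        # agent | approle | ldap | cert | token | userpass
    namespace: Optional[str] = None    # sent as the X-Vault-Namespace header
    auth_path: Optional[str] = None    # custom mount path, e.g. "approle-prod"
    params: dict = field(default_factory=dict)


def parse_sink(text):
    """Interpret the content of a Vault Agent file sink. With wrap_ttl set the
    agent writes the wrap_info JSON, whose "token" is a single-use wrapping
    token; otherwise the file holds the raw client token.
    Returns (token, is_wrapped)."""
    text = text.strip()
    try:
        info = json.loads(text)
    except ValueError:
        return text, False
    return info["token"], True


def login_request(cfg):
    """Return (http_method, path, headers, body) for the login call.
    A path of None means no login call is needed: either the headers already
    carry the token or the Vault Agent listener injects its Auto-Auth token."""
    headers = {}
    if cfg.namespace:
        headers["X-Vault-Namespace"] = cfg.namespace
    mount = cfg.auth_path or DEFAULT_MOUNTS.get(cfg.method)
    p = cfg.params

    if cfg.method == "approle":
        body = {"role_id": p["role_id"], "secret_id": p["secret_id"]}
        return "POST", f"auth/{mount}/login", headers, body
    if cfg.method in ("ldap", "userpass"):
        # The user name is part of the URL; only the password travels in the body.
        return "POST", f"auth/{mount}/login/{p['user']}", headers, {"password": p["password"]}
    if cfg.method == "cert":
        # The certificate is presented in the TLS handshake; the body only
        # names the certificate role when one is configured.
        body = {"name": p["cert_name"]} if p.get("cert_name") else {}
        return "POST", f"auth/{mount}/login", headers, body
    if cfg.method == "token":
        token = p.get("token") or os.environ[p["token_env"]]
        wrapped = p.get("wrapped", False)           # caller knows how the token was issued
    elif cfg.method == "agent":
        if not p.get("sink_file"):
            return None, None, headers, None        # agent listener adds the token itself
        with open(p["sink_file"]) as fh:
            token, wrapped = parse_sink(fh.read())
    else:
        raise ValueError(f"unknown authentication method {cfg.method!r}")

    headers["X-Vault-Token"] = token
    if wrapped:
        # A wrapping token is exchanged for the real client token first.
        return "POST", "sys/wrapping/unwrap", headers, {}
    return None, None, headers, None


def client_token(response):
    """Client token from a login or unwrap reply (the auth block of the JSON)."""
    return response["auth"]["client_token"]


if __name__ == "__main__":
    configs = [
        AuthConfig("approle", namespace="namespace1", params={"role_id": "r-id", "secret_id": "s-id"}),
        AuthConfig("ldap", auth_path="corp-ldap", params={"user": "alice", "password": "pw"}),
        AuthConfig("cert", params={"cert_name": "vdp"}),
        AuthConfig("token", params={"token": "hvs.example", "wrapped": True}),
        AuthConfig("agent"),
    ]
    for cfg in configs:
        print(cfg.method, login_request(cfg))
```

Running it prints the request for each mode. Three details are worth noticing: for LDAP and User/password the user name is part of the URL and only the password is in the body; a TLS certificate login carries no secret in its body, since the private key is only used in the TLS handshake; and a wrapped token (from a sink written with wrap_ttl, or entered directly) yields a usable client token only after the sys/wrapping/unwrap call, which is what makes it single-use.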
Naming Convention for HashiCorp Vault Secrets¶
Secrets
HashiCorp Vault lets some types of secrets be created with arbitrary field names for the stored values. For these secrets, Virtual DataPort expects the following field names:
User names: expected in a field named username.
Passwords: expected in a field named password.
AWS access keys: expected in a field named access_key.
AWS secret keys: expected in a field named secret_key.
For example, a secret with user/password credentials.
{
"username": "my-user",
"password": "my-password"
}
and a secret with AWS credentials.
{
"access_key": "my-access-key",
"secret_key": "my-secret-key"
}
Namespaces
HashiCorp Vault stores secrets on different paths depending on the secrets engine that holds them. Virtual DataPort needs this path to retrieve the secret value.
For example:
A KV secret named acmeuser has the path secret/data/acmeuser (the data/ segment is how version 2 of the KV engine exposes a secret's current values; a version 1 KV engine would use secret/acmeuser).
A Database secret named dbuser has the path database/creds/dbuser. Note that this is a dynamic secret: each read of a creds path makes HashiCorp Vault issue a new, leased credential that stops working when its lease ends.
When these secrets are configured in Virtual DataPort, those paths must be supplied.

Finally, secrets located in a HashiCorp Vault namespace must be prefixed with the namespace name.
For example, the previous secrets located in the namespace myns must be referenced as myns/secret/data/acmeuser and myns/database/creds/dbuser.
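The following added example is not part of the Denodo documentation or of Virtual DataPort. It puts the naming convention and the path rules above into code: it builds the namespace-prefixed path and extracts the credentials from the JSON that HashiCorp Vault returns for a KV version 2, database or AWS secret. The secret_path and extract_credentials functions and the sample replies are constructed for the example; the reply shapes follow the ones HashiCorp documents for those secrets engines.

```python
"""Secret path and credential extraction for the naming convention above.

Added example, not Denodo code. secret_path, secret_data, extract_credentials
and the sample replies below are assumptions of this example; the reply
shapes follow HashiCorp's documented KV v2, database and AWS engines.
"""


def secret_path(path, namespace=None):
    """Path Virtual DataPort must be given: the engine path, prefixed with
    the HashiCorp Vault namespace when the secret lives in one."""
    path = path.strip("/")
    return f"{namespace.strip('/')}/{path}" if namespace else path


def secret_data(response):
    """KV v2 (secret/data/<name>) wraps the stored fields in data.data next to
    a metadata block; database/creds and aws/creds return them directly in data."""
    data = response["data"]
    if isinstance(data.get("data"), dict) and "metadata" in data:
        return data["data"]
    return data


def extract_credentials(response):
    """Map a read reply onto the two field pairs Virtual DataPort understands.
    Raises KeyError when the secret does not follow the naming convention."""
    data = secret_data(response)
    if "username" in data and "password" in data:
        creds = {"kind": "user", "username": data["username"], "password": data["password"]}
    elif "access_key" in data and "secret_key" in data:
        creds = {"kind": "aws", "access_key": data["access_key"], "secret_key": data["secret_key"]}
    else:
        raise KeyError(f"no username/password or access_key/secret_key pair; fields present: {sorted(data)}")
    # Dynamic secrets carry a lease: the credential is revoked when it expires,
    # so a consumer must re-read (or renew) before lease_duration seconds pass.
    creds["lease_id"] = response.get("lease_id") or None
    creds["lease_duration"] = response.get("lease_duration", 0)
    return creds


# Constructed sample replies, shaped like the output of each secrets engine.
KV_USER = {"lease_id": "", "lease_duration": 0,
           "data": {"data": {"username": "my-user", "password": "my-password"},
                    "metadata": {"version": 1}}}
DB_CREDS = {"lease_id": "database/creds/dbuser/AbCd1234", "lease_duration": 3600, "renewable": True,
            "data": {"username": "v-approle-dbuser-x1y2", "password": "A1b2-c3d4-e5f6"}}
AWS_CREDS = {"lease_id": "aws/creds/s3-reader/EfGh5678", "lease_duration": 3600,
             "data": {"access_key": "AKIAEXAMPLE", "secret_key": "example-secret", "security_token": None}}
KV_BAD = {"data": {"data": {"user": "x", "pass": "y"}, "metadata": {"version": 2}}}

if __name__ == "__main__":
    print(secret_path("secret/data/acmeuser", "myns"))      # myns/secret/data/acmeuser
    print(secret_path("database/creds/dbuser", "myns"))     # myns/database/creds/dbuser
    for reply in (KV_USER, DB_CREDS, AWS_CREDS):
        print(extract_credentials(reply))
    try:
        extract_credentials(KV_BAD)
    except KeyError as err:
        print("rejected:", err)
```

The example goes slightly beyond the page in two respects. The AWS secrets engine's own creds replies already use access_key and secret_key, so they satisfy the convention without any renaming, and dynamic secrets (database/creds, aws/creds) expose a lease_id and lease_duration that a consumer has to watch, since the credential is revoked when the lease ends. A secret whose fields are named user and pass, as in KV_BAD, is rejected outright rather than silently yielding empty credentials.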