HashiCorp: Set up a Vault

This page is no longer maintained (Apr 12, 2023). For the most current information, go to https://docs.snaplogic.com/cicd/secrets-mgmt/secrets-mgmt-hashicorp-set-up-vault-using-approle.html .

Overview

As you set up the HashiCorp Vault, collect the following information, which is required in the Snaplex node configuration file:

  • Cluster URL

  • RoleID

  • SecretID

  • Vault Namespace

Steps

  1. Create a Vault Cluster. You need one private Cluster per Vault. From this step, you will get the Cluster URL, which must be a private URL that establishes peer communication with your Groundplex nodes.

  2. Enable and configure AppRole authentication. Snaplex nodes use AppRole authentication by default.

    You must create a role for each Vault and then associate the role with one or more policies.

    From this step, you will retrieve the RoleID and generate the SecretID for each role you create.

  3. Create Vault policies. To use an HCP Vault policy for Snaplex access, it must grant the following:

    • Permissions to look up, renew, and revoke the AppRole token.

    • Read access to the Key/Value Secrets Engine.

    Example 1: Snippet of an HCP Vault policy to grant the required permissions to look up, renew, and revoke the AppRole token.

      # Allow tokens to look up their own properties
      path "auth/token/lookup-self" {
        capabilities = ["read"]
      }

      # Allow tokens to renew themselves
      path "auth/token/renew-self" {
        capabilities = ["update"]
      }

      # Allow tokens to revoke themselves
      path "auth/token/revoke-self" {
        capabilities = ["update"]
      }

      # Allow a token to look up its own capabilities on a path
      path "sys/capabilities-self" {
        capabilities = ["update"]
      }

    Example 2: Snippet of an HCP Vault policy to grant read access to the Key/Value Secrets Engine.

      # Allow a token to manage its cubbyhole
      path "cubbyhole/*" {
        capabilities = ["create", "read", "update", "delete", "list"]
      }

      # Allow a token to read from the kv secrets engine
      path "kv/*" {
        capabilities = ["read"]
      }

  4. Create a Key/Value Secrets Engine.

  5. In the new Vault, create the secrets containing your endpoint credentials. SnapLogic accounts reference each secret by its path and secret name.

  6. Determine or create the namespaces you need. The Vault namespace depends on the HashiCorp product:

    • In HashiCorp Cloud Platform (HCP):

      • Default: admin

      • Otherwise, the name of the namespace that you created.

    • In HashiCorp Enterprise: the name of the namespace that you created.

    • In HashiCorp Open Source: root
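The two checks a practitioner wants before handing the collected values to a Snaplex node are (a) that the policy from step 3 really grants every required path and capability, and (b) that the Cluster URL, RoleID, SecretID and namespace together allow an AppRole login followed by a read from the Key/Value engine created in steps 4 and 5. The script below is an added example for this page, not SnapLogic or HashiCorp code. It uses only the Python standard library and Vault's documented HTTP API (`/v1/auth/approle/login`, `/v1/kv/data/<path>` for KV v2, the `X-Vault-Token` and `X-Vault-Namespace` headers). The `transport` parameter, the `fake_vault` stand-in, the `https://vault.example:8200` URL, the `snaplogic/db` secret and all credential values are assumptions constructed for the example; the KV engine is assumed to be mounted at `kv/` as in the page's policy.

```python
"""Added example (not SnapLogic or HashiCorp code): verify a Snaplex Vault policy,
then perform the AppRole login + KV read a Snaplex node does with the collected values.
Assumes the KV engine is mounted at kv/; `transport` exists only for offline testing."""
import json
import re
import urllib.request

# Grants the page requires in step 3, keyed by policy path.
REQUIRED_GRANTS = {
    "auth/token/lookup-self": {"read"},
    "auth/token/renew-self": {"update"},
    "auth/token/revoke-self": {"update"},
    "sys/capabilities-self": {"update"},
    "kv/*": {"read"},
}

# The page's Example 1 + Example 2 policies, embedded here as sample input.
PAGE_POLICY = """
path "auth/token/lookup-self" { capabilities = ["read"] }
path "auth/token/renew-self"  { capabilities = ["update"] }
path "auth/token/revoke-self" { capabilities = ["update"] }
path "sys/capabilities-self"  { capabilities = ["update"] }
path "cubbyhole/*" { capabilities = ["create", "read", "update", "delete", "list"] }
path "kv/*" { capabilities = ["read"] }
"""

# Matches the `path "..." { capabilities = [...] }` stanzas used on this page (comments are skipped).
_STANZA = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')

def parse_policy(hcl):
    """Return {path: set(capabilities)} for the policy subset this page uses."""
    rules = {}
    for path, caps in _STANZA.findall(hcl):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules

def missing_grants(hcl):
    """Required paths whose capabilities the policy lacks, by exact path match.
    A broader or narrower glob (e.g. kv/data/*) is reported as missing; review those by hand."""
    rules = parse_policy(hcl)
    return {p: caps - rules.get(p, set())
            for p, caps in REQUIRED_GRANTS.items() if caps - rules.get(p, set())}

def _http(url, method, headers, body):
    """Real transport: JSON over HTTPS to the Cluster URL; returns (status, parsed body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read() or b"{}")

def _headers(namespace, token=None):
    # Open Source Vault has no namespaces (the page lists "root" for it), so the
    # X-Vault-Namespace header is sent only for an HCP/Enterprise namespace such as admin.
    h = {"Content-Type": "application/json"}
    if namespace and namespace != "root":
        h["X-Vault-Namespace"] = namespace
    if token:
        h["X-Vault-Token"] = token
    return h

def approle_login(cluster_url, role_id, secret_id, namespace, transport=_http):
    """POST RoleID + SecretID to auth/approle/login and return the client token."""
    status, body = transport(f"{cluster_url}/v1/auth/approle/login", "POST",
                             _headers(namespace), {"role_id": role_id, "secret_id": secret_id})
    if status != 200:
        raise RuntimeError(f"AppRole login failed: HTTP {status} {body.get('errors')}")
    return body["auth"]["client_token"]

def read_kv_secret(cluster_url, token, namespace, secret_path, kv_version=2, transport=_http):
    """Read one secret; KV v2 inserts 'data/' after the mount and nests values under data.data."""
    api_path = f"kv/data/{secret_path}" if kv_version == 2 else f"kv/{secret_path}"
    status, body = transport(f"{cluster_url}/v1/{api_path}", "GET", _headers(namespace, token), None)
    if status != 200:
        raise RuntimeError(f"Reading {secret_path} failed: HTTP {status} {body.get('errors')}")
    return body["data"]["data"] if kv_version == 2 else body["data"]

# Constructed fake Vault standing in for the private cluster; every value below is made up.
FAKE_ROLE_ID, FAKE_SECRET_ID, FAKE_TOKEN = "role-id-example", "secret-id-example", "hvs.example"

def fake_vault(url, method, headers, body):
    if url.endswith("/v1/auth/approle/login") and method == "POST":
        if body == {"role_id": FAKE_ROLE_ID, "secret_id": FAKE_SECRET_ID}:
            return 200, {"auth": {"client_token": FAKE_TOKEN}}
        return 400, {"errors": ["invalid role or secret ID"]}
    if url.endswith("/v1/kv/data/snaplogic/db") and headers.get("X-Vault-Token") == FAKE_TOKEN:
        return 200, {"data": {"data": {"username": "app", "password": "example-pw"}}}
    return 403, {"errors": ["permission denied"]}

if __name__ == "__main__":
    url = "https://vault.example:8200"  # assumed Cluster URL; swap transport=_http for a real one
    print("missing grants:", missing_grants(PAGE_POLICY) or "none")
    tok = approle_login(url, FAKE_ROLE_ID, FAKE_SECRET_ID, "admin", transport=fake_vault)
    print(read_kv_secret(url, tok, "admin", "snaplogic/db", transport=fake_vault))
```

Against a real cluster, drop the `transport=fake_vault` arguments and pass the values collected in the Overview; a failed login points at the RoleID/SecretID or namespace, while a successful login followed by a 403 on the read points at the policy attached to the role or at the secret path used by the SnapLogic account.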