This tutorial describes how you can connect One Identity Safeguard for Privileged Sessions (SPS) and your Hashicorp Vault with a Credential Store Plugin.
SPS can interact with Hashicorp Vault and can automatically retrieve the password or SSH key of the target host to form a comprehensive Privileged Access Management solution to protect critical assets and meet compliance requirements.
To successfully connect SPS with Hashicorp Vault, you need the following components:
-
A valid, working Hashicorp Vault server or cluster of servers with the following configuration:
- In case of explicit authentication:
A proxy user must be created on the Hashicorp Vault that has access to the secrets holding passwords and keys. The plugin will be using this "proxy user" to access Hashicorp Vault.
- In case of gateway-based authentication:
SPS reuses the username/password from the gateway authentication to authenticate on the Hashicorp Vault. This requires password-based gateway authentication on SPS and that the same user is available on the Hashicorp Vault with the same password, and has access to the secrets holding passwords and keys. The best way is to use an LDAP/AD-based authentication backend.
-
A SPS appliance (virtual or physical), at least version 6.2.0.
-
A Credential Store plugin for Hashicorp Vault.
SPS uses plugins to interact with third-party credential stores and password vaults. One Identity provides the sample Hashicorp Vault plugin free of charge, and provides help to customize it for your environment.
How SPS and Hashicorp Vault work together
Authentication:
The plugin can use either explicit or gateway-based credentials.
- In case of explicit authentication:
A proxy user must be created on the Hashicorp Vault that has access to the secrets holding passwords and keys. The plugin will be using this "proxy user" to access Hashicorp Vault.
- In case of gateway-based authentication:
SPS reuses the username/password from the gateway authentication to authenticate on the Hashicorp Vault. This requires password-based gateway authentication on SPS and that the same user is available on the Hashicorp Vault with the same password, and has access to the secrets holding passwords and keys. The best way is to use an LDAP/AD-based authentication backend.
Secret lookup:
Interactive scenario: If the secrets in Hashicorp are stored in an unstructured way, SPS will have to retrieve the path to the secret from the end-user.
Alternatively, you can pass the vault path to the plugin by including vp= in the username. For example: vp=secret/linux/webserver/root@gu=exampleusername@root
The proxy will tokenize the above username by the @ delimiter, and parse out the following information:
Automatic scenario: If the secrets are organized around server user names in Hashicorp Vault, then the path to the secret is generated from configuration and the server user name.
Hashicorp Vault scenarios
The following scenarios are the most common methods to use SPS and Hashicorp Vault together.