The Secrets Broker Vault is fully compatible with the HashiCorp vault CLI and can be further configured and accessed using this CLI. By default, the embedded vault is configured with the K/V secrets engine and a policy that allows the Secrets Broker service to push account credentials into a One Identity secrets store. For additional information about how to install and use the HashiCorp vault CLI, see Vault Commands (CLI).
Connecting to the embedded vault

1. Set the following environment variable:
   VAULT_ADDR=https://<SecretsBroker Address>

2. Select only one of the following variables:
   - VAULT_CACERT=<PEM encoded certificate file>
     If selected, this variable specifies the SSL certificate using the method outlined in Vault Commands (CLI).
   - VAULT_CAPATH=<Directory containing PEM encoded certificates>
     If selected, this variable specifies the SSL certificate using the method outlined in Vault Commands (CLI).
   - VAULT_SKIP_VERIFY=true
     If selected, this variable bypasses SSL certificate validation entirely.

3. Log in to the embedded Secrets Broker Vault. For more information, see Login.
   The CLI will prompt for the root token. To connect to the embedded vault using the HashiCorp vault CLI, the root token needs to be fetched from SPP. This token was stored in SPP during the deployment of the Secrets Broker Vault Add-on. For more information, see Getting the vault root token from the connected One Identity Safeguard for Privileged Passwords appliance.
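The connection and login steps above, as an added POSIX shell example that is not part of the One Identity documentation or of the vault CLI itself: it sets VAULT_ADDR, refuses to leave more than one of the three TLS options active, and reads the root token from stdin. The address, certificate paths and the ROOT_TOKEN variable are placeholders.

```shell
# Added example, not One Identity's or HashiCorp's own code: prepare the
# environment for the vault CLI to reach the embedded Secrets Broker Vault,
# enforcing that exactly one of the three TLS options is active.
# Placeholders: the address and certificate paths are assumptions.

# sb_vault_env <SecretsBroker Address> cacert|capath|skip [path]
sb_vault_env() {
    addr="$1"; mode="$2"; path="$3"
    # Drop any previously chosen option so the three never overlap.
    unset VAULT_CACERT VAULT_CAPATH VAULT_SKIP_VERIFY
    VAULT_ADDR="https://${addr}"; export VAULT_ADDR
    case "$mode" in
        cacert)
            [ -f "$path" ] || { echo "CA file not found: $path" >&2; return 1; }
            VAULT_CACERT="$path"; export VAULT_CACERT ;;
        capath)
            [ -d "$path" ] || { echo "CA directory not found: $path" >&2; return 1; }
            VAULT_CAPATH="$path"; export VAULT_CAPATH ;;
        skip)
            # Disables certificate validation entirely; the CLI then accepts
            # any certificate presented by whatever answers at VAULT_ADDR.
            VAULT_SKIP_VERIFY=true; export VAULT_SKIP_VERIFY ;;
        *)
            echo "unknown TLS mode: $mode" >&2; return 1 ;;
    esac
}

# Number of the mutually exclusive TLS variables currently set; must be 1.
sb_vault_tls_count() {
    n=0
    [ -n "${VAULT_CACERT:-}" ] && n=$((n + 1))
    [ -n "${VAULT_CAPATH:-}" ] && n=$((n + 1))
    [ -n "${VAULT_SKIP_VERIFY:-}" ] && n=$((n + 1))
    echo "$n"
}

# Log in with the root token fetched from SPP, supplied on stdin rather than
# as an argument so it stays out of shell history and process listings.
sb_vault_login() {
    [ "$(sb_vault_tls_count)" -eq 1 ] || { echo "set exactly one TLS option" >&2; return 1; }
    command -v vault >/dev/null 2>&1 || { echo "vault CLI not found" >&2; return 1; }
    vault login -no-print -
}
# Typical use:  sb_vault_env <SecretsBroker Address> cacert /etc/ssl/sb-ca.pem
#               printf '%s' "$ROOT_TOKEN" | sb_vault_login
```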