This section contains the options related to your Hashicorp Vault account.
[engine-kv-v1]
secrets_path=<path>
key_field=key
password_field=password
default_type=
secrets_path
| Type: |
string |
| Required: |
only in Automatic scenario |
| Default: |
N/A |
Description: The path of the endpoint under which the user names and passwords are stored as secrets. For example, secrets/users. The server username is then appended to the path on-the-fly. This compound path points to an object that has the password or key as one of its fields. You can specify the name of the field that stores the password and the key in the password_field and key_field options.
The user can override this field when using the Interactive scenario, see Interactive scenario.
If the path to the endpoint contains a literal slash (/) or hashmark (#) character, double this character. For example, if the path is secrets/my#endpoint, use secrets/my##endpoint to escape the special character.
key_field
| Type: |
string |
| Required: |
no |
| Default: |
key |
Description: The value field to retrieve the SSH private key secret from.
The user can override this field when using the Interactive scenario, see Interactive scenario.
password_field
| Type: |
string |
| Required: |
no |
| Default: |
password |
Description: The value field to retrieve the password secret from. This parameter is not related to the password parameter.
The user can override this field when using the Interactive scenario, see Interactive scenario.
default_type
| Type: |
key | password | empty string |
| Required: |
no |
| Default: |
empty string |
Description: Determines the type of credential (key or password) that the plugin retrieves from the Hashicorp Vault. If not specified, the plugin attempts to retrieve both a key and a password.
If the default_type is set, but the user wants to authenticate with another credential type (password instead of key, or key instead of password), the user can specify the credential type in the prompt when using the Interactive scenario by beginning the secret path with password:// or key:// (you can use the p:// or k:// abbreviations as well).
This section contains the options related to TLS settings.
Declaration
[tls]
enabled = yes
ca_cert = $[<trusted-ca-list-name>]
client_cert = <client-certificate-and-key>
enabled
| Type: |
boolean (yes|no) |
| Required: |
no |
| Default: |
yes |
Description: To disable TLS completely, enter no as the value of this parameter.
ca_cert
| Type: |
string |
| Required: |
no |
| Default: |
N/A |
Description: Configure this parameter to enable client-side verification. The certificate shown by the server will be checked with this CA.
If the value of this parameter is $[<trusted-ca-list-name>], the certificates are retrieved from the trusted CA list configured on SPS, identified by the name.
When the certificate is inserted into the configuration file (<ca-certificate-chain>, it must be in PEM format and all the new lines must be indented with one whitespace. If it is a chain, insert the certificates right after each other.
client_cert
| Type: |
string |
| Required: |
no |
| Default: |
N/A |
Description: Configure this parameter to enable server-side verification.
If the value of this parameter is $, the certificate identified by the section and option pair is retrieved from the configured Credential Store.
When the certificate is inserted into the configuration file, it must be in PEM format and all the new lines must be indented with one whitespace. Note that encrypted keys are not supported.
This section contains settings related to storing sensitive information of the plugin.
Declaration
[credential_store]
name=<name-of-credential-store-policy-that-hosts-sensitive-data>
name
| Type: |
string |
| Required: |
no |
| Default: |
N/A |
Description: The name of a local Credential Store policy configured on SPS. You can use this Credential Store to store sensitive information of the plugin in a secure way (for example, the secrets_path value in the [hashicorp] section).
For details, see Store sensitive plugin data securely.
This section contains logging-related settings.
Declaration
[logging]
log_level=info
log_level
| Type: |
integer or string |
| Required: |
no |
| Default: |
info |
Description: The logging verbosity of the plugin. The plugin sends the generated log messages to the SPS syslog system. You can check the log messages in the Basic settings > Troubleshooting > View log files section of the SPS web interface. To show only the messages generated by the plugins, filter on the plugin: string.
The possible values are:
-
debug
-
info
-
warning
-
error
-
critical
For details, see Python logging API's log levels: Logging Levels.
