If the data in Hashicorp is stored in an unstructured way, SPS will have to retrieve the path to the secret from the end-user. This is done in the following way:
-
Configure an Authentication and Authorization (AA) plugin (for example, Okta). For details on configuring the plugin, see the respective plugin documentation.
-
Make sure to configure the question_1 parameter in that AA plugin the following way:
[question_1]
prompt=Enter the path to the secret that you want to retrieve from Hashicorp.
key=vp
disable_echo=no
You can change the prompt message in the prompt parameter, but make sure that you enter vp as the value of key.
-
As a result, the Hashicorp Vault plugin can now retrieve the compound path (described in secrets_path) from the previously configured AA plugin. Therefore, in the Interactive scenario, you do not have to configure the secrets_path parameter.
-
Configure the key_field and the password_field options of the Hashicorp Vault plugin. The plugin will retrieve the password or the key from these fields of the compound path that the user provides.
-
Configure the default_type option of the Hashicorp Vault plugin to set which type of credential the plugin should retrieve by default.
-
Note that when users enter the path to the secret, they can customize the path the following way to override the configuration of the plugin:
-
If the default_type is set, but the user wants to authenticate with another credential type (password instead of key, or key instead of password), the user can specify the credential type to use in the prompt.
For password authentication, use the password:// or p:// prefix, for example:
password://my/secrets
For public key authentication, use the key:// or k:// prefix, for example:
password://my/secrets
-
By default, the plugin retrieves the password or the key from the field set in the password_field or the key_field options. To retrieve the secret from a different field, append the name of the new field to the compound path after a hashtag (#) character, for example:
my/secrets#mysecretfield
-
The previous methods can be combined. The following example overrides both the credential type and the field name.
key://my/secrets#mysecretfield
-
If the path to the endpoint contains a literal slash (/) or hashmark (#) character, double this character. For example, if the path is secrets/my#endpoint, use secrets/my##endpoint to escape the special character.
In Hashicorp Vault, there is an endpoint under which the user names and passwords are stored as secrets. For example, secrets/users. The server username is then appended by the plugin to the path on-the-fly. This compound path points to an object that has the password or key as one of its fields.
For this scenario, you must configure the following parameters in the [engine-kv-v1] section:
SPS Hashicorp Vault plugin parameter reference
This section describes the available options of the SPS Hashicorp Vault plugin.
The plugin uses an ini-style configuration file with sections and name=value pairs. This format consists of sections, led by a [section] header and followed by name=value entries. Note that the leading whitespace is removed from values. The values can contain format strings, which refer to other values in the same section. For example, the following section would resolve the %(dir)s value to the value of the dir entry (/var in this case).
[section name]
dirname=%(dir)s/mydirectory
dir=/var
All reference expansions are done on demand. Lines beginning with # or ; are ignored and may be used to provide comments.
You can edit the configuration file from the SPS web interface. The following code snippet is a sample configuration file.
[hashicorp]
address=<address>
port=8200
authentication_method=<authentication_method>
use_credential=explicit
username=<username>
password=<password>
[engine-kv-v1]
secrets_path=<path>
key_field=key
password_field=password
delimiter=
[tls]
ca_cert = $[<trusted-ca-list-name>]
[credential_store]
name=<name-of-credential-store-policy-that-hosts-sensitive-data>
[logging]
log_level=info
[https_proxy]
server=<proxy-server-name-or-ip>
port=3128
This section contains the options related to your Hashicorp Vault account.
[hashicorp]
address=<address>
port=8200
authentication_method=<authentication_method>
use_credential=gateway
username=<username>
password=<password>
address
| Type: |
string |
| Required: |
no |
| Default: |
N/A |
Description: The address or hostname of the Hashicorp Vault. Separate more than one addresses with a comma (,).
port
| Type: |
integer |
| Required: |
no |
| Default: |
8200 |
Description: The port number of the Hashicorp Vault.
authentication_method
| Type: |
string |
| Required: |
no |
| Default: |
N/A |
Description: The authentication method to use to connect to the Hashicorp Vault. The value can be one of the following: ldap or userpass.
use_credential
| Type: |
string |
| Required: |
no |
| Default: |
gateway |
Description: The credential type to use. The value can be one of the following: explicit or gateway.
If you use the explicit credential type, you must also configure the username and password parameters.
username
| Type: |
string |
| Required: |
If you have configured the use_credential parameter as explicit |
| Default: |
N/A |
Description: The username used to authenticate to the Hashicorp Vault.
password
| Type: |
string |
| Required: |
If you have configured the use_credential parameter as explicit |
| Default: |
N/A |
Description: The password used to authenticate to the Hashicorp Vault.
|
|
Caution:
This parameter contains sensitive data. Make sure to store this data in your local Credential Store. Type the $ value for this parameter in production.
For details, see Store sensitive plugin data securely.
Only enter a value different than $ for this parameter in the configuration for testing purposes in a secure, non-production environment. |
