DRP's Integration with HashiCorp Vault

DRP integrates with HashiCorp's Vault to offer a diversified secret management solution. With the Vault plugin, users have the option to retrieve secrets from Vault, expanding the range of DRP's robust and secure secret management capabilities.

Plugin Configuration

Configure the Vault plugin with the following:

• vault/token: Your token to connect to Vault.
• vault/address: The Vault's server address.

Optionally, set a cache timeout to store secrets from Vault temporarily in memory, reducing excessive requests to the Vault server. This duration is in seconds, defaulting to 300 seconds.

• vault/cache-timeout: Duration (in seconds) to cache secrets in-memory.

Operational Configuration

In addition to the plugin configuration, define a lookupUri for the secret's location:

• decrypt/lookup-uri:
  • Denotes the secret's storage location.
  • Format: <plugin-name>://<key-to-lookup>?path=<path-to-secret>
  • Example: vault://foo?path=location_of_foo
  • For KV Version 1: Use the complete path, e.g., for kv/my-secret, the path is kv/my-secret.
  • For KV Version 2: Exclude /secret. For a secret at /secret/foo/creds, use /foo/creds.

Note

The path-to-secret format varies based on the Vault KV secrets engine version.

Usage

After completing both configurations, use the plugin:

# Set a machine's IPMI password to a Vault secret:
drpcli machines set Name:foo param ipmi/password to '{ "LookupUri": "vault://key?path=path&format=json" }'

# Retrieve the machine's IPMI password:
drpcli machines get Name:foo param ipmi/password --decrypt