22.49. vault - Vault

The following documentation is for Vault (vault) content package at version v4.9.4.

The vault plugin allows you to get secrets from Vault. This is an alternative to the local secrets storage that comes with the server.

22.49.1. Plugin Configuration

The following is needed to set up this Vault plugin:

  • vault/token - A token used to connect to Vault

  • vault/address - The address where Vault is running

In addition to this you can also configure a local cache timeout. We store the secrets from Vault temporarily in memory, which keeps the Vault server from being overloaded with too many requests. This value is provided in seconds and by default we set it to 300 seconds.

  • vault/cache-timeout - An optional value for how long secrets are cached in-memory

22.49.2. Operational Configuration

In addition to the plugin configuration above, you will also need a lookupUri that denotes where the secret is stored.

  • decrypt/lookup-uri - A URI that represents the location of the secret. This is made up of three parts (plugin name, key to look up, and the path to the secret):

    • <plugin-name>://<key-to-lookup>?path=<path-to-secret>

    • vault://foo?path=location_of_foo

    NOTE: The path-to-secret changes based on the Vault KV secrets engine version.

    • For version 1 it needs to be the complete path. So if your secret is stored at kv/my-secret then your path will be kv/my-secret.

    • For version 2 it should be the path _without_ the /secret, so if your secret is located at /secret/foo/creds then the path has to be /foo/creds.
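The following is an added example, not code from the Digital Rebar vault plugin itself. It shows what the two configuration sections above amount to in code: parsing a decrypt/lookup-uri value into its three parts, turning the path into a request path for KV v1 versus KV v2, and holding results in memory for vault/cache-timeout seconds so repeated lookups do not each hit Vault. The names parse_lookup_uri, vault_request_path and SecretCache are this example's own; the assumption that a KV v2 read goes to secret/data/<path> is not stated on the page and is marked in the code.

```python
"""Added example (not part of the vault content package): lookup-URI parsing,
KV v1/v2 path mapping, and a TTL cache modelled on vault/cache-timeout."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class LookupUri:
    plugin: str          # <plugin-name>, e.g. "vault"
    key: str             # <key-to-lookup>
    path: str            # path=<path-to-secret>
    fmt: Optional[str]   # optional format=json seen in the usage section


def parse_lookup_uri(uri: str) -> LookupUri:
    """Split <plugin-name>://<key-to-lookup>?path=<path-to-secret>[&format=...]."""
    u = urlparse(uri)
    if not u.scheme or not u.netloc:
        raise ValueError(f"lookup URI must look like <plugin>://<key>?path=...: {uri!r}")
    q = parse_qs(u.query)
    paths = q.get("path", [])
    if len(paths) != 1 or not paths[0]:
        raise ValueError("lookup URI needs exactly one non-empty path= parameter")
    fmt = q.get("format", [None])[0]
    return LookupUri(u.scheme, u.netloc, paths[0], fmt)


def vault_request_path(lookup: LookupUri, kv_version: int) -> str:
    """Map the path from the lookup URI onto the path requested from Vault.

    KV v1: the complete path is used as given (kv/my-secret -> kv/my-secret).
    KV v2: the page says the path is written without the /secret mount
    (/secret/foo/creds is configured as /foo/creds). ASSUMPTION, not stated
    on the page: the v2 read is issued against secret/data/<path>.
    """
    if kv_version == 1:
        return lookup.path.lstrip("/")
    if kv_version == 2:
        return "secret/data/" + lookup.path.lstrip("/")
    raise ValueError("vault/kv-version must be 1 or 2")


class SecretCache:
    """In-memory cache with a timeout in seconds, like vault/cache-timeout.

    `fetch` is whatever actually talks to Vault; `clock` is injectable so the
    expiry behaviour can be exercised without waiting 300 real seconds.
    """

    def __init__(self, fetch: Callable[[str], str], cache_timeout: int = 300,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch
        self._ttl = cache_timeout
        self._clock = clock
        self._store: Dict[str, Tuple[float, str]] = {}  # path -> (expires_at, value)
        self.fetches = 0  # how many times Vault was really asked

    def get(self, request_path: str) -> str:
        now = self._clock()
        hit = self._store.get(request_path)
        if hit is not None and hit[0] > now:
            return hit[1]                      # still fresh: no request to Vault
        value = self._fetch(request_path)      # expired or unknown: ask Vault
        self.fetches += 1
        self._store[request_path] = (now + self._ttl, value)
        return value


if __name__ == "__main__":
    # Constructed stand-in for Vault: returns a canned value per request path.
    fake_vault = lambda p: f"<secret at {p}>"
    cache = SecretCache(fake_vault, cache_timeout=300)
    lk = parse_lookup_uri("vault://key?path=/foo/creds&format=json")
    print(lk, vault_request_path(lk, 2))
    print(cache.get(vault_request_path(lk, 2)), cache.fetches)
    print(cache.get(vault_request_path(lk, 2)), cache.fetches)  # second call is a cache hit
```

The injectable clock is the point worth copying: a cache whose timeout can only be tested by sleeping tends not to be tested at all, and an untested expiry is how stale credentials keep being served after a rotation.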

22.49.3. Usage

Once the plugin configuration and operational configuration are complete, you can use the plugin as follows:

# set a machine ipmi password to a vault secret

  drpcli machines set Name:foo param ipmi/password to '{ "LookupUri": "vault://key?path=path&format=json" }'

# get machine ipmi password

  drpcli machines get Name:foo param ipmi/password --decrypt

22.49.4. Object Specific Documentation params

The content package provides the following params.

  • vault/address - The address (full URL) to where your Vault server is running.

  • vault/cache-timeout - An optional parameter that determines for how long secrets are cached locally. This is mainly set up so we don’t overwhelm the Vault server being used. The value needs to be entered in seconds. By default it is set to 300.

  • vault/kv-version - The version of the Vault KV secrets engine while running in versioned mode. If none is provided it will default to v2.

  • vault/token - An authentication token used to connect to Vault.