Vault¶
DRP's Integration with HashiCorp Vault¶
DRP integrates with HashiCorp's Vault to offer a diversified secret management solution. With the Vault plugin, users have the option to retrieve secrets from Vault, expanding the range of DRP's robust and secure secret management capabilities.
Plugin Configuration¶
Configure the Vault plugin with the following:
vault/token
: Your token to connect to Vault.vault/address
: The Vault's server address.
Optionally, set a cache timeout to store secrets from Vault temporarily in memory, reducing excessive requests to the Vault server. This duration is in seconds, defaulting to 300 seconds.
vault/cache-timeout
: Duration (in seconds) to cache secrets in-memory.
Operational Configuration¶
In addition to the plugin configuration, define a lookupUri
for the secret's location:
decrypt/lookup-uri
:- Denotes the secret's storage location.
- Format:
<plugin-name>://<key-to-lookup>?path=<path-to-secret>
- Example:
vault://foo?path=location_of_foo
- For KV Version 1: Use the complete path, e.g., for
kv/my-secret
, the path iskv/my-secret
. - For KV Version 2: Exclude
/secret
. For a secret at/secret/foo/creds
, use/foo/creds
.
Note
The path-to-secret format varies based on the Vault KV secrets engine version.
Usage¶
After completing both configurations, use the plugin: