Integrating with HashiCorp Vault

Owned by Ashhad Alam
Last updated: Apr 25, 2023
3 min read

To use HashiCorp Vault for fetching the credentials associated with an activity at runtime, you need to set the HashiCorp Vault related parameters in the global values.yaml file before you deploy the application.

The following table contains the list of parameters and their description.

Parameter

Description

Parameter

Description

configManagement:

 

CONFIG_MANAGEMENT_ENABLED:

Variable to enable or disable the Config Management feature. The possible values are true and false.

  • true – enables the Config Management feature

  • false – disables the Config Management feature

PROFILE:

The Profile in Hashicorp Vault that you want to use for fetching the secrets.
A Profile in Vault is used for grouping the secrets based on the type of environment, for example Dev, QA, or Prod.
This ensures that the secrets associated with the specified Profile, and thus with the specific environment, are fetched.

CONFIG_MANAGEMENT_SEGREGATION_CRITERIA:

The variable to define the basis for the segregation of your secrets.

The value for this variable is either project (in case of project based segregation) or it can be left blank.

backend:

 

hashicorp:

HASHICORP_VAULT_ENABLED:

Set this variable to true to fetch the secrets from HashiCorp Vault.

HASHICORP_VAULT_KV_VERSION:

The variable to define the version of the kv secret engine. The possible values are v1 and v2.

HASHICORP_VAULT_SECRET_PATH_PATTERN:

Pattern of the path for the secrets stored in the Vault.

The default value for this variable is:

$PROJECT_VAULT_MAPPING$/$PROFILE$/$PROJECT_NAME$

Where,

  • $PROJECT_VAULT_MAPPING$ must be included in the pattern if you have used project mapping.

  • $PROFILE$ must be included in the pattern if you have used profiles in Vault for grouping the secrets based on the type of environment.

  • $PROJECT_NAME$ must be included in the pattern if you have used project folders in the Vault.

Important

The sequence of $PROJECT_VAULT_MAPPING$, $PROFILE$, and $PROJECT_NAME$ components must be based on the folder structure that you have in the Vault.

HASHICORP_VAULT_URL:

Access URL (endpoint) of the HashiCorp Vault.

HASHICORP_VAULT_SECRET_BASE_PATH:

Enter the complete path to the base folder that contains secrets.

Important

If you are using kv secret engine version v2, add the keyword 'data' after root secret folder. For example, if the secrets are stored at path: secret/AC_001/adeptia, enter secret/data/AC_001/adeptia as the value for this variable. In case of using v1, provide secret/AC_001/adeptia as the value for this variable.

HASHICORP_VAULT_AUTHENTICATION:

Enter the type of authentication to be used by AC application to authenticate to the Vault.

The possible values are KUBERNETES and TOKEN.

HASHICORP_VAULT_TOKEN:

Enter the Vault token.

This is applicable only when you use token-based authentication to authenticate to the Vault.

HASHICORP_VAULT_KUBERNETES_ROLE:

Enter the name of the role associated with the Kubernetes authentication method you have defined in the Vault.

HASHICORP_VAULT_KUBERNETES_SERVICE

_ACC_TOKEN_PATH:

Enter the path where the Service Account token is stored within the pod.

The default value for this variable is /var/run/secrets/kubernetes.io/serviceaccount/token.

HASHICORP_VAULT_KUBERNETES_PATH:

Enter the name of Kubernetes authentication method defined in the Vault.

Related topics