Using an external vault for secrets

The activities that you create and use in Adeptia Connect may contain sensitive information such as user IDs and passwords. Instead of storing these values in the activity itself, you can keep them as secrets in an external vault. Adeptia Connect can fetch secrets from HashiCorp Vault and use them at runtime for the activities and fields listed below (grouped by activity type and activity name).

Activity type: Account

  Azure Service Bus
    • Client Secret

  Database Info
    • User
    • Password

  JMS Provider
    • Username
    • Password

  OAuth Profile
    • Client Secret (for the Authorization Code, Client Credentials, and Resource Owner Credentials grant types)
    • User Name and Password (for the Resource Owner Credentials grant type)
    Only OAuth 2.0 profiles are supported for fetching secrets from HashiCorp Vault.

  Azure Blob
    • Shared Key
    • Shared Access Signatures

Activity type: Source

  FTP
    • User ID
    • Password

  JMS
    • UserName
    • Password

Activity type: Event

  FTP
    • User ID
    • Password

  JMS
    • UserName
    • Password

Activity type: Target

  FTP
    • User ID
    • Password

  JMS
    • UserName
    • Password

Adeptia Connect supports role-based Kubernetes authentication to HashiCorp Vault, in which the pod presents its Kubernetes service account token to the Vault and the Vault maps it to a role you have defined. Token authentication is also available (see HASHICORP_VAULT_AUTHENTICATION below). Once the application has authenticated to the Vault, it can fetch secrets from it.

To use secrets stored in a Vault for an activity, complete the following in the order given:

Prerequisites

Before you start using this feature, set the HashiCorp Vault related parameters in the global values.yaml file. The parameters are listed below under the section of values.yaml in which they appear, with a description of each.

configManagement:

  CONFIG_MANAGEMENT_ENABLED
    Enables or disables the Config Management feature. The possible values are:
      • true – enables the Config Management feature
      • false – disables the Config Management feature

  PROFILE
    The Profile in HashiCorp Vault from which secrets are fetched. A Profile groups secrets by type of environment, for example Dev, QA, or Prod, so that only the secrets belonging to the specified Profile, and thus to that environment, are fetched.

  CONFIG_MANAGEMENT_SEGREGATION_CRITERIA
    The basis on which your secrets are segregated. Set it to project for project-based segregation, or leave it blank.

backend:
  hashicorp:

    HASHICORP_VAULT_ENABLED
      Set to true to fetch secrets from HashiCorp Vault.

    HASHICORP_VAULT_KV_VERSION
      Version of the kv secrets engine in which the secrets are stored. The possible values are v1 and v2.

    HASHICORP_VAULT_SECRET_PATH_PATTERN
      Pattern of the path at which the secrets are stored in the Vault. The default value is:

        $PROJECT_VAULT_MAPPING$/$PROFILE$/$PROJECT_NAME$

      Where,
        • $PROJECT_VAULT_MAPPING$ must be included in the pattern if you use project mapping (see Creating project mapping below).
        • $PROFILE$ must be included in the pattern if you use Profiles in the Vault to group secrets by type of environment.
        • $PROJECT_NAME$ must be included in the pattern if the folder structure in the Vault uses the Adeptia Connect project name.

      Important
      The order of $PROJECT_VAULT_MAPPING$, $PROFILE$, and $PROJECT_NAME$ in the pattern must match the folder structure you have in the Vault.

    HASHICORP_VAULT_URL
      Access URL (endpoint) of the HashiCorp Vault.

    HASHICORP_VAULT_SECRET_BASE_PATH
      The complete path to the base folder that contains the secrets.

      Important
      With kv secrets engine v2, add the keyword data after the root secret folder (the engine's mount). For example, if the secrets are stored at secret/AC_001/adeptia, enter secret/data/AC_001/adeptia as the value. With v1, enter the path as stored, secret/AC_001/adeptia. On a v2 engine a read without data fails, so the secret is not found at runtime.

    HASHICORP_VAULT_AUTHENTICATION
      Authentication method the Adeptia Connect application uses to authenticate to the Vault. The possible values are KUBERNETES and TOKEN. Only the parameters for the selected method need to be set: HASHICORP_VAULT_TOKEN for TOKEN, and the three HASHICORP_VAULT_KUBERNETES parameters for KUBERNETES.

    HASHICORP_VAULT_TOKEN
      The Vault token, used with TOKEN authentication. This token is itself a long-lived secret stored in values.yaml and must be protected accordingly; KUBERNETES authentication avoids it by using the pod's service account token instead.

    HASHICORP_VAULT_KUBERNETES_ROLE
      Name of the role you have defined for the Kubernetes authentication method in the Vault.

    HASHICORP_VAULT_KUBERNETES_SERVICE_ACC_TOKEN_PATH
      Path within the pod at which the service account token is stored. The default value is /var/run/secrets/kubernetes.io/serviceaccount/token.

    HASHICORP_VAULT_KUBERNETES_PATH
      Name (mount path) of the Kubernetes authentication method defined in the Vault.

Creating project mapping

Project mapping is required when the folder in HashiCorp Vault that holds a project's secrets does not have the same name as the associated project in Adeptia Connect.

To map one or more projects to a folder in HashiCorp Vault, follow the steps given below:

  1. Click Account > My Company.

  2. Select Project-Vault Mappings.

  3. In the Project field, select the projects that you want to map.

  4. In the Vault Folder field, enter the name of the folder in HashiCorp Vault that contains the secrets for the project(s) you have selected in the Project field.

  5. Click Save.
    This creates a project mapping. You can click Add More to create another mapping.

Using variables to fetch secrets

A secret in HashiCorp Vault is a key-value pair, for example the key username and its value. To fetch a secret into an activity field, enter a variable in that field instead of the literal value. The variable must be in the following format:

${Vault:<Key>}

where <Key> is the key under which the value is stored in HashiCorp Vault, at the path resolved from the parameters described above. At runtime the application replaces the variable with the value stored under that key.

For example, to fetch the User Id of an FTP source activity from HashiCorp Vault, the secret at the resolved path must contain a key whose value is that user ID. If that key is named User.Id, enter the following in the User ID field:

${Vault:User.Id}
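The following is an added example, not Adeptia Connect's own code, that models offline the resolution this page describes: the secret path is built from the placeholders in HASHICORP_VAULT_SECRET_PATH_PATTERN (with the Project-Vault Mapping applied), a kv v2 path gets data inserted after the root secret folder as the HASHICORP_VAULT_SECRET_BASE_PATH note requires, and each ${Vault:<Key>} in an activity field is replaced by the value stored under <Key>. It also builds the Kubernetes login call that the KUBERNETES authentication parameters feed (Vault's standard POST /v1/auth/<mount>/login with role and jwt). Two things are assumptions rather than statements on the page: that the final secret path is the base path followed by the filled-in pattern, and that an in-memory dict of constructed sample secrets can stand in for the Vault server. All names, paths, and values in the sample data are constructed.

```python
"""Offline model of how a ${Vault:<Key>} reference in an activity field is resolved.

Added example, not Adeptia Connect code. Assumed (not stated on the page): the
final path is HASHICORP_VAULT_SECRET_BASE_PATH followed by the filled-in
HASHICORP_VAULT_SECRET_PATH_PATTERN, and a dict of constructed sample secrets
stands in for the Vault server.
"""
import re
from dataclasses import dataclass

VAULT_REF = re.compile(r"\$\{Vault:([^}]+)\}")


@dataclass(frozen=True)
class VaultSettings:
    url: str            # HASHICORP_VAULT_URL
    kv_version: str     # HASHICORP_VAULT_KV_VERSION: "v1" or "v2"
    base_path: str      # HASHICORP_VAULT_SECRET_BASE_PATH as a logical path (no 'data')
    path_pattern: str   # HASHICORP_VAULT_SECRET_PATH_PATTERN
    profile: str        # PROFILE


def kv_read_path(logical_path: str, kv_version: str) -> str:
    """Path the KV engine reads a secret at: kv v2 inserts 'data' after the
    root secret folder (secret/AC_001/adeptia -> secret/data/AC_001/adeptia);
    kv v1 uses the logical path unchanged."""
    parts = [p for p in logical_path.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"{logical_path!r} needs a root folder and a secret name")
    if kv_version == "v2":
        return "/".join([parts[0], "data", *parts[1:]])
    if kv_version == "v1":
        return "/".join(parts)
    raise ValueError(f"unsupported kv version {kv_version!r}")


def fill_pattern(pattern: str, project_name: str, profile: str,
                 project_vault_mapping: dict) -> str:
    """Substitute the page's placeholders in the order the pattern gives them
    (it must match the Vault folder layout). $PROJECT_VAULT_MAPPING$ goes through
    the Project-Vault Mapping; an unmapped project falls back to its own name,
    since mapping exists only for folders named differently from the project."""
    values = {
        "$PROJECT_VAULT_MAPPING$": project_vault_mapping.get(project_name, project_name),
        "$PROFILE$": profile,
        "$PROJECT_NAME$": project_name,
    }
    out = pattern
    for placeholder, value in values.items():
        if placeholder in out and not value:
            raise ValueError(f"{placeholder} is in the pattern but has no value")
        out = out.replace(placeholder, value)
    if "$" in out:
        raise ValueError(f"unknown placeholder left in {out!r}")
    return out.strip("/")


def resolve_fields(fields: dict, settings: VaultSettings, project_name: str,
                   project_vault_mapping: dict, vault: dict) -> dict:
    """Replace every ${Vault:<Key>} in the activity fields; plain values pass
    through. `vault` maps a KV read path to the key/value pairs stored there
    and stands in for the HTTP read against settings.url."""
    logical = settings.base_path.strip("/") + "/" + fill_pattern(
        settings.path_pattern, project_name, settings.profile, project_vault_mapping)
    read_path = kv_read_path(logical, settings.kv_version)
    if read_path not in vault:
        raise LookupError(f"nothing at {read_path!r}: check KV version and folder layout")
    secret_data = vault[read_path]

    def substitute(match: re.Match) -> str:
        key = match.group(1)
        if key not in secret_data:
            # Fail closed rather than sending the literal ${Vault:...} to the endpoint.
            raise KeyError(f"key {key!r} not found at {read_path!r}")
        return secret_data[key]

    return {name: VAULT_REF.sub(substitute, value) for name, value in fields.items()}


def kubernetes_login_request(settings: VaultSettings, auth_path: str,
                             role: str, jwt: str) -> tuple:
    """Vault Kubernetes auth login: POST {HASHICORP_VAULT_URL}/v1/auth/
    {HASHICORP_VAULT_KUBERNETES_PATH}/login with HASHICORP_VAULT_KUBERNETES_ROLE
    and the JWT read from HASHICORP_VAULT_KUBERNETES_SERVICE_ACC_TOKEN_PATH.
    Returns (url, JSON body); sending it is outside this offline example."""
    url = f"{settings.url.rstrip('/')}/v1/auth/{auth_path.strip('/')}/login"
    return url, {"role": role, "jwt": jwt}


# Constructed sample data: kv v2 mount "secret", base folder AC_001/adeptia (the
# page's example), project "Invoices" mapped to Vault folder "inv", Profile Prod.
SAMPLE_SETTINGS = VaultSettings(
    url="https://vault.example.internal:8200", kv_version="v2",
    base_path="secret/AC_001/adeptia",
    path_pattern="$PROJECT_VAULT_MAPPING$/$PROFILE$/$PROJECT_NAME$", profile="Prod")
SAMPLE_MAPPING = {"Invoices": "inv"}
SAMPLE_VAULT = {
    "secret/data/AC_001/adeptia/inv/Prod/Invoices": {
        "User.Id": "ftp-invoices", "Password": "example-only-not-a-real-secret"},
}


def demo() -> dict:
    """FTP source fields as a user types them, resolved against the sample."""
    fields = {"User ID": "${Vault:User.Id}", "Password": "${Vault:Password}",
              "Host": "ftp.example.internal"}
    return resolve_fields(fields, SAMPLE_SETTINGS, "Invoices", SAMPLE_MAPPING, SAMPLE_VAULT)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script resolves the two ${Vault:...} fields and leaves the Host field untouched. Switching SAMPLE_SETTINGS to kv_version="v1" makes the lookup fail, because the read path then lacks the data segment that a v2 engine requires; that is the mismatch the HASHICORP_VAULT_SECRET_BASE_PATH note warns about, and an unknown <Key> fails in the same closed manner instead of passing the literal variable to the endpoint.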