DRP's Integration with HashiCorp Vault

Digital Rebar Provision (DRP) integrates with HashiCorp Vault to extend its secret management capabilities. This integration enables users to securely retrieve secrets from Vault, enhancing DRP's native secret management options.

Plugin Configuration

These steps are necessary to use the Vault plugin. Configure the Vault plugin with the following parameters:

  • vault/address: The address of the Vault server, in the form http(s)://<vault-server-address>:<port>.
  • vault/token: The authentication token used to connect to Vault. See the Vault documentation on authentication tokens.
  • vault/kv-version: The version (1 or 2) of the Vault KV secrets engine when it runs in versioned mode. Defaults to v2 if not set.

Optionally, you can configure a cache timeout, which allows DRP to temporarily store secrets in memory. This minimizes the number of requests made to the Vault server and improves performance. The duration is specified in seconds, with a default of 300 seconds.

  • vault/cache-timeout: The duration (in seconds) to cache secrets in memory.

Operational Configuration

Beyond configuring the plugin, you need to set a lookup URI that specifies where the secret is located in Vault:

  • decrypt/lookup-uri: specifies where the secret is stored.
    • Format: <plugin-name>://<key-to-lookup>?path=<path-to-secret>
    • In this case the plugin name is vault. Assume a secret exists at path hello with key foo:

        $ vault kv get secret/hello
          == Secret Path ==
          secret/data/hello

          ======= Metadata =======
          Key                Value
          ---                -----
          created_time       *****
          custom_metadata    *****
          deletion_time      *****
          destroyed          false
          version            4

          === Data ===
          Key    Value
          ---    -----
          foo    bar

    • The resulting URI is: vault://foo?path=hello

The URI can also have parameter expansions.

Path Formatting Based on Vault KV Secrets Engine Version

  • For KV version 1: use the full path, e.g., for kv/my-secret the path is kv/my-secret.
    • Details about KV version 1: https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v1
  • For KV version 2: exclude /secret from the path. For a secret stored at /secret/foo/creds, the path is /foo/creds.
    • Details about KV version 2: https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2

Unsure which version your Vault secrets engine is using? Run vault secrets list -detailed and look at the Options column:

  • If it shows version: "2", it is KV version 2.
  • If the Options column is empty or does not mention a version, it is likely KV version 1.

Here is an example output:

    Path       Plugin    Accessor    Options           Description
    ----       ------    --------    -------           -----------
    secret/    kv        kv_abcde    map[version:2]    key/value secret storage
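As an added example (not the plugin's own code), the following Go snippet parses a decrypt/lookup-uri of the form above and shows how the path= value maps onto Vault's HTTP API for KV v1 versus KV v2, then pulls the requested key out of each engine's response shape (v1 returns the pairs under data, v2 nests them under data.data beside the version metadata). The Lookup type and function names are hypothetical, and the mount name secret and the JSON bodies are constructed sample input.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Lookup holds a parsed decrypt/lookup-uri (hypothetical helper, not the plugin's own type).
type Lookup struct{ Plugin, Key, Path string }

// ParseLookupURI splits <plugin-name>://<key-to-lookup>?path=<path-to-secret>.
func ParseLookupURI(raw string) (Lookup, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Lookup{}, err
	}
	l := Lookup{Plugin: u.Scheme, Key: u.Host, Path: u.Query().Get("path")}
	if l.Plugin == "" || l.Key == "" || l.Path == "" {
		return l, fmt.Errorf("lookup uri %q: plugin, key and path are all required", raw)
	}
	return l, nil
}

// VaultAPIPath builds the HTTP path Vault serves: KV v1 keeps the mount inside path=
// (kv/my-secret -> /v1/kv/my-secret); KV v2 omits it and inserts /data/ after the mount.
func VaultAPIPath(kvVersion int, mount, path string) string {
	if kvVersion == 1 {
		return "/v1/" + strings.Trim(path, "/")
	}
	return "/v1/" + strings.Trim(mount, "/") + "/data/" + strings.Trim(path, "/")
}

// ExtractKey reads one key from a Vault read response body. KV v1 returns the
// pairs under "data"; KV v2 nests them under "data"."data" beside the metadata.
func ExtractKey(kvVersion int, body []byte, key string) (string, error) {
	var resp struct{ Data map[string]interface{} `json:"data"` }
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", err
	}
	kv := resp.Data
	if kvVersion != 1 {
		kv, _ = resp.Data["data"].(map[string]interface{}) // nil if v2 shape is absent
	}
	if val, ok := kv[key].(string); ok {
		return val, nil
	}
	return "", fmt.Errorf("key %q missing or not a string in secret", key)
}
```

Reading a KV v1 body with kvVersion set to 2 (or vice versa) fails with a missing-key error rather than returning a wrong value, which is the symptom to look for when vault/kv-version is misconfigured.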

Usage

This assumes that a secret with key foo exists at the hello path in Vault (see the Vault docs) and that a machine named vault-test exists in DRP.

Set the secret:

    drpcli machines set Name:vault-test param ipmi/password to '{ "LookupUri": "vault://foo?path=hello" }'

Retrieve the secret:

    drpcli machines get Name:vault-test param ipmi/password --decode