Integration with Hashicorp Vault

S3 object store

Before you start

Goal

  • Use credentials from Vault for S3 authentication.

To configure Hub to use authentication credentials fetched from Vault, set s3.vaultSecret to the path of the secret from which the credentials should be fetched. The secret is expected to contain values named access_key_id, secret_access_key and session_token.

Note that only the static KV secrets engine is supported for S3 authentication.

It may be necessary to set the s3.vaultSecretExpiry parameter to limit how long credentials fetched from Vault are considered valid. Hub keeps using the credentials it last fetched until they expire, and only then re-fetches them from Vault. If the credentials needed to connect to S3 change, both the old and the new credentials must therefore remain valid for a period of time, so that Hub can continue to connect with the old credentials until it considers them expired and fetches the new ones. The default value of s3.vaultSecretExpiry is one hour, so with the default setting the old and new credentials must both be valid for one hour after a change to ensure that Hub can continue to make connections during this period.
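The following is an added example, not code from Hub or its documentation. It models the behaviour described above: credentials are read from a static KV secret holding access_key_id, secret_access_key and session_token, cached for an expiry window, and re-fetched only after that window passes. The secret path, the in-memory stand-ins for Vault and S3, the fake clock and the credential values are all constructed for the example; they are not Hub's internal names or real credentials. The simulation shows why an overlap period is required: a rotation without overlap breaks connections until the cached credentials expire, while a rotation with overlap does not.

```python
import time

# Constructed sample values: not real credentials.
SECRET_PATH = "secret/hub/s3"            # hypothetical s3.vaultSecret path
OLD_CREDS = {
    "access_key_id": "AKIAOLDEXAMPLE",
    "secret_access_key": "old-secret-example",
    "session_token": "old-token-example",
}
NEW_CREDS = {
    "access_key_id": "AKIANEWEXAMPLE",
    "secret_access_key": "new-secret-example",
    "session_token": "new-token-example",
}
REQUIRED_KEYS = ("access_key_id", "secret_access_key", "session_token")


def fetch_secret(store, path):
    """Read a static KV secret from `store` (a dict standing in for Vault)
    and check that the three expected values are present."""
    data = store.get(path)
    if data is None:
        raise KeyError(f"no secret at {path}")
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        raise ValueError(f"secret {path} is missing values: {missing}")
    return dict(data)


class FakeClock:
    """Controllable clock so the expiry window can be advanced in the test."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class CachedVaultCredentials:
    """Models the s3.vaultSecret / s3.vaultSecretExpiry behaviour: the secret
    is fetched once and reused until `expiry_seconds` has elapsed, then
    fetched again from the store. Default expiry is one hour, as on the page."""
    def __init__(self, store, secret_path, expiry_seconds=3600, clock=time.monotonic):
        self.store = store
        self.secret_path = secret_path
        self.expiry_seconds = expiry_seconds
        self.clock = clock
        self._creds = None
        self._fetched_at = None

    def get(self):
        now = self.clock()
        if self._creds is None or now - self._fetched_at >= self.expiry_seconds:
            self._creds = fetch_secret(self.store, self.secret_path)
            self._fetched_at = now
        return self._creds


class FakeS3:
    """Constructed stand-in for S3: a connection succeeds only if the
    presented access key id is currently valid."""
    def __init__(self, valid_access_key_ids):
        self.valid = set(valid_access_key_ids)

    def connect(self, creds):
        return creds["access_key_id"] in self.valid


def simulate_rotation(overlap, expiry_seconds=3600):
    """Rotate the S3 credentials in Vault halfway through the expiry window
    and record whether connections succeed before, during and after the
    cached credentials expire. Returns a list of (label, connected) pairs."""
    store = {SECRET_PATH: dict(OLD_CREDS)}
    clock = FakeClock()
    cache = CachedVaultCredentials(store, SECRET_PATH, expiry_seconds, clock)
    s3 = FakeS3({OLD_CREDS["access_key_id"]})
    results = [("initial fetch", s3.connect(cache.get()))]

    # Halfway through the window the operator rotates the credentials.
    clock.advance(expiry_seconds / 2)
    store[SECRET_PATH] = dict(NEW_CREDS)
    s3.valid = {NEW_CREDS["access_key_id"]}
    if overlap:
        s3.valid.add(OLD_CREDS["access_key_id"])  # old key still accepted
    # Cached (old) credentials are still in use: succeeds only with overlap.
    results.append(("after rotation, cached creds", s3.connect(cache.get())))

    # Once the window has elapsed the secret is re-fetched and the new key used.
    clock.advance(expiry_seconds / 2)
    results.append(("after expiry, re-fetched", s3.connect(cache.get())))
    return results


if __name__ == "__main__":
    for overlap in (True, False):
        print(f"overlap={overlap}:", simulate_rotation(overlap))
```

Running the script prints one result list per scenario. With overlap every step connects; without it the middle step fails, which is exactly the outage the one-hour overlap requirement is meant to avoid. Shortening s3.vaultSecretExpiry shortens the required overlap at the cost of more frequent reads from Vault.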

Verification

Verify S3

  • Run the hubctl verify s3 command.

Before continuing, verify that the connection information for the S3 object store is correct. This can be done with the hubctl command, as follows:

hubctl verify s3