
Integration with Hashicorp Vault

Before you start

Goal

  • Understand how Hub integrates with Vault.
  • Set up the Vault connection.

Introduction

Altair SLC Hub provides integration with Hashicorp Vault in two ways:

  • Configuration settings such as database connection passwords.
  • Backing storage for Hub authentication domain credentials.

Vault Connection Configuration

Altair SLC Hub can authenticate to Vault using either AppRole authentication or AWS IAM authentication.

To configure the Vault connection, create a copy of the [etc directory]/config.d/vault.yaml file and save it with a lexicographically greater name such as etc/config.d/vault_custom.yaml. Then edit the configuration file to provide the address of the Vault server, the role name and, if necessary, the authentication secret. The [etc directory]/config.d/vault.yaml file documents the necessary configuration properties.

If using AppRole authentication, the secret can be provided either directly in the secretID property, or indirectly by placing the secret in a file and setting the secretIDFile property to the location of that file. In the latter case Hub watches that file and reloads the authentication secret whenever the contents of the file change.
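The secretIDFile behaviour above (read the secret from a file, reload only when its contents actually change) is easy to get subtly wrong, so here is an added illustration of it in Python. This is example code, not Hub's own implementation: the class name SecretIDFile, the helper names and the 0600 permission check are assumptions made for the example, and the file contents it writes are constructed sample values.

```python
"""Reload an AppRole secret ID from a file only when its contents change.

Added example; not Hub's code. SecretIDFile, write_secret_file, exercise_reload
and demo are names assumed for this illustration.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple


class SecretIDFile:
    """Read an AppRole secret ID from a file and report whether it changed.

    Change detection hashes the file contents rather than trusting the mtime,
    so rewriting the file with the same secret does not count as a reload.
    """

    def __init__(self, path: str) -> None:
        self.path = Path(path)
        self._digest: Optional[str] = None
        self._secret: Optional[str] = None

    def _read(self) -> str:
        if os.name == "posix":
            mode = stat.S_IMODE(self.path.stat().st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                # A group/world-accessible secret file is a misconfiguration;
                # refuse to use it rather than silently accepting it.
                raise PermissionError(
                    f"{self.path} is accessible by group/other (mode {oct(mode)})"
                )
        # A trailing newline is an artefact of how the file was written, not
        # part of the secret.
        return self.path.read_text(encoding="utf-8").strip()

    def current(self) -> Tuple[str, bool]:
        """Return (secret_id, reloaded).

        reloaded is True on the first read and whenever the contents differ
        from what was last loaded. The secret itself is never logged.
        """
        secret = self._read()
        digest = hashlib.sha256(secret.encode("utf-8")).hexdigest()
        reloaded = digest != self._digest
        if reloaded:
            self._digest = digest
            self._secret = secret
        return self._secret, reloaded


def write_secret_file(path: str, value: str, mode: int = 0o600) -> None:
    """Write a secret to disk and restrict its permissions (assumed helper)."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(value)
    os.chmod(path, mode)


def exercise_reload(path: str) -> List[object]:
    """Walk through the reload scenarios on a given file; returns the events seen."""
    events: List[object] = []
    write_secret_file(path, "constructed-secret-id-1\n")  # constructed value
    watcher = SecretIDFile(path)
    events.append(watcher.current())            # first read -> reloaded
    events.append(watcher.current())            # unchanged  -> not reloaded
    write_secret_file(path, "constructed-secret-id-1\n")  # same content rewritten
    events.append(watcher.current())            # same hash  -> not reloaded
    write_secret_file(path, "constructed-secret-id-2")    # rotated secret
    events.append(watcher.current())            # new hash   -> reloaded
    os.chmod(path, 0o644)                       # loosen permissions
    try:
        watcher.current()
        events.append("read-allowed")
    except PermissionError:
        events.append("permission-error")
    return events


def demo() -> List[object]:
    """Run exercise_reload in a fresh temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return exercise_reload(os.path.join(tmp, "secret-id"))


if __name__ == "__main__":
    for event in demo():
        # Print only the reload flag, never the secret value.
        print(event if isinstance(event, str) else f"reloaded={event[1]}")
```

Two design points worth keeping when wiring a secret file into any service: compare content hashes, not modification times, so that configuration-management tools that rewrite the file on every run do not trigger needless re-authentication; and treat loose file permissions as an error at read time, since a secret ID that is readable by other local accounts defeats the purpose of keeping it out of the main configuration file.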

Verification

Verify Vault Credentials

  • Run hubctl verify vault.

To check the credentials for vault, run the following command:

   hubctl verify vault

Configuration Settings

There are a number of places in the Hub configuration where connection credentials are required for external services:

The credentials for these can all be fetched from Vault rather than being set in the normal Hub configuration files.

General notes for using KV secrets engine

If using the Vault command line vault kv command to populate Vault secrets, the form of the secret path supplied in the Hub configuration parameters is slightly different from the path used with the Vault command line kv subcommand.

For example, if the following command is used to populate the vault secret:

   vault kv put secret/hub-creds user=hub passcode=secret

The relevant Hub configuration property needs to be set to the value secret/data/hub-creds. The path required by Hub is the same path that you must use with the generic Vault read command:

   vault read secret/data/hub-creds

For more information see the Vault documentation.

In general, Hub supports both the version 1 and version 2 KV secrets engines.
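To make the path difference above concrete for both KV engine versions, here is an added Python example (not Hub's or Vault's code) that turns a path as given to vault kv into the path Hub needs, and pulls the secret fields out of the response that the generic read returns. The function names hub_secret_path and read_kv_fields are assumptions, and the two JSON responses are constructed samples shaped like vault read -format=json output for a v2 and a v1 engine.

```python
"""Translate 'vault kv' paths into the paths Hub uses, for KV v1 and v2.

Added example; not Hub's or Vault's code. hub_secret_path and read_kv_fields
are assumed names, and the SAMPLE_* responses are constructed.
"""
import json
from typing import Dict, Union


def hub_secret_path(kv_path: str, kv_version: int = 2) -> str:
    """Map '<mount>/<secret path>' as used with `vault kv` to the generic read path.

    `vault kv` hides the engine version from the user. For a version 2 engine the
    real read path has 'data/' inserted after the mount point; for version 1 the
    path is used as-is.
    """
    mount, _, rest = kv_path.strip("/").partition("/")
    if not mount or not rest:
        raise ValueError(f"expected '<mount>/<secret path>', got {kv_path!r}")
    if kv_version == 1:
        return f"{mount}/{rest}"
    if kv_version == 2:
        return f"{mount}/data/{rest}"
    raise ValueError(f"unsupported KV engine version {kv_version}")


def read_kv_fields(response: Union[str, dict], kv_version: int = 2) -> Dict[str, str]:
    """Extract the key/value fields from a generic read response.

    A version 2 engine nests the fields under data.data (alongside data.metadata);
    a version 1 engine returns them directly under data.
    """
    body = json.loads(response) if isinstance(response, str) else response
    data = body["data"]
    fields = data["data"] if kv_version == 2 else data
    if not isinstance(fields, dict):
        raise ValueError("response does not contain a key/value mapping")
    return dict(fields)


# Constructed sample: what `vault read -format=json secret/data/hub-creds`
# returns from a KV version 2 engine after the `vault kv put` shown above.
SAMPLE_V2_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",  # placeholder
    "data": {
        "data": {"user": "hub", "passcode": "secret"},
        "metadata": {"version": 1, "destroyed": False, "deletion_time": ""},
    },
})

# Constructed sample: the same secret read from a KV version 1 engine.
SAMPLE_V1_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000001",  # placeholder
    "data": {"user": "hub", "passcode": "secret"},
})


if __name__ == "__main__":
    for version, sample in ((2, SAMPLE_V2_RESPONSE), (1, SAMPLE_V1_RESPONSE)):
        path = hub_secret_path("secret/hub-creds", version)
        fields = read_kv_fields(sample, version)
        # Print field names only; the values are credentials.
        print(f"KV v{version}: Hub path={path} fields={sorted(fields)}")
```

If it is unclear which engine version a mount is running, vault secrets list -detailed shows it per mount; the path Hub needs can then be derived from the vault kv path with the function above rather than guessed.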