Integration with Hashicorp Vault

Object store

Before you start

Goal

  • Use credentials from Vault for object store authentication.

To configure Hub to use authentication credentials fetched from Vault, set the object_store.vaultSecret configuration property to the path of the secret from which the credentials should be fetched. The secret is expected to contain values named access_key_id, secret_access_key and session_token.

Note that only the static KV secrets engine is supported for S3 authentication.

It may be necessary to set the object_store.vaultSecretExpiry parameter to limit how long credentials fetched from Vault are considered valid. If the credentials needed to connect to the object store change, ensure that both the old and the new credentials remain valid for a period of time, so that Hub can keep connecting with the old credentials until it considers them expired and re-fetches the credentials from Vault. The default value of object_store.vaultSecretExpiry is one hour, so when the credentials are changed, the old and the new credentials must both remain valid for one hour to ensure that Hub can continue to make connections during this period.
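To make the overlap requirement concrete, here is a small Python model (an added example, not Hub's own code) of the expiry-based caching described above. It uses the three key names the secret must contain; the KV store contents, the secret path and the timings are constructed stand-ins.

```python
from dataclasses import dataclass, field
from typing import Optional

# Keys that Hub expects to find in the Vault KV secret (names from the page).
REQUIRED_KEYS = ("access_key_id", "secret_access_key", "session_token")


def validate_secret(data: dict) -> list:
    """Return the required keys that are missing or empty in a KV secret's data."""
    return [k for k in REQUIRED_KEYS if not data.get(k)]


@dataclass
class CachedVaultCredentials:
    """Model of the caching behaviour: read the secret once, reuse it until
    vaultSecretExpiry seconds have passed, then re-read it from Vault."""
    kv_store: dict            # stand-in for the static KV engine: path -> secret data
    path: str                 # what object_store.vaultSecret points at
    expiry_seconds: int       # object_store.vaultSecretExpiry (default: one hour)
    _cached: Optional[dict] = field(default=None, init=False)
    _fetched_at: float = field(default=0.0, init=False)

    def get(self, now: float) -> dict:
        if self._cached is None or now - self._fetched_at >= self.expiry_seconds:
            data = self.kv_store[self.path]
            missing = validate_secret(data)
            if missing:
                raise ValueError(f"secret at {self.path} is missing keys: {missing}")
            self._cached, self._fetched_at = dict(data), now
        return self._cached


def simulate_rotation(expiry_seconds: int, rotate_at: int, old_revoked_at: int) -> Optional[int]:
    """Hub fetches at t=0 (just before the rotation). At rotate_at the secret in
    Vault is replaced; at old_revoked_at the object store stops accepting the old
    credentials. Returns the first second at which Hub's cached credentials would
    be refused, or None if both credential sets overlap long enough."""
    old = {"access_key_id": "AKIAOLD", "secret_access_key": "old", "session_token": "old-tok"}
    new = {"access_key_id": "AKIANEW", "secret_access_key": "new", "session_token": "new-tok"}
    path = "secret/hub/objectstore"  # hypothetical path, constructed for the example
    store = {path: old}
    hub = CachedVaultCredentials(store, path, expiry_seconds)
    for t in range(old_revoked_at + expiry_seconds + 1):
        if t == rotate_at:
            store[path] = new  # the rotation written to Vault
        creds = hub.get(t)
        still_old = creds["access_key_id"] == old["access_key_id"]
        if still_old and t >= old_revoked_at:
            return t
    return None
```

With the default one-hour expiry, revoking the old credentials any earlier than one hour after the rotation leaves a window in which Hub is refused, which is exactly why both sets must stay valid for the full expiry period.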

Verification

Verify object store

  • Run the hubctl verify objectstore command.

Before continuing, it is necessary to verify that the connection information for the object store is correct. This can be done using the hubctl command, as follows:

hubctl verify objectstore