Integration with Hashicorp Vault

Authentication Domain Credentials

Before you start

Goal

  • Load authentication domain credentials using the path of a Vault secret.

As an alternative to using Altair SLC Hub to associate explicit credentials for an authentication domain with a user or group, it is possible to store the path of a Vault secret. It is expected that the Vault secret will contain username and password properties. When Altair SLC is running a program on behalf of a user, and requires resolution of the credentials for an authentication domain, Hub will fetch the given secret from Vault and return it to Altair SLC.

Security

There is an important security risk to be aware of before using Vault integration for authentication domain credentials. No access control is in place to prevent Altair SLC Hub users from specifying a Vault path for someone else's secret, meaning it would be possible to make use of someone else's credentials. Before enabling this feature, this security warning should be carefully considered.
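
One way to review configured Vault paths for the risk described above, as an added example that is not part of Altair SLC Hub or its documentation. The assignment list, its tuple layout and the per-principal prefix convention are assumptions; how the assignments are obtained from Hub is not covered on this page.

```python
import posixpath
from collections import defaultdict

# Constructed sample: (Hub principal, authentication domain, Vault path).
# The tuple layout is an assumption, not a Hub export format.
ASSIGNMENTS = [
    ("alice", "oracle-prod", "secret/data/slc/alice/oracle-prod"),
    ("bob", "oracle-prod", "secret/data/slc/alice/oracle-prod"),
    ("carol", "teradata", "secret/data/slc/carol/../alice/teradata"),
    ("dave", "teradata", "secret/data/slc/dave/teradata"),
]
# Assumed naming convention: each principal's secrets live under its own prefix.
PREFIX = "secret/data/slc/{principal}/"


def normalise(path):
    """Defensively collapse '.', '..' and repeated slashes before comparing."""
    return posixpath.normpath("/" + path.strip()).lstrip("/")


def audit(assignments, prefix=PREFIX):
    """Flag paths outside the owner's prefix and paths used by several principals."""
    findings = []
    users_by_path = defaultdict(set)
    for principal, domain, raw in assignments:
        path = normalise(raw)
        users_by_path[path].add(principal)
        # The trailing slash in the prefix stops "al" matching "alice".
        if not path.startswith(prefix.format(principal=principal)):
            findings.append(("outside-prefix", principal, domain, path))
    for path, users in sorted(users_by_path.items()):
        if len(users) > 1:
            findings.append(("shared-path", ",".join(sorted(users)), "*", path))
    return findings


if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS):
        print(*finding, sep="\t")
```

A shared path is not always a problem (a group secret may be intentional), so treat those findings as items to confirm with the secret's owner.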

Enable

This feature is disabled by default. To enable Vault integration for authentication domain credentials, set the authdomain.allowVaultPathCredentials Hub parameter to true. Once that is set, the data-access service must be restarted for the change to take effect. This can be done using the hubctl command, as follows:

hubctl service restart data-access

Verification

Verify Auth Domain

  • Resolve an authentication domain