Vaults

HashiCorp Vault is an identity-based secrets and encryption management system.

Vault provides encryption services that are gated by authentication and authorization methods. Using Vault’s UI, CLI, or HTTP API, secrets and other sensitive data can be securely stored and managed, with access tightly controlled (restricted) and auditable.

Vault

Vault Architecture

Vault validates and authorizes clients (users, machines, apps) before providing them access to secrets or stored sensitive data.

Architecture

Vault Workflow

Vault works primarily with tokens; each token is associated with the client's policy.

Each policy is path-based, and its rules constrain which actions a client may perform on which paths.

With Vault, you can create tokens manually and assign them to your clients, or the clients can log in and obtain a token.

Workflow

Vault Concepts

  1. Authentication

Authentication in Vault is the process by which a client supplies information that Vault uses to determine if they are who they say they are.

Once the client is authenticated against an auth method, a token is generated and associated with a policy.

  2. Validation

Vault validates the client against third-party trusted sources, such as GitHub, LDAP, AppRole, and more.

  3. Authorization

A client is matched against the Vault security policy.

This policy is a set of rules defining which API endpoints a client has access to with its Vault token.

Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault.

  4. Access

Vault grants access to secrets, keys, and encryption capabilities by issuing a token based on policies associated with the client’s identity.

The client can then use their Vault token for future operations.
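The workflow above is easier to reason about once the matching rules are visible. The following is an added example, not code from the Vault project: a simplified model of how Vault evaluates a token's path-based policies (default deny; the most specific matching rule wins, with an exact path beating a glob; an explicit deny overrides any grant; capabilities for the same pattern are merged across the token's policies). The two policies READ_ONLY and ADMIN and the request paths are constructed for illustration.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# A policy maps a path pattern to the capabilities it grants, the same
# information an HCL `path "..." { capabilities = [...] }` block carries.
Policy = Dict[str, Set[str]]

# Constructed policies for illustration (not from the page or from Vault).
READ_ONLY: Policy = {
    "my-secrets/aws": {"read"},      # exact path
    "my-secrets/*": {"list"},        # glob: everything below my-secrets/
}
ADMIN: Policy = {
    "my-secrets/*": {"create", "read", "update", "delete", "list"},
    "my-secrets/prod/*": {"deny"},   # carve-out that wins over the grant above
}


def pattern_matches(pattern: str, path: str) -> bool:
    """Vault path patterns: a trailing '*' matches any suffix, and a '+'
    segment matches exactly one path segment."""
    glob = pattern.endswith("*")
    core = pattern[:-1] if glob else pattern
    regex = "/".join("[^/]+" if seg == "+" else re.escape(seg)
                     for seg in core.split("/"))
    if glob:
        regex += ".*"
    return re.fullmatch(regex, path) is not None


def winning_pattern(policies: Iterable[Policy], path: str) -> Optional[str]:
    """Most specific rule wins: a wildcard-free (exact) pattern beats any
    wildcard pattern; among wildcard patterns the longest one wins."""
    candidates = {p for pol in policies for p in pol if pattern_matches(p, path)}
    if not candidates:
        return None
    exact = [p for p in candidates if "*" not in p and "+" not in p]
    if exact:
        return exact[0]
    return max(candidates, key=len)


def evaluate(policies: List[Policy], capability: str, path: str) -> Tuple[bool, str]:
    """Decide whether a token carrying `policies` may perform `capability`
    (read, create, update, delete, list) on `path`; returns (allowed, reason)."""
    pattern = winning_pattern(policies, path)
    if pattern is None:
        return False, "no rule matches %r: default deny" % path
    # Capabilities for the winning pattern are merged across the token's policies.
    caps: Set[str] = set()
    for pol in policies:
        caps |= pol.get(pattern, set())
    if "deny" in caps:
        return False, "explicit deny on %r" % pattern
    if capability in caps:
        return True, "%r granted by %r" % (capability, pattern)
    return False, "%r not in %s for %r" % (capability, sorted(caps), pattern)


if __name__ == "__main__":
    checks = [
        ([READ_ONLY], "read", "my-secrets/aws"),
        ([READ_ONLY], "list", "my-secrets/aws"),      # exact rule shadows the glob
        ([READ_ONLY], "list", "my-secrets/"),
        ([READ_ONLY], "read", "other/db"),            # default deny
        ([ADMIN], "read", "my-secrets/prod/db"),      # deny wins
        ([READ_ONLY, ADMIN], "delete", "my-secrets/aws"),
    ]
    for policies, cap, path in checks:
        ok, why = evaluate(policies, cap, path)
        print("ALLOW" if ok else "DENY ", cap, path, "-", why)
```

The last check in the demo is the one that surprises people: a token holding both policies is still refused `delete` on `my-secrets/aws`, because the exact-path rule in READ_ONLY is more specific than the glob in ADMIN and only the capabilities on the winning pattern count.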

Vault Integration

Integrating Terraform with Vault

HashiCorp Vault is a widely-used secret management solution that allows you to store, manage, and access secrets securely.

1. Install and configure Vault: follow the official documentation.

2. Enable the kv secrets engine in Vault with the command below:

vault secrets enable -path=my-secrets kv

3. Write secrets to Vault:

vault kv put my-secrets/aws aws_access_key_id=<your_access_key> aws_secret_access_key=<your_secret_key>

4. Configure the Terraform Vault provider: in your Terraform configuration, set up the Vault provider and authenticate using a token or another supported authentication method:

provider "vault" {
  address = "https://vault.example.com:8200"
  token   = "<your_vault_token>"
}

5. Access secrets from Vault in Terraform: use the vault_generic_secret data source to read secrets:

data "vault_generic_secret" "aws_credentials" {
  path = "my-secrets/aws"
}

provider "aws" {
  access_key = data.vault_generic_secret.aws_credentials.data["aws_access_key_id"]
  secret_key = data.vault_generic_secret.aws_credentials.data["aws_secret_access_key"]
  region     = "us-west-2"
}
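Behind the data source there is one authenticated read on Vault's HTTP API, so it helps to see that call spelled out. The following is an added example, not code from the page, from HashiCorp or from the Terraform provider: it reads `my-secrets/aws` the way the data source does, with the token in the `X-Vault-Token` header and taken from the `VAULT_ADDR` / `VAULT_TOKEN` environment variables the vault CLI also reads, so nothing is hard-coded the way the `token` line in the provider block above is. It also handles the one caveat this procedure hides: `vault secrets enable -path=my-secrets kv` without `-version=2` enables KV version 1, which is why the path `my-secrets/aws` and the flat `data` map work; a KV v2 mount would be read at `my-secrets/data/aws` and return the pairs one level deeper. The sample responses are constructed; `read_secret`, `extract_kv` and `as_aws_env` are names chosen here.

```python
import json
import os
import urllib.request
from typing import Dict


def kv_read_url(addr: str, mount: str, key: str, version: int = 1) -> str:
    """URL of the read endpoint for a KV secret. KV v1 exposes the secret at
    /v1/<mount>/<key>; KV v2 inserts a `data/` segment before the key."""
    base = addr.rstrip("/")
    if version == 2:
        return f"{base}/v1/{mount}/data/{key}"
    return f"{base}/v1/{mount}/{key}"


def extract_kv(response_body: str, version: int = 1) -> Dict[str, str]:
    """Pull the key/value pairs out of a Vault read response: v1 returns them
    directly under "data", v2 nests them under "data"."data"."""
    body = json.loads(response_body)
    if version == 2:
        return dict(body["data"]["data"])
    return dict(body["data"])


def as_aws_env(secret: Dict[str, str]) -> Dict[str, str]:
    """Map the two keys written by `vault kv put my-secrets/aws ...` onto the
    environment variable names the AWS SDKs read, the programmatic equivalent
    of the provider "aws" block in the Terraform snippet."""
    return {
        "AWS_ACCESS_KEY_ID": secret["aws_access_key_id"],
        "AWS_SECRET_ACCESS_KEY": secret["aws_secret_access_key"],
    }


def read_secret(mount: str, key: str, version: int = 1) -> Dict[str, str]:
    """One authenticated GET against the Vault HTTP API. Requires a reachable
    Vault and the VAULT_ADDR / VAULT_TOKEN environment variables."""
    addr = os.environ["VAULT_ADDR"]
    token = os.environ["VAULT_TOKEN"]
    req = urllib.request.Request(
        kv_read_url(addr, mount, key, version),
        headers={"X-Vault-Token": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_kv(resp.read().decode("utf-8"), version)


# Constructed sample responses, shaped like Vault's replies for each KV version.
SAMPLE_V1_RESPONSE = json.dumps({
    "request_id": "constructed-request-id",
    "lease_duration": 2764800,
    "data": {"aws_access_key_id": "AKIAEXAMPLE",
             "aws_secret_access_key": "example-secret"},
})
SAMPLE_V2_RESPONSE = json.dumps({
    "request_id": "constructed-request-id",
    "data": {
        "data": {"aws_access_key_id": "AKIAEXAMPLE",
                 "aws_secret_access_key": "example-secret"},
        "metadata": {"version": 1, "destroyed": False},
    },
})

if __name__ == "__main__":
    if "VAULT_ADDR" in os.environ and "VAULT_TOKEN" in os.environ:
        secret = read_secret("my-secrets", "aws")       # live read
    else:
        secret = extract_kv(SAMPLE_V1_RESPONSE)         # offline demo
    print(sorted(as_aws_env(secret)))  # variable names only, never the values
```

Whichever path is used, remember that whatever a Terraform data source reads is written into the Terraform state file in clear text, so the state for this configuration holds the AWS keys and needs the same protection as Vault itself.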

Integrating Terraform with AWS Secrets Manager

AWS Secrets Manager is a managed service that helps you protect access to your applications, services, and IT resources. To integrate Terraform with AWS Secrets Manager, follow these steps:

1. Store secrets in AWS Secrets Manager: Log in to the AWS Management Console, navigate to Secrets Manager, and create a new secret containing your sensitive data (e.g., API keys and database credentials).

2. Configure the Terraform AWS provider: In your Terraform configuration, set up the AWS provider with the appropriate credentials:

provider "aws" {
  region = "us-west-2"
}

3. Access secrets from AWS Secrets Manager in Terraform: use the aws_secretsmanager_secret_version data source to read secrets:

data "aws_secretsmanager_secret_version" "example" {
  secret_id = "arn:aws:secretsmanager:us-west-2:123456789012:secret:example-123456"
}

locals {
  example_secret = jsondecode(data.aws_secretsmanager_secret_version.example.secret_string)
}

You can now use the local.example_secret variable to access the stored secret as a JSON object. For example, if your secret contains a database username and password, you can reference them like this:

resource "aws_db_instance" "example" {
  # ...
  username = local.example_secret["db_username"]
  password = local.example_secret["db_password"]
}
