Versions Compared

Old Version 4

changes.mady.by.user Chandresh Patel

Saved on

compared with

New Version Current

changes.mady.by.user Chandresh Patel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • You must first install and configure HashiCorp Vault if have not already done so.
  • Now you can create specific AppRole for FlexDeploy authentication. Use proper role name, for example flexdeploy-role.

  • AppRole specific to FlexDeploy must have policy assigned that allows FlexDeploy to read specific secrets necessary. Note that FlexDeploy only needs read permission. Example policy file

    Code Block
    titleExamplay Policy File
    path "kv/*" 
{
   capabilities = ["read", "update"]
}
path "sys/mounts" 
{
   capabilities = ["read"]
} 
path "secret/*"
{
  capabilities = ["create", "read", "update", "delete", "list"]
}


  • You will need role id and secret id for this AppRole for configuration in FlexDeploy.

...

Here are the configurations necessary for this store.

Property NameNotesExample
Vault URL

HTTP URL for REST service calls.

If you use https protocol then make sure to configure KeyStore (default java or application server keystore) with proper certificates.

http://myvault.mycompany.com:8200
App Role PathApp role path for authentication. This will default to approle and it should be sufficient.approle
Role IdYou will create approle for FlexDeploy to authenticate against vault, provide role id here.as per your Vault configurations
Secret IdYou will create approle for FlexDeploy to authenticate against vault, provide secret id here.as per your Vault configurations
Engine VersionEngine version for secrets. This will default to 2, you can change if necessary.1 or 2

Now you are ready to create individual credential to be retrieved from Vault.

You can create or edit credentials from Credentials page or from where specific credential is used.

Image Added

HashiCorp Credential requires two inputs as described below. Keep in mind that AppRole created for FlexDeploy must have read access to paths defined by various credentials.

Input NameNotes
Secrets PathPath to secrets in HashiCorp Vault. For example, kv/DEV/Database/apps
Key NameKey name for secret value.

Here is how edit credential looks like.

Image Added

Create credential looks similar except you need to provide Scope as well. Scope can not changed once credential is saved.

Image Added

You can change credential inputs (Secrets Path, Key Name) at any point. FlexDeploy will use these inputs with credential store properties like URL, Role and Secret id to retrieve individual credential for use during Workflow Execution.