FlexDeploy provides out of box integration with HashiCorp Vault to retrieve secrets. FlexDeploy will authenticate using AppRole authentication method against vault.
HashiCorp Vault Setup
- You must first install and configure HashiCorp Vault if have not already done so.
- Now you can create specific AppRole for FlexDeploy authentication.
AppRole specific to FlexDeploy must have policy assigned that allows FlexDeploy to read specific secrets necessary. Example policy file
Examplay Policy Filepath "kv/*" { capabilities = ["read", "update"] } path "sys/mounts" { capabilities = ["read"] } path "secret/*" { capabilities = ["create", "read", "update", "delete", "list"] }- You will need role id and secret id for this AppRole for configuration in FlexDeploy.
FlexDeploy Setup
You must first create Credential Store in FlexDeploy by clicking Create Store button on Administration - Security - Credentials page. Credential store represents instance of specific type of credential store provider. If you have more than one HashiCorp Vault installations, you will create equal number of Credential Stores in FlexDeploy.
Here are the configurations necessary for this store.
| Property Name | Notes | Example |
|---|---|---|
| Vault URL | HTTP URL for REST service calls. If you use https protocol then make sure to configure KeyStore (default java or application server keystore) with proper certificates. | http://myvault.mycompany.com:8200 |
| App Role Path | App role path for authentication. This will default to approle and it should be sufficient. | approle |
| Role Id | You will create approle for FlexDeploy to authenticate against vault, provide role id here. | as per your Vault configurations |
| Secret Id | You will create approle for FlexDeploy to authenticate against vault, provide secret id here. | as per your Vault configurations |
| Engine Version | Engine version for secrets. This will default to 2, you can change if necessary. | 1 or 2 |