HashiCorp Vault

Detailed information on the HashiCorp Vault secret store component

Create the Vault component

To setup HashiCorp Vault secret store create a component of type secretstores.hashicorp.vault. See this guide on how to create and apply a secretstore configuration. See this guide on referencing secrets to retrieve and use the secret with Dapr components.

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4. name: vault
  5. spec:
  6. type: secretstores.hashicorp.vault
  7. version: v1
  8. metadata:
  9. - name: vaultAddr
  10. value: [vault_address] # Optional. Default: "https://127.0.0.1:8200"
  11. - name: caCert # Optional. This or caPath or caPem
  12. value: "[ca_cert]"
  13. - name: caPath # Optional. This or CaCert or caPem
  14. value: "[path_to_ca_cert_file]"
  15. - name: caPem # Optional. This or CaCert or CaPath
  16. value : "[encoded_ca_cert_pem]"
  17. - name: skipVerify # Optional. Default: false
  18. value : "[skip_tls_verification]"
  19. - name: tlsServerName # Optional.
  20. value : "[tls_config_server_name]"
  21. - name: vaultTokenMountPath # Required if vaultToken not provided. Path to token file.
  22. value : "[path_to_file_containing_token]"
  23. - name: vaultToken # Required if vaultTokenMountPath not provided. Token value.
  24. value : "[path_to_file_containing_token]"
  25. - name: vaultKVPrefix # Optional. Default: "dapr"
  26. value : "[vault_prefix]"
  27. - name: vaultKVUsePrefix # Optional. default: "true"
  28. value: "[true/false]"
  29. - name: enginePath # Optional. default: "secret"
  30. value: "secret"
  31. - name: vaultValueType # Optional. default: "map"
  32. value: "map"

Warning

The above example uses secrets as plain strings. It is recommended to use a local secret store such as Kubernetes secret store or a local file to bootstrap secure key storage.

Spec metadata fields

FieldRequiredDetailsExample
vaultAddrNThe address of the Vault server. Defaults to https://127.0.0.1:8200https://127.0.0.1:8200
caPemNThe inlined contents of the CA certificate to use, in PEM format. If defined, takes precedence over caPath and caCert.See below
caPathNThe path to a folder holding the CA certificate file to use, in PEM format. If the folder contains multiple files, only the first file found will be used. If defined, takes precedence over caCert.“path/to/cacert/holding/folder”
caCertNThe path to the CA certificate to use, in PEM format.“”path/to/cacert.pem”
skipVerifyNSkip TLS verification. Defaults to “false”“true”, “false”
tlsServerNameNThe name of the server requested during TLS handshake in order to support virtual hosting. This value is also used to verify the TLS certificate presented by Vault server.“tls-server”
vaultTokenMountPathYPath to file containing token“path/to/file”
vaultTokenYToken for authentication within Vault.“tokenValue”
vaultKVPrefixNThe prefix in vault. Defaults to “dapr”“dapr”, “myprefix”
vaultKVUsePrefixNIf false, vaultKVPrefix is forced to be empty. If the value is not given or set to true, vaultKVPrefix is used when accessing the vault. Setting it to false is needed to be able to use the BulkGetSecret method of the store.“true”, “false”
enginePathNThe engine path in vault. Defaults to “secret”“kv”, “any”
vaultValueTypeNVault value type. map means to parse the value into map[string]string, text means to use the value as a string. ‘map’ sets the multipleKeyValuesPerSecret behavior. text makes Vault behave as a secret store with name/value semantics. Defaults to “map”“map”, “text”

Optional per-request metadata properties

The following optional query parameters can be provided to Hashicorp Vault secret store component:

Query ParameterDescription
metadata.version_idVersion for the given secret key.

Setup Hashicorp Vault instance

Setup Hashicorp Vault using the Vault documentation: https://www.vaultproject.io/docs/install/index.html.

For Kubernetes, you can use the Helm Chart: https://github.com/hashicorp/vault-helm.

Multiple key-values per secret

HashiCorp Vault supports multiple key-values in a secret. While this behavior is ultimately dependent on the underlying secret engine configured by enginePath, it may change the way you store and retrieve keys from Vault. For instance, multiple key-values in a secret is the behavior exposed in the secret engine, the default engine configured by the enginePath field.

When retrieving secrets, a JSON payload is returned with the key names as fields and their respective values.

Suppose you add a secret to your Vault setup as follows:

  1. vault kv put secret/dapr/mysecret firstKey=aValue secondKey=anotherValue thirdKey=yetAnotherDistinctValue

In the example above, the secret is named mysecret and it has 3 key-values under it. Observe that the secret is created under a dapr prefix, as this is the default value for the vaultKVPrefix flag. Retrieving it from Dapr would result in the following output:

  1. $ curl http://localhost:3501/v1.0/secrets/my-hashicorp-vault/mysecret
  1. {
  2. "firstKey": "aValue",
  3. "secondKey": "anotherValue",
  4. "thirdKey": "yetAnotherDistinctValue"
  5. }

Notice that the name of the secret (mysecret) is not repeated in the result.

TLS Server verification

The fields skipVerify, tlsServerName, caCert, caPath, and caPem control if and how Dapr verifies the vault server’s certificate while connecting using TLS/HTTPS.

Inline CA PEM caPem

The caPem field value should be the contents of the PEM CA certificate you want to use. Given PEM certificates are made of multiple lines, defining that value might seem challenging at first. YAML allows for a few ways of defining a multiline values.

Below is one way to define a caPem field.

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4. name: vault
  5. spec:
  6. type: secretstores.hashicorp.vault
  7. version: v1
  8. metadata:
  9. - name: vaultAddr
  10. value: https://127.0.0.1:8200
  11. - name: caPem
  12. value: |-
  13. -----BEGIN CERTIFICATE-----
  14. << the rest of your PEM file content's here, indented appropriately. >>
  15. -----END CERTIFICATE-----

Last modified March 21, 2024: Merge pull request #4082 from newbe36524/v1.13 (f4b0938)