HashiCorp Vault

Configuration

HashiCorp Vault can be configured with environment variables or with a Vault entity.

Environment variables

  1. export KONG_VAULT_HCV_PROTOCOL=<protocol(http|https)>
  2. export KONG_VAULT_HCV_HOST=<hostname>
  3. export KONG_VAULT_HCV_PORT=<portnumber>
  4. export KONG_VAULT_HCV_MOUNT=<mountpoint>
  5. export KONG_VAULT_HCV_KV=<v1|v2>
  6. export KONG_VAULT_HCV_TOKEN=<tokenstring>

You can also store this information in an entity.

Entity

The Vault entity can only be used once the database is initialized. Secrets for values that are used before the database is initialized can’t make use of the Vaults entity.

Admin API

Declarative configuration

cURL

HTTPie

  1. curl -i -X PUT http://HOSTNAME:8001/vaults/my-hashicorp-vault \
  2.   --data name="hcv" \
  3.   --data description="Storing secrets in HashiCorp Vault" \
  4.   --data config.protocol="https" \
  5.   --data config.host="localhost" \
  6.   --data config.port="8200" \
  7.   --data config.mount="secret" \
  8.   --data config.kv="v2" \
  9.   --data config.token="<mytoken>"
  1. http -f PUT :8001/vaults/my-hashicorp-vault \
  2.   name="hcv" \
  3.   description="Storing secrets in HashiCorp Vault" \
  4.   config.protocol="https" \
  5.   config.host="localhost" \
  6.   config.port="8200" \
  7.   config.mount="secret" \
  8.   config.kv="v2" \
  9.   config.token="<mytoken>"

Result:

  1. {
  2.     "config": {
  3.         "host": "localhost",
  4.         "kv": "v2",
  5.         "mount": "secret",
  6.         "port": 8200,
  7.         "protocol": "https",
  8.         "token": "<mytoken>"
  9.     },
  10.     "created_at": 1645008893,
  11.     "description": "Storing secrets in HashiCorp Vault",
  12.     "id": "0b43d867-05db-4bed-8aed-0fccb6667837",
  13.     "name": "hcv",
  14.     "prefix": "my-hashicorp-vault",
  15.     "tags": null,
  16.     "updated_at": 1645008893
  17. }

Secrets management is supported in decK 1.16 and later.

Add the following snippet to your declarative configuration file:

  1. _format_version: "3.0"
  2. vaults:
  3. - config:
  4.     host: localhost
  5.     kv: v2
  6.     mount: secret
  7.     port: 8200
  8.     protocol: https
  9.     token: <mytoken>
  10.   description: Storing secrets in HashiCorp Vault
  11.   name: hcv
  12.   prefix: my-hashicorp-vault

Examples

For example, let’s say you’ve configured a HashiCorp Vault with a path of secret/hello and a key=value pair of foo=world:

  1. vault kv put secret/hello foo=world
  3. Key                Value
  4. ---                -----
  5. created_time       2022-01-15T01:40:03.740833Z
  6. custom_metadata    <nil>
  7. deletion_time      n/a
  8. destroyed          false
  9. version            1

Access these secrets like this:

  1. {vault://hcv/hello/foo}

Or if you configured an entity

  1. {vault://my-hashicorp-vault/hello/foo}