Configuring Hashicorp Vault Proxy with CSM
Prerequisites
- Install Hashi Vault on your machine. Refer to this link for installation details.
- Run the command below to install the Hashi Vault CLI:
sudo apt update && sudo apt install vault
Steps
To configure Hashicorp Vault Proxy with CipherTrust Secrets Management (CSM), perform the following steps:
- Set the akeyless-vault URL in the VAULT_ADDR environment variable.
Syntax
export VAULT_ADDR=https://<CipherTrust Manager-IP>/akeyless-hvp/
Example
export VAULT_ADDR=https://54.224.103.148/akeyless-hvp/
- Configure the authentication token that the Vault CLI will use to fetch secrets from Akeyless Vault. Set your Akeyless token in ~/.vault-token.
Supported tokens: a permanent token must have the following structure (the Access-ID and the Access-Key joined by two dots):
Access-ID..Access-Key
Example
p-XXXXX..XXXXXXXXXXX
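The two steps above, wrapped in small shell helpers. This is an added example, not part of the CSM or Akeyless documentation; it assumes the proxy address form shown above (https://<CipherTrust Manager-IP>/akeyless-hvp/) and the documented Access-ID..Access-Key token shape, and every token and address value in it is constructed. The helper that writes ~/.vault-token creates the file with mode 0600, because the Access-Key in that file is a long-lived credential and the CLI does not restrict the file's permissions for you.

```shell
#!/bin/sh
# Added example (not from the CSM/Akeyless documentation): helpers that set up
# the Vault CLI for the CSM-hosted Hashicorp Vault Proxy.
# Assumptions: the proxy is served at https://<CipherTrust Manager-IP>/akeyless-hvp/
# and a permanent token looks like Access-ID..Access-Key. Sample values are constructed.

# Build the VAULT_ADDR value for a CipherTrust Manager IP address or hostname.
# Usage: export VAULT_ADDR="$(build_vault_addr 203.0.113.10)"
build_vault_addr() {
    printf 'https://%s/akeyless-hvp/\n' "$1"
}

# Return 0 when the token has the documented "Access-ID..Access-Key" shape:
# two non-empty, dot-free parts separated by exactly two dots. Only the
# structure is checked here; the proxy validates the credential itself.
validate_akeyless_token() {
    printf '%s\n' "$1" | grep -Eq '^[^.[:space:]]+\.\.[^.[:space:]]+$'
}

# Write the token to the given file (normally "$HOME/.vault-token") so that
# only the current user can read it. The umask is set in a subshell so the
# caller's umask is left untouched.
write_vault_token() {
    token="$1"
    dest="$2"
    validate_akeyless_token "$token" || {
        echo "token is not in Access-ID..Access-Key form" >&2
        return 1
    }
    ( umask 077; printf '%s' "$token" > "$dest" ) || return 1
    chmod 600 "$dest"   # also tighten a pre-existing, more permissive file
}
```

After `write_vault_token "$TOKEN" "$HOME/.vault-token"` and `export VAULT_ADDR="$(build_vault_addr <CipherTrust Manager-IP>)"`, the `vault read` and `vault kv` commands in the sections below work unchanged; the token never appears on a command line, so it is not recorded in shell history or visible in the process list.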
Getting a dynamic secret using the Vault CLI
To get a dynamic secret using the Vault CLI, run:
Syntax
vault read {producer-type}/creds/{full/path/to/producer-name}
The supported producer types:
"*"
"db"
"mysql"
"mssql"
"mongodb"
"rdp"
"rabbitmq"
"chef"
"aws"
"azure"
Example Request 1
vault read */creds/prod/ds-db1
vault read db/creds/prod/ds-db1
vault read mysql/creds/prod/ds-db1
Example Response 1
Key Value
--- -----
lease_id */creds/prod/ds-db1/vTyDFRr5m01gVaNBYsokIRop
lease_duration 768h
lease_renewable true
password of6B6IY/~+i$$Z80
username tmp.rnnds.hOKbRAqI5j
Example Request 2
vault read */creds/my-aws-producer
vault read aws/creds/my-aws-producer
Example Response 2
Key Value
--- -----
lease_id */creds/my-aws-producer/25F5E8gupyoi2dQIynoM9nff
lease_duration 768h
lease_renewable true
access_key_id AKIA6IR7NIGBGGDIWW7I
secret_access_key RX8DrsChKJoiFFvqiUKb8wD7pYmwVcfXnAmP/zcL
username tmp.JJRXoSsvDuj1Dp
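A script that consumes a dynamic secret needs the username, password and lease information as variables rather than as a printed table. The following added example (not from the CSM/Akeyless documentation) parses the Key/Value table that `vault read` prints, in the format of the example responses above, and converts the lease duration to seconds so the caller knows when to re-read or renew the credential. The output it parses is constructed inline; with the real CLI the same functions are applied to `"$(vault read db/creds/prod/ds-db1)"`.

```shell
#!/bin/sh
# Added example (not from the CSM/Akeyless documentation): turn the Key/Value
# table printed by `vault read {producer-type}/creds/{producer-name}` into
# shell variables. SAMPLE_READ_OUTPUT is constructed in the format of the
# example responses shown above; none of its values are real credentials.

SAMPLE_READ_OUTPUT='Key                Value
---                -----
lease_id           db/creds/prod/ds-db1/ConstructedLeaseIdXXXXXXXX
lease_duration     768h
lease_renewable    true
password           Constructed/Pa55+word
username           tmp.constructed.user01'

# Print the value for one key of the table, or nothing if the key is absent.
# The body starts after the two header lines; the value is everything after
# the key and the whitespace following it, so values may contain spaces.
read_field() {
    key="$1"
    printf '%s\n' "$2" | awk -v k="$key" \
        'NR > 2 && $1 == k { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
}

# Convert a single-unit lease duration ("768h", "30m", "45s") to seconds.
# Compound durations such as "1h30m" are not handled by this simplified helper.
lease_seconds() {
    case "$1" in
        *h) echo $(( ${1%h} * 3600 )) ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo $(( ${1%s} )) ;;
        *)  echo "$1" ;;
    esac
}

# Walk through one read: extract the fields, log only the non-sensitive ones
# (never the password), and return non-zero if the credential pair is missing.
# Replace SAMPLE_READ_OUTPUT with "$(vault read db/creds/prod/ds-db1)" for real use.
demo_dynamic_secret() {
    out="$SAMPLE_READ_OUTPUT"
    DB_USER=$(read_field username "$out")
    DB_PASS=$(read_field password "$out")
    ttl=$(lease_seconds "$(read_field lease_duration "$out")")
    echo "user=$DB_USER lease_id=$(read_field lease_id "$out") \
expires_in_s=$ttl renewable=$(read_field lease_renewable "$out")"
    [ -n "$DB_USER" ] && [ -n "$DB_PASS" ]
}
```

Because the password is held in a variable and passed to the client through its own mechanism (an environment variable or a credentials file the client reads), it does not end up in shell history or in `ps` output, which is the main practical risk when handling the output of these commands by hand.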
Working with static secrets
Creating/updating a secret
To create a new static secret in Akeyless Vault, run:
vault kv put secret/{secret-name} {my-key}={my-value}
If a static secret with that name already exists, the command adds a new version of that secret.
Getting details of secrets
To get the value of a secret from Akeyless Vault, run:
vault kv get secret/{secret-name}
To get a specific version of the secret, use the version flag.
Example
vault kv get -version=3 secret/{secret-name}
By default, the latest version is returned.
Deleting secrets
To delete a secret from Akeyless Vault, run:
vault kv delete secret/{secret-name}
To delete specific versions of a secret from Akeyless Vault, use the versions flag.
Example
vault kv delete -versions=2,6,15 secret/{secret-name}
To delete all versions, set versions to 0 or -1.
Example
vault kv delete -versions=0 secret/{secret-name}
OR
vault kv delete -versions=-1 secret/{secret-name}
For more details, refer to Hashicorp Vault Proxy documentation.