Hashicorp Vault
Authentication & Configuration
The Vault authentication methods AppRole, Kubernetes and JWT are supported.
They are configured in the .novops.yml configuration file under config.hashivault.auth.
Alternatively, you can obtain a Vault token outside of Novops, for example with the Vault CLI, as described in the section Using Vault CLI below; in that case no auth block is needed.
Example of JWT authentication:

```yaml
config:
  hashivault:
    address: http://localhost:8200
    auth:
      type: JWT
      role: novops-project
      mount_path: gitlab
```
The following configuration parameters are required when configuring Vault authentication:

| Parameter | Value | Description |
|---|---|---|
| type | AppRole, Kubernetes or JWT | Authentication method to use |
| role | string | The Vault role passed on Vault login |
AppRole
```yaml
config:
  hashivault:
    address: http://localhost:8200
    auth:
      type: AppRole
      role: novops-project
      # The role id can also be provided by the environment variable VAULT_AUTH_ROLE_ID
      role_id: <uuid>
      # Path of the file to read the secret id from.
      # The secret id can also be provided by the environment variable VAULT_AUTH_SECRET_ID
      secret_id_path: /path/to/secret
```
The secret id is read from the file at secret_id_path or from the environment variable VAULT_AUTH_SECRET_ID; likewise the role id can come from role_id or from VAULT_AUTH_ROLE_ID.
If the AppRole was created without a secret id bound to it (bind_secret_id=false in Vault), no secret id needs to be provided. The role id is then the only credential, so treat it as a secret and restrict where the role can be used (for example with token_bound_cidrs on the Vault role).
JWT
```yaml
config:
  hashivault:
    address: http://localhost:8200
    auth:
      type: JWT
      role: novops-project
      mount_path: gitlab
      # Path of the file to read the JWT from.
      # The token can also be provided by the environment variable VAULT_AUTH_JWT_TOKEN
      token_path: /path/to/token
```
Kubernetes
```yaml
config:
  hashivault:
    address: http://localhost:8200
    auth:
      type: Kubernetes
      role: novops-project
      mount_path: kubernetes
```
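As an added example (it is not novops's own code), the following Python shows how an auth block like the ones above maps onto Vault's login API: AppRole, JWT and Kubernetes all POST to /v1/auth/<mount>/login, differing only in the body. It follows the page's precedence of environment variable over file for role id, secret id and JWT, and sends no secret_id when none is configured. Assumptions not stated on the page: the mount defaults to the method name when mount_path is omitted, and the Kubernetes method reads the pod's projected service account token from /var/run/secrets/kubernetes.io/serviceaccount/token. build_login, login, FakeVault and the injected read_file/transport callables are illustrative names; all secrets and responses are constructed so the code runs offline.

```python
import os
from pathlib import Path

# Default projected service account token path in a pod (assumption: the
# page's Kubernetes config shows no token_path).
K8S_SA_TOKEN = "/var/run/secrets/kubernetes.io/serviceaccount/token"
# Vault's conventional mount for each method, used when mount_path is omitted
# (assumption about the default; Vault itself mounts them under these names).
DEFAULT_MOUNT = {"approle": "approle", "jwt": "jwt", "kubernetes": "kubernetes"}


def _read(path, read_file):
    # Strip the trailing newline editors add: Vault rejects "secret\n".
    return read_file(path).strip()


def build_login(auth, env=None, read_file=None):
    """Return (path, body) for the POST to Vault, built from a novops `auth` block.

    Secret material precedence follows the page: environment variable first,
    then the configured file path. `read_file` is injectable for tests.
    """
    env = os.environ if env is None else env
    read_file = (lambda p: Path(p).read_text(encoding="utf-8")) if read_file is None else read_file
    kind = auth["type"].lower()
    if kind not in DEFAULT_MOUNT:
        raise ValueError(f"unsupported auth type {auth['type']!r}")
    path = f"/v1/auth/{auth.get('mount_path') or DEFAULT_MOUNT[kind]}/login"

    if kind == "approle":
        role_id = env.get("VAULT_AUTH_ROLE_ID") or auth.get("role_id")
        if not role_id:
            raise ValueError("AppRole needs role_id in config or VAULT_AUTH_ROLE_ID in env")
        body = {"role_id": role_id.strip()}
        # secret_id is optional: a role created with bind_secret_id=false
        # authenticates with the role_id alone, so only send it when present.
        if env.get("VAULT_AUTH_SECRET_ID"):
            body["secret_id"] = env["VAULT_AUTH_SECRET_ID"].strip()
        elif auth.get("secret_id_path"):
            body["secret_id"] = _read(auth["secret_id_path"], read_file)
    elif kind == "jwt":
        jwt = env.get("VAULT_AUTH_JWT_TOKEN") or (
            _read(auth["token_path"], read_file) if auth.get("token_path") else None)
        if not jwt:
            raise ValueError("JWT auth needs VAULT_AUTH_JWT_TOKEN in env or token_path in config")
        body = {"role": auth["role"], "jwt": jwt.strip()}
    else:  # kubernetes: present the pod's service account token as the JWT
        body = {"role": auth["role"],
                "jwt": _read(auth.get("token_path", K8S_SA_TOKEN), read_file)}
    return path, body


def login(auth, transport, env=None, read_file=None):
    """Run the login through transport(method, path, body) -> dict and return
    (client_token, lease_duration). Vault answers errors with an `errors` list
    and no `auth` block, so check for the token explicitly."""
    path, body = build_login(auth, env, read_file)
    resp = transport("POST", path, body)
    token_info = resp.get("auth") or {}
    if "client_token" not in token_info:
        raise RuntimeError(f"Vault login on {path} failed: {resp.get('errors')}")
    return token_info["client_token"], token_info.get("lease_duration", 0)


class FakeVault:
    """Records requests and answers in the shape Vault does (constructed data)."""

    def __init__(self):
        self.requests = []

    def __call__(self, method, path, body):
        self.requests.append((method, path, body))
        if body.get("role_id") == "bad":
            return {"errors": ["invalid role or secret ID"]}
        return {"auth": {"client_token": "hvs.CAESIexample", "lease_duration": 3600,
                         "renewable": True}}


if __name__ == "__main__":
    vault = FakeVault()
    cfg = {"type": "JWT", "role": "novops-project", "mount_path": "gitlab"}
    tok, ttl = login(cfg, vault, env={"VAULT_AUTH_JWT_TOKEN": "eyJ.header.sig\n"})
    print(vault.requests[-1][1], ttl)  # the token itself is deliberately not printed
```

The same function serves all three methods because Vault's login endpoints share one URL shape; what a misconfiguration changes is the body, which is why the example returns it for inspection.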
Using Vault CLI
Authenticating with the Vault CLI (vault login) is enough: Novops picks up the resulting token. You can also use the usual environment variables:

```shell
export VAULT_ADDR=https://vault.company.org
export VAULT_TOKEN="xxx"
```

Or specify the address and/or a token file path in .novops.yml via the root config element:

```yaml
config:
  hashivault:
    address: http://localhost:8200
    token_path: /path/to/token
```
Hashicorp Vault uses tokens for authenticated entities. You can use any authentication method (vault login, web UI, API...) to obtain a valid token.
Novops loads the token from the first of these sources that is set:

1. The VAULT_TOKEN environment variable
2. The file at token_path in .novops.yml
3. The local file ~/.vault-token (written by default by vault login)

Generally, the VAULT_* environment variables understood by the Vault CLI also work with Novops.
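The precedence above, written out as an added example (not novops's own code): resolve_vault_token tries the three sources in order and reports which one won, so a log line can say where the token came from without printing it. It adds one check the page does not mention, refusing a token file that is readable by group or others, since ~/.vault-token is a bearer credential for everything the token can do. resolve_vault_token, SOURCE_* and the in-memory fs stand-in are illustrative names; the token values are constructed.

```python
import os
import stat
from pathlib import Path

# Labels for where the token came from, so a log line can say which source
# won without ever printing the token itself.
SOURCE_ENV = "VAULT_TOKEN environment variable"
SOURCE_CONFIG = "token_path in .novops.yml"
SOURCE_HOME = "~/.vault-token"


def _read_token_file(path, fs=None):
    """Return the token in `path`, or None if the file is absent or empty.

    `fs` is an optional in-memory stand-in for the filesystem (used by the
    tests): a dict mapping path -> (content, mode bits). With fs=None the
    real filesystem is read.
    """
    if fs is None:
        p = Path(path).expanduser()
        if not p.is_file():
            return None
        content, mode = p.read_text(encoding="utf-8"), stat.S_IMODE(p.stat().st_mode)
    elif path in fs:
        content, mode = fs[path]
    else:
        return None
    # Added hardening: a token file readable by group or others hands a bearer
    # credential to every local account, so refuse it instead of using it.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        raise PermissionError(f"{path} is readable by others (mode {mode:04o}); chmod 600 it")
    return content.strip() or None


def resolve_vault_token(env=None, token_path=None, home="~", fs=None):
    """Pick the Vault token in the order Novops uses: VAULT_TOKEN, then
    token_path from .novops.yml, then ~/.vault-token written by `vault login`.
    Returns (token, source); raises LookupError if nothing is found."""
    env = os.environ if env is None else env
    token = (env.get("VAULT_TOKEN") or "").strip()
    if token:
        return token, SOURCE_ENV
    if token_path:
        token = _read_token_file(token_path, fs)
        if token:
            return token, SOURCE_CONFIG
    home_token = str(Path(home).expanduser() / ".vault-token")
    token = _read_token_file(home_token, fs)
    if token:
        return token, SOURCE_HOME
    raise LookupError("no Vault token: set VAULT_TOKEN, token_path, or run `vault login`")


if __name__ == "__main__":
    # Constructed in-memory filesystem: a config token file with a safe mode
    # and a stale, empty ~/.vault-token that must be skipped.
    demo_fs = {"/path/to/token": ("hvs.config-token\n", 0o600),
               "/home/alice/.vault-token": ("", 0o600)}
    _, source = resolve_vault_token(env={}, token_path="/path/to/token",
                                    home="/home/alice", fs=demo_fs)
    print("token loaded from:", source)
```

Note that an empty VAULT_TOKEN (for example exported as "" by a CI template) falls through to the next source rather than being sent as an empty bearer token.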
AWS Secret Engine
The AWS Secret Engine generates temporary STS credentials. The configuration maps directly to Vault's Generate Credentials API: name is the Vault role and role_arn, role_session_name and ttl are passed through as request parameters.
It outputs the environment variables used by most AWS SDKs and tools: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.

```yaml
environments:
  dev:
    hashivault:
      aws:
        mount: aws
        name: dev_role
        role_arn: arn:aws:iam::111122223333:role/dev_role
        role_session_name: dev-session
        ttl: 2h
```
Namespaces
To use a Vault namespace, set the namespace config:

```yaml
config:
  hashivault:
    address: http://localhost:8200
    namespace: my-namespace/child-ns
```

Alternatively, specify the namespace directly in the secret path as described in the Vault documentation.
Key Value v2
Hashicorp Vault Key Value Version 2 with variables and files:

```yaml
environments:
  dev:
    variables:
      - name: APP_PASSWORD
        value:
          hvault_kv2:
            mount: "secret"
            path: "myapp/dev/creds"
            key: "password"
    files:
      - name: SECRET_TOKEN
        dest: .token
        content:
          hvault_kv2:
            # mount defaults to "secret" when omitted
            path: "myapp/dev/creds"
            key: "token"
```
Key Value v1
Hashicorp Vault Key Value Version 1 with variables and files:

```yaml
environments:
  dev:
    variables:
      - name: APP_PASSWORD
        value:
          hvault_kv1:
            path: app/dev
            key: password
            mount: kv1 # Override secret engine mount ('secret' by default)
    files:
      - variable: APP_TOKEN
        content:
          hvault_kv1:
            path: app/dev
            key: token
```
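The AWS, Namespaces, Key Value v2 and Key Value v1 sections above all describe a config entry that turns into one Vault HTTP call. As an added example (not novops's own code), the Python below builds those calls and unwraps the responses, which makes the one difference that trips people up explicit: KV v2 reads GET <mount>/data/<path> and returns the fields under data.data, while KV v1 reads GET <mount>/<path> and returns them directly under data. It uses Vault's documented API shapes (X-Vault-Token and X-Vault-Namespace headers, POST <mount>/creds/<name> for AWS credentials with access_key, secret_key and security_token in the response). kv_request, kv_extract, aws_request, aws_env, resolve_value and FakeVault are illustrative names, the default AWS mount "aws" is an assumption, and every response is constructed so it runs offline.

```python
DEFAULT_KV_MOUNT = "secret"   # page: KV mount is 'secret' by default
DEFAULT_AWS_MOUNT = "aws"     # assumption: Vault's conventional AWS mount


def vault_headers(token, namespace=None):
    """Headers every request carries: the token, plus the namespace when
    config.hashivault.namespace is set (Vault reads X-Vault-Namespace)."""
    headers = {"X-Vault-Token": token}
    if namespace:
        headers["X-Vault-Namespace"] = namespace.strip("/")
    return headers


def kv_request(entry, version):
    """Request for an hvault_kv1/hvault_kv2 entry. KV v2 inserts 'data/'
    between the mount and the secret path; forgetting it gives a 404 that
    looks exactly like a missing secret."""
    mount = entry.get("mount", DEFAULT_KV_MOUNT).strip("/")
    path = entry["path"].strip("/")
    if version == 2:
        return "GET", f"/v1/{mount}/data/{path}"
    if version == 1:
        return "GET", f"/v1/{mount}/{path}"
    raise ValueError(f"unknown KV version {version}")


def kv_extract(resp, key, version):
    """Pull one key out of a KV response: v1 keeps fields under `data`,
    v2 nests them one level deeper under `data.data`."""
    data = resp.get("data") or {}
    if version == 2:
        data = data.get("data") or {}
    if key not in data:
        raise KeyError(f"key {key!r} not in secret (available: {sorted(data)})")
    return data[key]


def aws_request(entry):
    """Generate Credentials call for a hashivault.aws entry; only the
    parameters the config sets are sent, so Vault's role defaults apply."""
    body = {k: entry[k] for k in ("role_arn", "role_session_name", "ttl") if k in entry}
    mount = entry.get("mount", DEFAULT_AWS_MOUNT).strip("/")
    return "POST", f"/v1/{mount}/creds/{entry['name']}", body


def aws_env(resp):
    """Map the AWS engine response onto the env vars the SDKs read.
    STS credentials always carry a session token; its absence means the
    role hands out long-lived IAM user keys instead."""
    d = resp["data"]
    if not d.get("security_token"):
        raise ValueError("no session token in response: these are not STS credentials")
    return {"AWS_ACCESS_KEY_ID": d["access_key"],
            "AWS_SECRET_ACCESS_KEY": d["secret_key"],
            "AWS_SESSION_TOKEN": d["security_token"]}


def resolve_value(value, transport):
    """Resolve a variable `value` / file `content` dict of the form
    {hvault_kv2: {...}} or {hvault_kv1: {...}} via transport(method, path, body)."""
    (kind, entry), = value.items()
    version = {"hvault_kv2": 2, "hvault_kv1": 1}[kind]
    method, path = kv_request(entry, version)
    return kv_extract(transport(method, path, None), entry["key"], version)


class FakeVault:
    """Constructed responses in the shape Vault returns them."""

    def __init__(self):
        self.requests = []

    def __call__(self, method, path, body):
        self.requests.append((method, path, body))
        if path == "/v1/secret/data/myapp/dev/creds":
            return {"data": {"data": {"password": "p4ss", "token": "t0k"},
                             "metadata": {"version": 3}}}
        if path == "/v1/kv1/app/dev":
            return {"data": {"password": "p4ss-v1", "token": "t0k-v1"}}
        if path == "/v1/aws/creds/dev_role":
            return {"data": {"access_key": "ASIAEXAMPLE", "secret_key": "wJalrXUtnFEMI",
                             "security_token": "FQoGZXIvYXdzEXAMPLE"}, "lease_duration": 7200}
        return {"errors": []}  # what a wrong mount or path looks like


if __name__ == "__main__":
    vault = FakeVault()
    print(resolve_value({"hvault_kv2": {"path": "myapp/dev/creds", "key": "token"}}, vault))
    print(vault.requests[-1][1])
```

Reading a v1 secret through the v2 path (or the other way round) does not fail loudly: Vault answers with an empty body, which is why kv_extract lists the keys it did find so the wrong-engine case is recognisable from the error.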