Hashicorp Vault

• Authentication & Configuration
  • AppRole
  • JWT
  • Kubernetes
  • Using Vault CLI
• AWS Secret Engine
• Key Value v2
• Key Value v1

Authentication & Configuration

The Vault authentication methods AppRole, Kubernetes, JWT are supported. They are configured in the .novops.yml configuration file.

You can generate the Vault token externally by using the Vault CLI directly as in section using Vault CLI

Example of JWT authentication:

config:
  hashivault:
    address: http://localhost:8200
    auth:
      type: JWT
      role: novops-project
      mount_path: gitlab

The following configuration parameters are required when configuring Vault authentication:

AppRole

config:
  hashivault:
    address: http://localhost:8200
    auth:
      type: AppRole
      role: novops-project
      # The role id can also be informed by the environment variable VAULT_AUTH_ROLE_ID
      role_id: <uuid>
      # The secret id path to read the secret from. 
      # The secret id can also be informed by the environment variable VAULT_AUTH_SECRET_ID
      secret_id_path: /path/to/secret

The environment variable VAULT_AUTH_SECRET_ID can also be used to inform the secret id.

The AppRole can be created without a secret bound to it, in this case the secret id is not required to be informed.

JWT

config:
  hashivault:
    address: http://localhost:8200
    auth:
      type: JWT
      role: novops-project
      mount_path: gitlab
      # The path to read the jwt token from.
      # The token can be informed by the environment variable VAULT_AUTH_JWT_TOKEN
      token_path: /path/to/token

Kubernetes

config:
  hashivault:
    address: http://localhost:8200
    auth:
      type: Kubernetes
      role: novops-project
      mount_path: kubernetes

Using Vault CLI

Authenticating with vault CLI is enough. You can also use environment variables

VAULT_ADDR=https://vault.company.org
VAULT_TOKEN="xxx"

Or specify address or token path in .novops.yml via root config element

config:
  hashivault:
    address: http://localhost:8200
    token_path: /path/to/token

Hashicorp Vault uses tokens for authenticated entities. You can use any authentication method (vault login, web UI/API...) to get a valid token.

Novops will load token in this order:

• VAULT_TOKEN environment variable
• token_path in .novops.yml
• Local file ~/.vault-token (generated by default with vault login)

Generally, VAULT_* environment variables available for vault CLI will also work with Novops.

AWS Secret Engine

AWS Secret Engine generates temporary STS credentials. Maps directly to Generate Credentials API.

Outputs environment variables used by most AWS SDKs and tools:

• AWS_ACCESS_KEY_ID
• AWS_SECRET_ACCESS_KEY
• AWS_SESSION_TOKEN

environments:
  dev:
    hashivault:
      aws:
        mount: aws
        name: dev_role
        role_arn: arn:aws:iam::111122223333:role/dev_role
        role_session_name: dev-session
        ttl: 2h

Key Value v2

Hashicorp Vault Key Value Version 2 with variables and files:

environment:
  dev:
    variables:
      - name: APP_PASSWORD
        value:
          hvault_kv2:
            mount: "secret"
            path: "myapp/dev/creds"
            key: "password"

    files:
      - name: SECRET_TOKEN
        dest: .token
        content:
          hvault_kv2:
            path: "myapp/dev/creds"
            key: "token"

Key Value v1

Hashicorp Vault Key Value Version 1 with variables and files:

environments:
  dev:
    variables:
      - name: APP_PASSWORD
        value:
          hvault_kv1:
            path: app/dev
            key: password
            mount: kv1 # Override secret engine mount ('secret' by default)
    
    files:
      - variable: APP_TOKEN
        content:
          hvault_kv1:
            path: app/dev
            key: token