Creating a Secret Using the Vault UI
  • 10 Jun 2022


To create a secret within Vault:

  1. Go to the Vault Server UI connected with IAP and log in.

    Figure 1: Vault UI


  2. Click anywhere on the KV bar.

    Figure 2: Secrets Engine KV Bar


  3. Click the Create secret + button.

    Figure 3: Create Secret


  4. Choose a path from the dropdown or enter manually. This must be unique, and it will be important for future steps.

  5. Enter the number of versions to keep for the secret metadata.

  6. In the key field in the secret data section, enter the secret data information. For this example, test_pass was used.

  7. Click the eye icon (button) to make sure the information was added correctly. You can include multiple keys within one path, or use the Add button to enter additional secret data.

  8. Click the Save button when you are finished.

    Figure 4: Save Secret


  9. Secrets may be entered using JSON. The Version 1 dropdown menu pertains to the iteration of the secret entered, not the version of the KV Vault Engine.

    Figure 5: JSON Toggle Switch


  10. The newly created secret will appear alphabetically in the list. From the dropdown menu, a variety of functions may be performed, such as deleting and viewing details.

    Figure 6: Secrets List


Adapters

To set encryption for Adapters:

  1. Go to Admin Essentials, click the Adapters menu, and select an Adapter.

    Figure 7: Select Adapter


  2. Within the adapter you selected, locate the value you would like to encrypt. Click the Advanced View toggle switch to see the JSON, which may be easier to edit.

    Figure 8: Advanced Configuration View


  3. Remove the existing value. Replace it with "$SECRET_" and then the path within Vault to where that secret is stored, followed by " $KEY_" (HINT: there is a space before "$KEY") and the key within that path. An example would be "$SECRET_default_password $KEY_key" which will evaluate to "password".

    Figure 9: Edit Adapter


  4. Click Save and the adapter will automatically restart using Vault to decrypt the changed property.

  5. The adapter should appear in the list with a green status indicator and connection icons after restart.

    Figure 10: Adapter Connected


Profiles

To set encryption for Profiles:

  1. Go to Admin Essentials, click the Profiles tab, and select the currently running profile.

  2. Within this profile, click Configure, and then select one of the profile properties, such as RabbitMQ.

    Figure 11: Edit Profile Properties


  3. Choose a RabbitMQ property to encrypt, such as "password".

  4. Remove the existing value. Replace it with "$SECRET_" and then the path within Vault to where that secret is stored, followed by " $KEY_" (HINT: there is a space before "$KEY") and the key within that path. An example would be "$SECRET_default_password $KEY_key" which will evaluate to "password".

  5. Save the profile.

    Figure 12: Save Profile Properties


  6. Restart IAP for these changes to take effect.

Properties.json

To set encryption for a property:

  1. Open the properties.json and select a property to encrypt, such as "mongoProps.credentials.passwd".


    Note: It is not possible to encrypt any of the vaultProps within the properties.json.


  2. Remove the existing value. Replace it with "$SECRET_" and then the path within Vault to where that secret is stored, followed by " $KEY_" and the key within that path. An example would be "$SECRET_default_password $KEY_key" which will evaluate to "password".

  3. Save the document.

  4. Restart IAP for these changes to take effect.
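
The check below is an added example, not part of the original page or of IAP itself: before restarting IAP, it audits a properties.json-style document for references that do not follow the "$SECRET_<path> $KEY_<key>" form (for instance a missing space before "$KEY_"), for references placed under vaultProps, and for credential-like properties still holding a plaintext value. It assumes paths and keys contain no whitespace and uses a name pattern of its own to guess which properties are sensitive; exampleProps and the key shown under vaultProps are hypothetical names in a constructed sample.

```python
import json
import re

# Reference syntax as described on this page: "$SECRET_<path> $KEY_<key>".
# Assumption: path and key contain no whitespace (the page gives no grammar).
REF = re.compile(r"^\$SECRET_(?P<path>\S+) \$KEY_(?P<key>\S+)$")
# Assumption: property names that usually hold credentials.
SENSITIVE = re.compile(r"pass|secret|token", re.I)

def parse_ref(value):
    """Return (path, key) for a well-formed reference, else None."""
    m = REF.match(value) if isinstance(value, str) else None
    return (m["path"], m["key"]) if m else None

def audit(props, prefix=""):
    """Walk a properties.json-style dict; return sorted (name, finding) pairs."""
    findings = []
    for name, value in props.items():
        dotted = prefix + name
        if isinstance(value, dict):
            findings += audit(value, dotted + ".")
        elif isinstance(value, str):
            is_ref = value.startswith("$SECRET_")
            in_vault_props = dotted.startswith("vaultProps.")
            if is_ref and in_vault_props:
                findings.append((dotted, "vaultProps cannot use a Vault reference"))
            elif is_ref and parse_ref(value) is None:
                findings.append((dotted, "malformed reference"))
            elif not is_ref and not in_vault_props and SENSITIVE.search(name):
                findings.append((dotted, "plaintext value"))
    return sorted(findings)

# Constructed sample; exampleProps and the vaultProps key are hypothetical names.
SAMPLE = json.loads("""
{
  "mongoProps": {"credentials": {"user": "iap", "passwd": "$SECRET_default_password $KEY_key"}},
  "exampleProps": {"password": "$SECRET_default_password$KEY_key", "apiToken": "test_pass"},
  "vaultProps": {"token": "$SECRET_default_password $KEY_key"}
}
""")

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```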

