Enable KV Secrets Engine
30 Mar 2024

Vault KV-V2 Secrets Engine

To enable the KV Secrets Engine for Vault:

  1. Run the command vault secrets enable kv-v2 to enable the KV Secrets Engine. Version 2 (kv-v2) is the recommended version for Vault.

    [Figure 1: Enable KV Engine]

  2. Navigate to /opt/pronghorn/current and edit the properties.json file with the location of the token.txt file. More information on the token file can be found in the Vault properties section below.

    [Figure 2: Edit Properties]

Configure Vault Properties

To use Vault, there must be a vaultProps section within the properties.json file.

Property   Required   Default                 Description
url        Yes        http://localhost:8200   The URL used to connect to Vault, including the hostname and port.
token      Yes        /file/path/token.txt    The file path to a document containing a token. The token is used for authentication to access Vault secrets.
endpoint   Yes        secret/data             The endpoint for the Secrets Engine type that is used.
readOnly   Yes        false                   Controls how secret data is written to Vault. See the readOnly section below for how to configure this property.

The vaultProps section is configured with the following properties:

"vaultProps": {
  "url": "http://localhost:8200",
  "token": "/opt/vault/token.txt",
  "endpoint": "kv-v2/data",
  "readOnly": false
}

Because the path to the Secrets Engine is whatever you configure as the endpoint, the following sample URL shows the configured url followed by v1, which is hard-coded in IAP as the path under which the actual Vault token is used, and then the endpoint.

Example: URL Structure

http://localhost:8200/v1/kv-v2/data

Configuring Read Only in Vault Props

Beginning with the 2021.2 release, a readOnly property was added to vaultProps in the properties.json file. This property allows developers to denote fields that contain sensitive data and manage how secret data is written to Vault. This configurable property defaults to false.

When set as readOnly: true, the following will occur:

  • Masking in the UI will be disabled (turned off).
  • Clear text will be shown.
  • All custom user decorations will be ignored.
  • IAP will not write data to Vault.

WARNING: If passwords are stored within Vault and the readOnly property is initially set to false and later changed to true, all passwords will be lost and must be set manually.
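As an added example (not part of the original article or of IAP itself), the following Python validates the vaultProps section described in the table above, refuses a token.txt that other users can read, builds the <url>/v1/<endpoint> structure shown earlier, and enforces readOnly: true before any write. The temporary file paths and the PLACEHOLDER-TOKEN value are constructed sample data.

```python
import json
import os
import stat
import tempfile

REQUIRED = ("url", "token", "endpoint", "readOnly")

def load_vault_props(properties_path):
    # Return the vaultProps section of properties.json; all four documented properties are required.
    with open(properties_path) as fh:
        vault = json.load(fh).get("vaultProps")
    if vault is None:
        raise ValueError("properties.json has no vaultProps section")
    missing = [k for k in REQUIRED if k not in vault]
    if missing:
        raise ValueError("vaultProps is missing: " + ", ".join(missing))
    return vault

def read_token(token_path):
    # Read the token named by vaultProps.token; refuse a file readable by group or other.
    mode = stat.S_IMODE(os.stat(token_path).st_mode)
    if mode & 0o077:
        raise PermissionError("%s is mode %04o; expected 0600" % (token_path, mode))
    with open(token_path) as fh:
        return fh.read().strip()

def secret_url(vault, secret_path=""):
    # Build <url>/v1/<endpoint>[/<secret_path>], the URL structure shown above.
    url = vault["url"].rstrip("/") + "/v1/" + vault["endpoint"].strip("/")
    return url + "/" + secret_path.strip("/") if secret_path else url

def check_write_allowed(vault):
    # readOnly: true means IAP never writes to Vault; any writer must honour it.
    if vault["readOnly"]:
        raise PermissionError("vaultProps.readOnly is true; writes are disabled")
    return True

def demo():
    # Constructed properties.json and token file in a temp dir (sample data only).
    d = tempfile.mkdtemp()
    token_file = os.path.join(d, "token.txt")
    with open(token_file, "w") as fh:
        fh.write("PLACEHOLDER-TOKEN\n")
    os.chmod(token_file, 0o600)
    props_file = os.path.join(d, "properties.json")
    with open(props_file, "w") as fh:
        json.dump({"vaultProps": {"url": "http://localhost:8200", "token": token_file,
                                  "endpoint": "kv-v2/data", "readOnly": False}}, fh)
    vault = load_vault_props(props_file)
    return secret_url(vault), read_token(vault["token"]), check_write_allowed(vault)
```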

For more information on Vault:
