Enable KV Secrets Engine
Updated on 30 Mar 2024
Vault KV-V2 Secrets Engine
To enable the KV Secrets Engine for Vault:
- Run the command vault secrets enable kv-v2 to enable the KV Secrets Engine. V2 is the recommended version for Vault.
  Figure 1: Enable KV Engine
- Navigate to /opt/pronghorn/current and edit the properties.json file with the location of the token.txt file. More information on the token file can be found in the Vault properties section below.
  Figure 2: Edit Properties
Configure Vault Properties
To use Vault, there must be a vaultProps section within the properties.json file.
Property | Required | Default | Description
---|---|---|---
url | Yes | http://localhost:8200 | The default URL to connect to Vault, including the hostname and port.
token | Yes | /file/path/token.txt | The file path to a document containing a token. The token is used for authentication to access Vault secrets.
endpoint | Yes | secret/data | The endpoint for the Secrets Engine type that is used.
readOnly | Yes | false | Used to manage how secret data is written to Vault. See the section below on how to configure the readOnly property.
The vaultProps section is configured with the following properties:
"vaultProps": {
  "url": "http://localhost:8200",
  "token": "/opt/vault/token.txt",
  "endpoint": "kv-v2/data",
  "readOnly": false
}
Because the path to the Secrets Engine is whatever unique endpoint you set, the following sample URL shows how IAP composes the request: the Vault url, the v1 API prefix that is hard-coded in IAP, and the configured endpoint. The token itself is not part of the URL; it is read from the file path given in the token property.
Example: URL Structure
http://localhost:8200/v1/kv-v2/data
Configuring Read Only in Vault Props
Beginning with the 2021.2 release, a readOnly property was added to vaultProps in the properties.json file. This property allows developers to denote fields that contain sensitive data and manage how secret data is written to Vault. This configurable property defaults to false.
When set as readOnly: true, the following will occur:
- Masking in the UI will be disabled (turned off).
- Clear text will be shown.
- All custom user decorations will be ignored.
- IAP will not write data to Vault.
⚠ WARNING: If there are passwords stored within Vault and the readOnly property is initially set to false, and then later changed to true, all passwords will be lost and have to be set manually.
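The following added example (not part of the Itential documentation or product) checks a vaultProps section before it is deployed: it composes the request URL exactly as described above (url, then v1, then endpoint), reads the token from the configured file while refusing a token file that other users can read, and flags a readOnly change from false to true against a previously deployed copy, since the warning above says that change loses the passwords stored in Vault. The function names, the sample dict and the http-to-remote-host check are this example's own assumptions.

```python
"""Pre-deployment check for the vaultProps section of an IAP properties.json (added example)."""
import os
import stat
from urllib.parse import urlparse

REQUIRED = ("url", "token", "endpoint", "readOnly")
API_VERSION = "v1"  # Vault HTTP API prefix that IAP places between url and endpoint

# Constructed sample, mirroring the vaultProps block shown in the documentation.
SAMPLE_PROPS = {
    "url": "http://localhost:8200",
    "token": "/opt/vault/token.txt",
    "endpoint": "kv-v2/data",
    "readOnly": False,
}


def secrets_url(props):
    """Compose the URL IAP requests, e.g. http://localhost:8200/v1/kv-v2/data."""
    return f"{props['url'].rstrip('/')}/{API_VERSION}/{props['endpoint'].strip('/')}"


def read_token(path):
    """Return the token from the file, rejecting a file readable by group or others."""
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by group or others; chmod 600 it")
    with open(path, encoding="utf-8") as handle:
        return handle.read().strip()  # token.txt must hold only the token


def validate_vault_props(props, previous=None):
    """Return a list of problems with props; an empty list means it is acceptable."""
    problems = [f"missing required property {key!r}" for key in REQUIRED if key not in props]
    if problems:
        return problems
    parsed = urlparse(props["url"])
    if parsed.scheme not in ("http", "https"):
        problems.append("url must start with http:// or https://")
    elif parsed.scheme == "http" and parsed.hostname not in ("localhost", "127.0.0.1"):
        problems.append("plain http to a non-local Vault sends the token in clear text")
    if not isinstance(props["readOnly"], bool):
        problems.append("readOnly must be a JSON boolean, not a string")
    elif previous is not None and previous.get("readOnly") is False and props["readOnly"]:
        problems.append("readOnly flipped false -> true: passwords stored in Vault will be lost")
    if not props["endpoint"].rstrip("/").endswith("/data"):
        problems.append("endpoint does not end in /data; a KV-V2 mount is read at <mount>/data")
    return problems


if __name__ == "__main__":
    print(secrets_url(SAMPLE_PROPS), validate_vault_props(SAMPLE_PROPS) or "ok")
```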
Related Reading
For more information on Vault:
- See the official HashiCorp Vault Secrets Engine documentation.
- Refer to the Secrets Engines tutorial.