HashiCorp Vault

Overview

To manage secrets and help protect data, Itential Automation Gateway now supports HashiCorp Vault, a secrets management tool that secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets, and that also provides key revocation, key rolling, and auditing. HashiCorp Vault also provides secrets-as-a-service through a unified API. For more information, please visit the HashiCorp Learn page.

Automation Gateway (AG) contains a Script Execution Engine that interacts with the key-value secrets stored in HashiCorp Vault. The AG server can fetch secrets stored on a Vault server at runtime and pass the values as command line arguments or environment variables when executing a script. Users need to provide Vault server connection parameters in their AG properties.yml configuration file.

Sample Script

Below is a sample Python script that takes one command line argument.

#!/usr/bin/env python

import sys

if len(sys.argv) > 1:
  print(f"The secret of foo is {sys.argv[1]}.")
else:
  print("No secret argument passed in")

User Schema Decoration

In order to use a Vault secret, you first need to add a user schema to the script. Assuming the script is named python_secret_demo.py, you can add the schema below to this script. Refer to the User Decorations guide for more detail on how a user schema works.

{
    "schema": {
        "title": "schema for python secret",
        "type": "object",
        "properties": {
            "foo": {
                "type": "secret"
            }
        },
        "script_argument_order": ["foo"]
    }
}

Here we define a parameter named foo with type secret. This parameter also needs to be listed in script_argument_order so that AG knows which command line position to pass it in.

Sample Script Payload

Assume the Vault secret you want to fetch is saved in path hello with key name foo. To execute the script with a secret, run POST /api/v2.0/scripts/python_secret_demo.py/execute with the following payload.

{
  "args": {
    "foo": {
      "path": "hello",
      "key_name": "foo"
    }
  },
  "env": {},
  "hosts": []
}

Sample Response Object

Below is the response object you get from the above example. The secret of foo is bar in this case.

[
    {
        "status": "SUCCESS",
        "stdout": "The secret of foo is bar.\n",
        "stderr": "",
        "command": "/app/devtools/scripts/python_secret_demo.py bar",
        "env": [],
        "msg": "",
        "argument_warnings": null,
        "env_warnings": null,
        "working_directory": "/root",
        "raw_result": {
            "rc": 0
        }
    }
]
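To make the schema, payload and response above concrete, here is an added illustrative model of the argument resolution step (this is not Automation Gateway's own code). It assumes a constructed in-memory stand-in for the Vault KV engine (FAKE_VAULT_KV) and two hypothetical helpers, resolve_secret and build_command, and shows how a {"path", "key_name"} reference becomes the positional argument seen in the response's command field, and what a caller should see when the referenced secret does not exist.

```python
import shlex

# Constructed stand-in for the Vault KV engine: path -> {key_name: value}.
# In a real deployment AG fetches these from the Vault server configured in properties.yml.
FAKE_VAULT_KV = {
    "hello": {"foo": "bar"},
}

# The user schema from the page, as attached to python_secret_demo.py.
SCHEMA = {
    "title": "schema for python secret",
    "type": "object",
    "properties": {"foo": {"type": "secret"}},
    "script_argument_order": ["foo"],
}

def resolve_secret(ref, kv=FAKE_VAULT_KV):
    """Return the value behind a {"path": ..., "key_name": ...} reference, or None if absent."""
    return kv.get(ref.get("path"), {}).get(ref.get("key_name"))

def build_command(script, schema, args, kv=FAKE_VAULT_KV):
    """Resolve secret-typed args and order them per script_argument_order.

    Returns (argv, warnings). A missing or malformed secret reference is
    reported as a warning instead of silently passing an empty value."""
    argv, warnings = [script], []
    for name in schema["script_argument_order"]:
        prop = schema["properties"].get(name, {})
        value = args.get(name)
        if prop.get("type") == "secret":
            if not isinstance(value, dict):
                warnings.append(f"{name}: secret argument must be a path/key_name object")
                continue
            resolved = resolve_secret(value, kv)
            if resolved is None:
                warnings.append(f"{name}: no secret at path {value.get('path')!r} "
                                f"with key {value.get('key_name')!r}")
                continue
            value = resolved
        if value is None:
            warnings.append(f"{name}: argument not supplied")
            continue
        argv.append(str(value))
    return argv, warnings

if __name__ == "__main__":
    payload = {"args": {"foo": {"path": "hello", "key_name": "foo"}}, "env": {}, "hosts": []}
    argv, warnings = build_command("/app/devtools/scripts/python_secret_demo.py", SCHEMA, payload["args"])
    print(shlex.join(argv), warnings)
```

As the sample response shows, a secret passed this way appears in plain text in both the command string and stdout, so treat AG execution responses and any logs that capture them as sensitive.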

Execute Script from IAG UI

If you are executing the script from the Automation Gateway (AG) web interface, a blue triangle will appear to the left of python_secret_demo.py once you have added the user schema to the script.

Figure 1: Execute Script from UI

On the Execute tab, you can run the script by filling in the path and key_name values without quotes. The response object is the same as when executing from the API.

Figure 2: Execute Script Result

What's Next