HashiCorp Vault integration

To manage secrets and help protect data, Itential Automation Gateway (IAG) supports HashiCorp Vault, a secrets management tool that secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets along with key revocation, key rolling, and auditing. HashiCorp Vault also provides secrets-as-a-service through a unified API. For more information, visit HashiCorp Learn.

IAG contains a Script Execution Engine that interacts with the key-value secrets stored in HashiCorp Vault. The IAG server can fetch secrets stored on a Vault server at runtime and pass the values as command line arguments or environment variables when executing a script.

Sample script

Below is a sample Python script that takes one command line argument.

#!/usr/bin/env python3

import sys

if len(sys.argv) > 1:
    print(f"The secret of foo is {sys.argv[1]}.")
else:
    print("No secret argument passed in")

User schema decoration

To use a Vault secret, you first need to add a user schema to the script. Assuming the script is named python_secret_demo.py, you can add the schema below to this script. See Manage decorations for more information on how a user schema works.

{
  "schema": {
    "title": "schema for python secret",
    "type": "object",
    "properties": {
      "foo": {
        "type": "secret"
      }
    },
    "script_argument_order": ["foo"]
  }
}

Here we define a parameter named foo with type secret. This parameter also needs to be part of script_argument_order.

Sample script payload

Assume the Vault secret you want to fetch is saved at path hello under the key name foo. To execute the script with a secret, run POST /api/v2.0/scripts/python_secret_demo.py/execute with the following payload.

{
  "args": {
    "foo": {
      "path": "hello",
      "key_name": "foo"
    }
  },
  "env": {},
  "hosts": []
}

Sample response object

Below is the response object you get from the above example. The secret of foo is bar in this case.

[
  {
    "status": "SUCCESS",
    "stdout": "The secret of foo is bar.\n",
    "stderr": "",
    "command": "/app/devtools/scripts/python_secret_demo.py bar",
    "env": [],
    "msg": "",
    "argument_warnings": null,
    "env_warnings": null,
    "working_directory": "/root",
    "raw_result": {
      "rc": 0
    }
  }
]
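The following is an added illustration, not IAG's own code, of how the user schema, the execute payload and a KV secrets engine combine into the argument list the script receives. The KV store, the script path and the redaction helper are constructed for the example; the schema and payload are the ones shown above.

```python
"""Constructed illustration (not IAG's code) of resolving secret-typed
arguments from a user schema and an execute payload into the script's argv,
and of redacting the resolved value before it is written to a log."""

# Constructed stand-in for the Vault KV engine: path -> {key_name: value}.
FAKE_KV = {"hello": {"foo": "bar"}}

# The user schema from this page, as a Python dict.
USER_SCHEMA = {
    "schema": {
        "title": "schema for python secret",
        "type": "object",
        "properties": {"foo": {"type": "secret"}},
        "script_argument_order": ["foo"],
    }
}

# The execute payload from this page.
PAYLOAD = {
    "args": {"foo": {"path": "hello", "key_name": "foo"}},
    "env": {},
    "hosts": [],
}


def resolve_secret(ref, kv=FAKE_KV):
    """Turn a {"path": ..., "key_name": ...} reference into the stored value."""
    if not isinstance(ref, dict) or set(ref) != {"path", "key_name"}:
        raise ValueError("a secret argument must be an object with exactly path and key_name")
    try:
        return kv[ref["path"]][ref["key_name"]]
    except KeyError:
        raise KeyError(f"no key {ref['key_name']!r} at path {ref['path']!r}") from None


def build_argv(script, payload, user_schema=USER_SCHEMA, kv=FAKE_KV):
    """Order arguments by script_argument_order, resolving secret-typed ones.

    Returns (argv, secret_values); the second list is what must never be logged.
    """
    props = user_schema["schema"]["properties"]
    order = user_schema["schema"]["script_argument_order"]
    args = payload.get("args", {})
    argv, secret_values = [script], []
    for name in order:
        if name not in args:
            raise ValueError(f"payload is missing argument {name!r}")
        if props.get(name, {}).get("type") == "secret":
            value = str(resolve_secret(args[name], kv))
            secret_values.append(value)
        else:
            value = str(args[name])
        argv.append(value)
    return argv, secret_values


def render_command(argv, secret_values, redact=True):
    """The 'command' string; with redact=True each secret is replaced by a marker."""
    shown = [("<redacted>" if redact and a in secret_values else a) for a in argv]
    return " ".join(shown)


if __name__ == "__main__":
    argv, secrets = build_argv("/app/devtools/scripts/python_secret_demo.py", PAYLOAD)
    print(render_command(argv, secrets, redact=False))  # matches the response's command field
    print(render_command(argv, secrets))                # what a persisted log line should show
```

Note that in the sample response above the resolved value (bar) appears in clear text in the command field, and a value passed as a command line argument is also visible to other local users through the process list while the script runs. Passing the value as an environment variable, which IAG also supports, avoids the process-list exposure; in either case the response and any execution logs should be treated as sensitive or redacted as the helper above does.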

This feature may have different behavior between releases.

Execute script from IAG UI

If you are executing the script from the IAG web interface, after you add the user schema to the script, a blue triangle will appear to the left of python_secret_demo.py.

Script list showing python_secret_demo.py with user schema indicator

When the Scripts list is too long for the navigation menu, a scrollbar is displayed. Also, if the script name is very long, an ellipsis is used to reflect there is overflow text.

On the Execute tab, you can run the script by filling in the path and key_name fields without quotes. The response object is the same as when executing from the API.

Execute tab showing path and key_name fields with response output

Configure Vault AppRole authentication

Beginning with the 4.3.0 release, Itential Automation Gateway (IAG) includes support for HashiCorp Vault AppRole authentication for retrieving secrets to validate requests from clients. This involves enabling the approle auth method and providing the role_id and secret_id. The role_id is analogous to a username, while the secret_id is like a password.

1. Create a Vault policy

Create a Vault policy in HashiCorp Vault for the role you are going to create. The example below creates a policy called "aaapsfpassword only". The policy allows login to HashiCorp Vault, and also allows read access to a kv-v2 engine secret called "aaaPSFPassword".

Vault policy configuration in HashiCorp

2. Enable the HashiCorp AppRole authentication method

Enable the HashiCorp AppRole access control authentication method.

Enabling the AppRole authentication method

3. Create an AppRole connected to the policy

In a terminal, create an AppRole connected to the policy.

$ vault write auth/approle/role/my-psf-password-role \
    policies="aaapsfpassword only" \
    secret_id_ttl=10m \
    token_ttl=1h \
    token_max_ttl=4h

4. Get the role_id for the new AppRole role

Get the role_id for the new AppRole role. Copy and paste the role_id into the Vault Role ID field on the IAG Vault Configuration form.

$ vault read auth/approle/role/my-psf-password-role/role-id

Key        Value
---        -----
role_id    5b8c2892-c9d1-2f6e-669b-fe6ae8ce393f

5. Get the secret_id for the AppRole

Get the secret_id for the AppRole. Copy and paste it into the Vault Secret ID field on the IAG Vault configuration form.

$ vault write -f auth/approle/role/my-psf-password-role/secret-id

Key                   Value
---                   -----
secret_id             6929696d-3078-ac07-3d17-a556c26da23d
secret_id_accessor    268383a3-2345-301f-945e-d42c13a9d8b1
secret_id_ttl         10m

6. Select the Vault AppRole Auth checkbox

Select the Vault AppRole Auth checkbox on the IAG Vault configuration form.

7. Modify the Vault Server and Vault Access Token fields

Modify the Vault Server and Vault Access Token fields to the exact paths.

8. Save your changes

Save your changes. A banner displays to confirm the configuration successfully updated.

Configuration successfully updated banner

You can return to the terminal to observe the message Authenticating using Vault AppRole credentials.

Terminal output showing AppRole authentication in use

AppRole credentials take precedence over tokens; when AppRole is enabled, the system uses these credentials to connect to the Vault server. If AppRole is not enabled, the system falls back to using token-based authentication.

IAG configuration with AppRole authentication disabled
Terminal output showing token-based authentication fallback
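As an added illustration (not IAG's or HashiCorp's own code) of the exchange behind the AppRole steps above and of the precedence rule just described: log in with role_id and secret_id, read a KV-v2 key with the returned client token, and fall back to a static token when AppRole is disabled. It assumes Vault's HTTP API v1, a KV-v2 engine mounted at secret/, and uses a constructed in-memory stand-in for the Vault server so it runs offline; the Vault address, tokens and the fake_vault transport are made up for the example, while the role_id and secret_id are the sample values shown on this page.

```python
"""Constructed illustration (not IAG's or HashiCorp's code) of AppRole login
followed by a KV-v2 read, with token-based fallback when AppRole is disabled.
Assumes Vault HTTP API v1 and a KV-v2 engine mounted at secret/."""
import json
import urllib.request

# Constructed configuration; the ids are the sample values shown on this page.
APPROLE_CONFIG = {
    "approle_enabled": True,
    "role_id": "5b8c2892-c9d1-2f6e-669b-fe6ae8ce393f",
    "secret_id": "6929696d-3078-ac07-3d17-a556c26da23d",
}
TOKEN_CONFIG = {"approle_enabled": False, "token": "hvs.CONSTRUCTED-static-token"}


def choose_auth(config):
    """AppRole credentials take precedence; otherwise fall back to the static token."""
    if config.get("approle_enabled"):
        return ("approle", config["role_id"], config["secret_id"])
    return ("token", config["token"])


def approle_login_request(vault_addr, role_id, secret_id):
    """POST /v1/auth/approle/login carrying both halves of the credential."""
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    return urllib.request.Request(
        f"{vault_addr.rstrip('/')}/v1/auth/approle/login", data=body,
        headers={"Content-Type": "application/json"}, method="POST")


def parse_login_response(body):
    """Return (client_token, lease_duration_seconds) from the login reply."""
    auth = json.loads(body)["auth"]
    return auth["client_token"], int(auth["lease_duration"])


def kv2_read_request(vault_addr, token, path, mount="secret"):
    """GET /v1/<mount>/data/<path>; the token travels in the X-Vault-Token header."""
    return urllib.request.Request(
        f"{vault_addr.rstrip('/')}/v1/{mount}/data/{path}",
        headers={"X-Vault-Token": token}, method="GET")


def parse_kv2_value(body, key_name):
    """KV-v2 nests the user's keys under data.data; pick out a single key."""
    data = json.loads(body)["data"]["data"]
    if key_name not in data:
        raise KeyError(f"key {key_name!r} not present in secret")
    return data[key_name]


def fetch_secret(vault_addr, config, path, key_name, send=None):
    """Full round trip. `send` maps a Request to response bytes (real HTTP by default)."""
    send = send or (lambda req: urllib.request.urlopen(req).read())
    auth = choose_auth(config)
    if auth[0] == "approle":
        token, _lease = parse_login_response(
            send(approle_login_request(vault_addr, auth[1], auth[2])))
    else:
        token = auth[1]
    return parse_kv2_value(send(kv2_read_request(vault_addr, token, path)), key_name)


# Constructed in-memory Vault so the example runs without a server.
_FAKE_APPROLE_TOKEN = "hvs.CONSTRUCTED-approle-token"
_FAKE_STORE = {"secret/data/hello": {"foo": "bar"}}


def fake_vault(req):
    """Stand-in transport that answers like a Vault server, with constructed data."""
    url_path = req.full_url.split("/v1/", 1)[1]
    if req.get_method() == "POST" and url_path == "auth/approle/login":
        creds = json.loads(req.data)
        expected = (APPROLE_CONFIG["role_id"], APPROLE_CONFIG["secret_id"])
        if (creds["role_id"], creds["secret_id"]) != expected:
            raise PermissionError("invalid role_id or secret_id")
        return json.dumps({"auth": {"client_token": _FAKE_APPROLE_TOKEN,
                                    "lease_duration": 3600,
                                    "policies": ["default", "aaapsfpassword only"]}}).encode()
    headers = {k.lower(): v for k, v in req.header_items()}
    if headers.get("x-vault-token") not in (_FAKE_APPROLE_TOKEN, TOKEN_CONFIG["token"]):
        raise PermissionError("permission denied")
    if url_path not in _FAKE_STORE:
        raise KeyError("no secret at " + url_path)
    return json.dumps({"data": {"data": _FAKE_STORE[url_path],
                                "metadata": {"version": 1}}}).encode()


if __name__ == "__main__":
    addr = "https://vault.example.invalid:8200"  # placeholder address
    print(fetch_secret(addr, APPROLE_CONFIG, "hello", "foo", send=fake_vault))
    print(fetch_secret(addr, TOKEN_CONFIG, "hello", "foo", send=fake_vault))
```

Two details follow from the values on this page: the role was created with secret_id_ttl=10m, so a generated secret_id must be entered into the IAG form and used within ten minutes or regenerated with the same vault write -f command; and because a KV-v2 engine serves reads from <mount>/data/<path>, the policy from step 1 needs read capability on that data path for the login token to retrieve the secret.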