Accessing Hashicorp Vault Secrets with Vault Functions (deprecated)
Data Collector can use Hashicorp Vault functions to access information, called secrets, stored in Hashicorp Vault.
You can use Vault secrets in place of username and password properties, similar properties such as AWS access key IDs and secret access keys, and in HTTP headers and bodies when using HTTPS.
To access Vault secrets using the Vault functions, configure properties for Data Collector to access Vault. Then, use Vault functions in the pipeline to access Vault at run time.
- Configure the Hashicorp Vault connection properties.
- In the pipeline, use Vault functions to access Hashicorp Vault secrets.
Step 1. Configure Hashicorp Vault Properties
To enable Data Collector to connect to Hashicorp Vault, configure the following files located in the $SDC_CONF directory:
- Vault properties file - The vault.properties file contains a single Vault EL property that you must uncomment to use the deprecated Vault functions.
- Credential stores properties file - The credential-stores.properties file contains the remaining Vault properties. The Vault server URL, Role ID, and Secret ID are required properties. Configure other properties as needed. Note: The credentialStore.vault.def and credentialStore.vault.config.pathKey.separator properties are not used by the Vault functions. You can ignore these properties.
Restart Data Collector to enable the changes to both files.
Step 2. Call Hashicorp Vault from the Pipeline
After enabling Data Collector to access Hashicorp Vault, use the Vault functions in pipeline and stage properties to access Vault secrets.
The expression language provides Vault functions to return Vault secrets. You can use Vault functions in username, password, and similar properties such as AWS access key IDs and secret access keys. You can also use the functions in HTTP headers and bodies when using HTTPS.
- vault:read()
- Use to return the value for the Vault path and key that you provide. Typically, you'll use this function to access secrets.
- vault:readWithDelay()
- Use to return the value for the specified Vault path and key with a delay. Use this function to incorporate a delay in the response to allow time for other processes to complete.
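The two steps above, carried through end to end, as an added example that is not taken from the Data Collector documentation or its shipped configuration files. Only credentialStore.vault.def and credentialStore.vault.config.pathKey.separator appear on this page; every other property name below (the vault.properties EL toggle, the addr, role.id and secret.id keys), the Vault path and keys, and the argument order of vault:read() and vault:readWithDelay() are assumptions to be checked against the comments in your own $SDC_CONF files before use.

```properties
# Added example; not from the Data Collector documentation. Property names other than
# credentialStore.vault.def and credentialStore.vault.config.pathKey.separator, the Vault
# path/key names, and the vault:* argument order are ASSUMPTIONS: verify them against the
# comments shipped in your $SDC_CONF files.

# ---- $SDC_CONF/vault.properties ----
# The single Vault EL property. The shipped file has it commented out; uncommenting it is
# what turns on the deprecated vault:* functions. (Property name assumed.)
vault.enable.el=true

# ---- $SDC_CONF/credential-stores.properties ----
# Required: Vault server URL plus the AppRole credentials Data Collector logs in with.
# Use an https URL so the Secret ID and the returned secrets never cross the wire in clear.
credentialStore.vault.config.addr=https://vault.example.internal:8200
credentialStore.vault.config.role.id=<role-id-from-vault>
credentialStore.vault.config.secret.id=<secret-id-from-vault>
# These two are read only by the Vault credential store, not by the Vault functions,
# so they can stay exactly as shipped:
# credentialStore.vault.def=<unchanged>
# credentialStore.vault.config.pathKey.separator=<unchanged>

# ---- Pipeline / stage property values (expression language) ----
# Before: a plaintext credential stored inside the exported pipeline JSON.
#   Password:  s3cr3t-db-passw0rd
# After: resolved from Vault at run time; the pipeline definition holds only the reference.
#   Username:  ${vault:read("secret/sdc/warehouse", "username")}
#   Password:  ${vault:read("secret/sdc/warehouse", "password")}
# Same lookup, but wait before the value is returned (delay argument and unit assumed):
#   Password:  ${vault:readWithDelay("secret/sdc/warehouse", "password", 2000)}
```

Two checks worth making once this is in place: the Secret ID in credential-stores.properties is itself a secret, so the file should be readable only by the account Data Collector runs as, and the AppRole's Vault policy should grant read on just the paths the pipelines reference rather than on the whole secret mount. Both files take effect only after Data Collector is restarted, so a pipeline that still shows the old plaintext value after editing has usually been run against the pre-restart configuration.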
For more information, see Miscellaneous Functions.