HashiCorp Vault secret provider¶
The HashiCorp Vault secret provider retrieves secrets from Vault's KeyValue (KV) secret engine and exposes them to your application through the secret store.
⛔ Synchronous secret retrieval is not supported by this provider; retrieve secrets asynchronously.
Installation¶
Adding secrets from HashiCorp Vault into the secret store requires the following package:
`Install-Package GridLab.Abp.Security.Providers.HashiCorpVault`
Configuration¶
After installing the package, the following extension methods become available when building the secret store. Use HTTPS for the Vault address in all cases: the authentication credentials and every retrieved secret travel over that connection.
using System.IO;
using Microsoft.Extensions.Hosting;
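public class Program
{
    /// <summary>Application entry point: builds and runs the host.</summary>
    /// <param name="args">Command-line arguments forwarded to the host builder.</param>
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    /// <summary>
    /// Creates the host builder and registers the HashiCorp Vault secret provider in the secret store.
    /// The three registration styles (UserPass, Kubernetes, raw VaultSharp settings) are each shown once,
    /// followed by the overloads that override their defaults; pick the one that matches your deployment.
    /// </summary>
    /// <param name="args">Command-line arguments forwarded to <c>Host.CreateDefaultBuilder</c>.</param>
    /// <returns>The configured <see cref="IHostBuilder"/>; the caller builds and runs it.</returns>
    public static IHostBuilder CreateHostBuilder(string[] args)
    {
        return Host.CreateDefaultBuilder(args)
            .ConfigureSecretStore((context, config, builder) =>
            {
                // Adding the HashiCorp Vault secret provider with the built-in overloads.
                // =======================================================================
                // Always address Vault over HTTPS: the credentials used to authenticate and every
                // secret that is retrieved travel over this connection.
                //
                // UserPass authentication built-in overload:
                // ------------------------------------------
                builder.AddHashiCorpVaultWithUserPass(
                    // URI where the HashiCorp Vault is running.
                    vaultServerUriWithPort: "https://uri.to.your.running.vault:5200",
                    // Username/Password combination to authenticate with the vault.
                    // Do not hard-code the password in source: read it from configuration
                    // (environment variable, user secrets, ...) so it never lands in the repository.
                    username: config["Vault:UserPass:Username"],
                    password: config["Vault:UserPass:Password"],
                    // Path where the secrets are stored in the KeyValue secret engine.
                    secretPath: "my-secrets"
                );

                // Following defaults can be overridden:
                // Mount point of UserPass authentication (default: userpass).
                builder.AddHashiCorpVaultWithUserPass(..., options => options.UserPassMountPoint = "myuserpass");
                // Version of the KeyValue secret engine (default: V2).
                builder.AddHashiCorpVaultWithUserPass(..., options => options.KeyValueVersion = VaultKeyValueSecretEngineVersion.V1);
                // Mount point of KeyValue secret engine (default: kv-v2).
                builder.AddHashiCorpVaultWithUserPass(..., options => options.KeyValueMountPoint = "secret");

                // Adding the HashiCorp Vault secret provider with UserPass authentication, using `-` instead of `:` when looking up secrets.
                // Example - When looking up `Foo:Bar` it will be changed to `Foo-Bar`.
                builder.AddHashiCorpVaultWithUserPass(..., mutateSecretName: secretName => secretName.Replace(":", "-"));

                // Providing a unique name to this secret provider so it can be looked up later.
                // See: "Retrieve a specific secret provider from the secret store"
                builder.AddHashiCorpVaultWithUserPass(..., name: "HashiCorp");

                // Kubernetes authentication built-in overload:
                // --------------------------------------------
                builder.AddHashiCorpVaultWithKubernetes(
                    // URI where the HashiCorp Vault is running.
                    vaultServerUriWithPort: "https://uri.to.your.running.vault:5200",
                    // Role name of the Kubernetes service account (as configured on the Vault Kubernetes auth method).
                    roleName: "admin",
                    // JSON web token (JWT) of the Kubernetes service account.
                    // Kubernetes mounts the pod's service-account token at this well-known path;
                    // read it from there instead of pasting a token literal into source.
                    jwt: File.ReadAllText("/var/run/secrets/kubernetes.io/serviceaccount/token"),
                    // Path where the secrets are stored in the KeyValue secret engine.
                    secretPath: "my-secrets"
                );

                // Mount point of Kubernetes authentication (default: kubernetes).
                builder.AddHashiCorpVaultWithKubernetes(..., options => options.KubernetesMountPoint = "mykubernetes");
                // Version of the KeyValue secret engine (default: V2).
                builder.AddHashiCorpVaultWithKubernetes(..., options => options.KeyValueVersion = VaultKeyValueSecretEngineVersion.V1);
                // Mount point of KeyValue secret engine (default: kv-v2).
                builder.AddHashiCorpVaultWithKubernetes(..., options => options.KeyValueMountPoint = "secret");

                // Adding the HashiCorp Vault secret provider with Kubernetes authentication, using `-` instead of `:` when looking up secrets.
                // Example - When looking up `Foo:Bar` it will be changed to `Foo-Bar`.
                builder.AddHashiCorpVaultWithKubernetes(..., mutateSecretName: secretName => secretName.Replace(":", "-"));

                // Providing a unique name to this secret provider so it can be looked up later.
                // See: "Retrieve a specific secret provider from the secret store"
                builder.AddHashiCorpVaultWithKubernetes(..., name: "HashiCorp");

                // Custom settings overload for when using the [VaultSharp](https://github.com/rajanadar/VaultSharp) settings directly:
                // --------------------------------------------------------------------------------------------------------------------
                // NOTE: TokenAuthMethodInfo and VaultClientSettings come from the VaultSharp package;
                // add its `using` directives to this file.
                // The Vault token is a bearer credential: source it from configuration, never from a literal.
                var tokenAuthentication = new TokenAuthMethodInfo(config["Vault:Token"]);
                var settings = new VaultClientSettings("https://uri.to.your.running.vault:5200", tokenAuthentication);
                builder.AddHashiCorpVault(
                    settings,
                    // Path where the secrets are stored in the KeyValue secret engine.
                    secretPath: "my-secrets");

                // Version of the KeyValue secret engine (default: V2).
                builder.AddHashiCorpVault(..., options => options.KeyValueVersion = VaultKeyValueSecretEngineVersion.V1);
                // Mount point of KeyValue secret engine (default: kv-v2).
                builder.AddHashiCorpVault(..., options => options.KeyValueMountPoint = "secret");

                // Adding the HashiCorp Vault secret provider, using `-` instead of `:` when looking up secrets.
                // Example - When looking up `Foo:Bar` it will be changed to `Foo-Bar`.
                builder.AddHashiCorpVault(..., mutateSecretName: secretName => secretName.Replace(":", "-"));

                // Providing a unique name to this secret provider so it can be looked up later.
                // See: "Retrieve a specific secret provider from the secret store"
                builder.AddHashiCorpVault(..., name: "HashiCorp");
            })
            .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
    }
}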