EDG Integration with HashiCorp Vault

Install and configure HashiCorp Vault:

  1. Ensure the Vault listener is configured to use TLS

  2. Enable the key-value secrets engine

  3. Create an ACL policy called edg:

    path "kv/data/edg/secure-storage/*" {
       capabilities = [ "create", "read", "update", "delete" ]
    }
    
    path "kv/metadata/edg/secure-storage" {
       capabilities = [ "list" ]
    }
    
  4. Enable the AppRole or TLS Certificate auth method

  5. If using AppRole auth, do the following:

    1. Create an approle called edg that uses the edg policy:

      vault write auth/approle/role/edg token_policies="edg" token_ttl=1h token_max_ttl=4h
      
    2. Get the role-id for the edg approle:

      vault read auth/approle/role/edg/role-id
      
    3. Generate a secret-id for the edg approle:

      vault write -force auth/approle/role/edg/secret-id
      
  6. If using cert auth, do the following:

    1. Add a client certificate to the cert auth method

    2. Add the edg policy to the certificate’s Generated Token’s Policies

  7. Edit the EDG setup file (edg-setup.properties):

    1. Add the vault type and vault URL:

      vaultType = Hashicorp
      hashicorpVaultURL = https://127.0.0.1:8200
      
    2. Add the data path and metadata path (matching the edg policy):

      hashicorpVaultDataPath = kv/data/edg/secure-storage/
      hashicorpVaultMetadataPath = kv/metadata/edg/secure-storage
      
    3. If using AppRole auth, add the role-id and secret-id:

      hashicorpVaultAuthMethod = AppRole
      hashicorpVaultRoleId = <role-id>
      hashicorpVaultSecretId = <secret-id>
      

      Warning

      Storing secrets in plain text is a security risk and is strongly discouraged in production environments. Use the syntax described in Reading values from files or environment variables to keep the secret-id in an environment variable or in a file on an encrypted volume. EDG logs a warning if this value is stored in plain text.

    4. If using cert auth, enter the paths to the certificate and private key into EDG setup configuration:

      hashicorpVaultAuthMethod = TLS
      hashicorpVaultCertFile = <cert-file>
      hashicorpVaultKeyFile = <key-file>
      
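As an added example (not EDG's own code and not from the original page), the following Python check parses an edg-setup.properties file and flags settings that contradict the steps above: a Vault URL that is not https, data and metadata paths that do not refer to the same secret prefix, missing keys for the chosen auth method, and a secret-id left in plain text. The sample properties are constructed, the property names are the ones used in the steps above, and the plain-text detection assumes that a bare UUID-shaped value is a literal AppRole secret-id.

```python
import re

# Constructed edg-setup.properties sample (not from the original page): the URL
# and metadata path are deliberately wrong, and the role-id/secret-id are
# made-up UUID-shaped values that trigger the plain-text check.
SAMPLE_PROPERTIES = """\
vaultType = Hashicorp
hashicorpVaultURL = http://127.0.0.1:8200
hashicorpVaultDataPath = kv/data/edg/secure-storage/
hashicorpVaultMetadataPath = kv/metadata/edg/other
hashicorpVaultAuthMethod = AppRole
hashicorpVaultRoleId = 00000000-0000-4000-8000-000000000001
hashicorpVaultSecretId = 00000000-0000-4000-8000-000000000002
"""

# AppRole secret-ids are UUIDs by default, so a bare UUID is the plain-text case.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

def parse_properties(text):
    # Minimal key = value parser; blank lines and #/! comment lines are skipped.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_vault_settings(props):
    # Returns a list of findings; an empty list means the settings are consistent.
    findings = []
    if not props.get("hashicorpVaultURL", "").startswith("https://"):
        findings.append("hashicorpVaultURL must be https: the Vault listener must use TLS")
    data = props.get("hashicorpVaultDataPath", "")
    meta = props.get("hashicorpVaultMetadataPath", "")
    if not (data.startswith("kv/data/") and meta.startswith("kv/metadata/")):
        findings.append("data path must be under kv/data/ and metadata path under kv/metadata/")
    elif data[len("kv/data/"):].strip("/") != meta[len("kv/metadata/"):].strip("/"):
        findings.append("data path and metadata path refer to different secret prefixes")
    method = props.get("hashicorpVaultAuthMethod")
    required = {"AppRole": ("hashicorpVaultRoleId", "hashicorpVaultSecretId"),
                "TLS": ("hashicorpVaultCertFile", "hashicorpVaultKeyFile")}
    if method not in required:
        findings.append("hashicorpVaultAuthMethod must be AppRole or TLS")
    else:
        findings += [f"{k} is required for {method} auth" for k in required[method] if not props.get(k)]
    if UUID_RE.match(props.get("hashicorpVaultSecretId", "")):
        findings.append("hashicorpVaultSecretId is stored in plain text; load it from a file or environment variable")
    return findings
```

Running check_vault_settings(parse_properties(SAMPLE_PROPERTIES)) reports the http URL, the mismatched metadata path and the plain-text secret-id; a file with an https URL, matching paths and a secret-id loaded from a file or environment variable produces no findings.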

See also