EDG Integration with HashiCorp Vault

Install and configure HashiCorp Vault:

  1. Ensure the Vault listener is configured to use TLS

  2. Enable the key-value secrets engine (version 2, mounted at kv/; the kv/data and kv/metadata paths in the policy below assume this layout)

  3. Create an ACL policy called edg:

    path "kv/data/edg/secure-storage/*" {
       capabilities = [ "create", "read", "update", "delete" ]
    }
    
    path "kv/metadata/edg/secure-storage" {
       capabilities = [ "list" ]
    }
    
  4. Enable the AppRole or TLS Certificate auth method

  5. If using AppRole auth, do the following:

    1. Create an approle called edg that uses the edg policy:

      vault write auth/approle/role/edg token_policies="edg" token_ttl=1h token_max_ttl=4h
      
    2. Get the role-id for the edg approle:

      vault read auth/approle/role/edg/role-id
      
    3. Generate a secret-id for the edg approle:

      vault write -force auth/approle/role/edg/secret-id
      
  6. If using cert auth, do the following:

    1. Add a client certificate

    2. Add the edg policy to the certificate’s Generated Token’s Policies

  7. Edit the EDG setup file (edg-setup.properties):

    1. Add the vault type and vault URL:

      vaultType = Hashicorp
      hashicorpVaultURL = https://127.0.0.1:8200
      
    2. Add the data path and metadata path (from the edg policy):

      hashicorpVaultDataPath = kv/data/edg/secure-storage/
      hashicorpVaultMetadataPath = kv/metadata/edg/secure-storage
      
    3. If using AppRole auth, add the role-id and secret-id:

      hashicorpVaultAuthMethod = AppRole
      hashicorpVaultRoleId = <role-id>
      hashicorpVaultSecretId = <secret-id>
      See Reading values from files or environment variables for a technique that avoids storing the secret in plain text in the setup file.

    4. If using cert auth, enter the paths to the certificate and private key into EDG setup configuration:

      hashicorpVaultAuthMethod = TLS
      hashicorpVaultCertFile = <cert-file>
      hashicorpVaultKeyFile = <key-file>
      
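The whole procedure above, carried through as an added shell example that is not part of the EDG documentation or of HashiCorp's own tooling: it writes the edg policy and AppRole role with the vault CLI, fetches the role-id and secret-id, renders edg-setup.properties, and then checks that the resulting AppRole token can reach the edg secure-storage path and nothing else. It assumes the vault CLI is installed, VAULT_ADDR and VAULT_TOKEN point at an administrative session, the KV v2 engine is mounted at kv/, and the approle auth method is already enabled; the function names and the "apply" argument are the example's own.

```shell
#!/bin/sh
# Added example: Vault-side setup for EDG plus a least-privilege check.
# Not part of the EDG documentation. Assumes an admin VAULT_ADDR/VAULT_TOKEN,
# KV v2 mounted at "kv/", and the approle auth method already enabled.
set -eu

# The edg ACL policy from the procedure, emitted as HCL so it can be piped
# into "vault policy write" and inspected without a running Vault.
edg_policy_hcl() {
  cat <<'EOF'
path "kv/data/edg/secure-storage/*" {
   capabilities = [ "create", "read", "update", "delete" ]
}

path "kv/metadata/edg/secure-storage" {
   capabilities = [ "list" ]
}
EOF
}

# Render edg-setup.properties for AppRole auth ($1 = role-id, $2 = secret-id).
# The secret-id lands in the file in plain text, as in the procedure; prefer the
# file/environment technique the documentation points to where it is available.
edg_setup_properties() {
  cat <<EOF
vaultType = Hashicorp
hashicorpVaultURL = ${VAULT_ADDR:-https://127.0.0.1:8200}
hashicorpVaultDataPath = kv/data/edg/secure-storage/
hashicorpVaultMetadataPath = kv/metadata/edg/secure-storage
hashicorpVaultAuthMethod = AppRole
hashicorpVaultRoleId = $1
hashicorpVaultSecretId = $2
EOF
}

# Steps 3 and 5: write the policy, create the role, fetch role-id and secret-id.
configure_vault() {
  edg_policy_hcl | vault policy write edg -
  vault write auth/approle/role/edg token_policies="edg" token_ttl=1h token_max_ttl=4h
  ROLE_ID=$(vault read -field=role_id auth/approle/role/edg/role-id)
  SECRET_ID=$(vault write -force -field=secret_id auth/approle/role/edg/secret-id)
}

# Log in as the role and confirm the token is confined to the edg path:
# a write/read under kv/edg/secure-storage/ must succeed, a write elsewhere
# must be refused. "vault kv" maps kv/<p> to kv/data/<p> on a v2 mount.
verify_approle_scope() {
  tok=$(vault write -field=token auth/approle/login role_id="$1" secret_id="$2")
  VAULT_TOKEN=$tok vault kv put kv/edg/secure-storage/probe value=ok >/dev/null
  [ "$(VAULT_TOKEN=$tok vault kv get -field=value kv/edg/secure-storage/probe)" = ok ]
  if VAULT_TOKEN=$tok vault kv put kv/other/probe value=ok >/dev/null 2>&1; then
    echo "policy too broad: write outside the edg path succeeded" >&2
    return 1
  fi
  VAULT_TOKEN=$tok vault kv delete kv/edg/secure-storage/probe >/dev/null
}

# End-to-end run only when invoked as "sh edg-vault-setup.sh apply", so the
# functions above can also be sourced and checked without a live Vault.
if [ "${1:-}" = apply ]; then
  configure_vault
  verify_approle_scope "$ROLE_ID" "$SECRET_ID"
  umask 077
  edg_setup_properties "$ROLE_ID" "$SECRET_ID" > edg-setup.properties
  echo "wrote edg-setup.properties (role-id $ROLE_ID); AppRole scope verified"
fi
```

The verification step is the part worth keeping around: rerun it after any policy change, because a policy that also matches paths outside kv/data/edg/secure-storage/ would pass the read and write checks and only fail on the negative write.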