EDG Integration with Hashicorp Vault
Install and configure Hashicorp Vault:

1. Ensure the listener is using TLS.
2. Enable the key-value secrets engine.
3. Create an ACL policy called edg:

       path "kv/data/edg/secure-storage/*" {
         capabilities = [ "create", "read", "update", "delete" ]
       }
       path "kv/metadata/edg/secure-storage" {
         capabilities = [ "list" ]
       }

4. Enable the AppRole or TLS Certificate auth method.
5. If using AppRole auth, do the following:
   - Create an approle called edg that uses the edg policy:

         vault write auth/approle/role/edg token_policies="edg" token_ttl=1h token_max_ttl=4h

   - Get the role-id for the edg approle:

         vault read auth/approle/role/edg/role-id

   - Generate a secret-id for the edg approle:

         vault write -force auth/approle/role/edg/secret-id

6. If using cert auth, do the following:
   - Add a client certificate.
   - Add the edg policy to the certificate's Generated Token's Policies.
Edit the EDG setup file (edg-setup.properties):

1. Add the vault type and vault URL:

       vaultType = Hashicorp
       hashicorpVaultURL = https://127.0.0.1:8200

2. Add the data path and metadata path (from the edg policy):

       hashicorpVaultDataPath = kv/data/edg/secure-storage/
       hashicorpVaultMetadataPath = kv/metadata/edg/secure-storage

3. If using AppRole auth, add the role-id and secret-id:

       hashicorpVaultAuthMethod = AppRole
       hashicorpVaultRoleId = <role-id>
       hashicorpVaultSecretId = <secret-id>

   See Reading values from files or environment variables for a technique that avoids storing the secret in plain text in the setup file.

4. If using cert auth, enter the paths to the certificate and private key into the EDG setup configuration:

       hashicorpVaultAuthMethod = TLS
       hashicorpVaultCertFile = <cert-file>
       hashicorpVaultKeyFile = <key-file>
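To see how the policy, the AppRole credentials and the data path fit together, here is an added example client (not EDG or Vault project code) that models the edg policy's path matching, builds the AppRole login call and reads one KV v2 secret under the configured data path. It assumes Vault's documented HTTP API (POST /v1/auth/approle/login, GET /v1/<data-path>/<name>, the X-Vault-Token header) and uses constructed placeholder ids in place of a real role-id and secret-id.

```python
import json
import urllib.request

# The edg ACL policy from this page as (path glob, capabilities) rules.
EDG_POLICY = [
    ("kv/data/edg/secure-storage/*", {"create", "read", "update", "delete"}),
    ("kv/metadata/edg/secure-storage", {"list"}),
]

SAMPLE_CONFIG = {  # constructed edg-setup.properties values; the ids are placeholders
    "hashicorpVaultURL": "https://127.0.0.1:8200",
    "hashicorpVaultDataPath": "kv/data/edg/secure-storage/",
    "hashicorpVaultRoleId": "ROLE-ID-PLACEHOLDER",
    "hashicorpVaultSecretId": "SECRET-ID-PLACEHOLDER",
}

def policy_allows(path, capability, policy=EDG_POLICY):
    """Simplified model of Vault matching: a trailing '*' is a prefix glob, else exact path."""
    for rule, caps in policy:
        hit = path.startswith(rule[:-1]) if rule.endswith("*") else path == rule
        if hit and capability in caps:
            return True
    return False

def approle_login_request(props):
    """URL and JSON body for POST /v1/auth/approle/login."""
    url = props["hashicorpVaultURL"].rstrip("/") + "/v1/auth/approle/login"
    return url, {"role_id": props["hashicorpVaultRoleId"], "secret_id": props["hashicorpVaultSecretId"]}

def kv2_secret_path(props, name):
    """Vault path of one secret: the configured data path plus the secret name."""
    return props["hashicorpVaultDataPath"].strip("/") + "/" + name

def kv2_values(read_response):
    """KV v2 nests the stored key/values under data.data; data.metadata holds the version."""
    return read_response["data"]["data"]

def fetch_secret(props, name):
    """Live round-trip (needs a reachable Vault): check the policy, log in, read one secret."""
    path = kv2_secret_path(props, name)
    if not policy_allows(path, "read"):
        raise PermissionError(f"{path} is outside the edg policy; Vault would answer 403")
    url, body = approle_login_request(props)
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["auth"]["client_token"]
    req = urllib.request.Request(props["hashicorpVaultURL"].rstrip("/") + "/v1/" + path, headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req) as resp:
        return kv2_values(json.load(resp))
```

The policy check shows why a secret stored outside kv/data/edg/secure-storage/ is unreadable with the edg token even though the AppRole login itself succeeds.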