Version: v1.4.0

HashiCorp Vault secret provider

The HashiCorp Vault secret provider brings secrets from Vault's KeyValue (KV) secret engine into your application's secret store.

Installation

Adding secrets from HashiCorp Vault to the secret store requires the following package:

PM > Install-Package Arcus.Security.Providers.HashiCorp

Configuration

After installing the package, the additional extensions become available when building the secret store. The credentials in the sample below (username/password, JWT, token) are placeholders: supply real values through configuration or a mounted file rather than hard-coding them in source, and always address Vault over HTTPS.

using Microsoft.Extensions.Hosting;

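/// <summary>
/// Sample host bootstrap showing how the HashiCorp Vault secret provider is registered
/// in the Arcus secret store. Every credential literal below is a placeholder.
/// </summary>
public class Program
{
    /// <summary>Entry point: builds and runs the generic host.</summary>
    /// <param name="args">Command-line arguments forwarded to the host builder.</param>
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    /// <summary>
    /// Builds the generic host and registers HashiCorp Vault secret providers in the secret store.
    /// Each overload is shown once with its defaults and the options that can be overridden.
    /// </summary>
    /// <param name="args">Command-line arguments passed to <c>Host.CreateDefaultBuilder</c>.</param>
    /// <returns>The configured host builder.</returns>
    public static IHostBuilder CreateHostBuilder(string[] args)
    {
        return Host.CreateDefaultBuilder(args)
            .ConfigureSecretStore((context, config, builder) =>
            {
                // Adding the HashiCorp Vault secret provider with the built-in overloads.
                // =======================================================================
                //
                // SECURITY: the username/password, JWT and token values in this sample are
                // placeholders only. Never commit real bootstrap credentials to source control;
                // read them from the `config` (IConfiguration) instance available in this
                // callback (environment variables, a mounted file, ...). Always address Vault
                // over HTTPS: the authentication credential and every secret that is read
                // travel in the request and response.

                // UserPass authentication built-in overload:
                // ------------------------------------------
                builder.AddHashiCorpVaultWithUserPass(
                    // URI where the HashiCorp Vault is running (HTTPS only).
                    vaultServerUriWithPort: "https://uri.to.your.running.vault:5200",
                    // Username/Password combination to authenticate with the vault.
                    // Placeholder values - load the real ones from `config`, not from source.
                    username: "admin",
                    password: "s3cr3t",
                    // Path where the secrets are stored in the KeyValue secret engine.
                    secretPath: "my-secrets"
                );

                // Following defaults can be overridden (the option is assigned with `=`
                // inside the options callback):

                // Mount point of UserPass authentication (default: userpass).
                builder.AddHashiCorpVaultWithUserPass(..., options => options.UserPassMountPoint = "myuserpass");

                // Version of the KeyValue secret engine (default: V2).
                builder.AddHashiCorpVaultWithUserPass(..., options => options.KeyValueVersion = VaultKeyValueSecretEngineVersion.V1);

                // Mount point of KeyValue secret engine (default: kv-v2).
                builder.AddHashiCorpVaultWithUserPass(..., options => options.KeyValueMountPoint = "secret");

                // Adding the HashiCorp Vault secret provider with UserPass authentication, using `-` instead of `:` when looking up secrets.
                // Example - When looking up `Foo:Bar` it will be changed to `Foo-Bar`.
                builder.AddHashiCorpVaultWithUserPass(..., mutateSecretName: secretName => secretName.Replace(":", "-"));

                // Providing a unique name to this secret provider so it can be looked up later.
                // See: "Retrieve a specific secret provider from the secret store"
                builder.AddHashiCorpVaultWithUserPass(..., name: "HashiCorp");

                // Kubernetes authentication built-in overload:
                // --------------------------------------------
                builder.AddHashiCorpVaultWithKubernetes(
                    // URI where the HashiCorp Vault is running (HTTPS only).
                    vaultServerUriWithPort: "https://uri.to.your.running.vault:5200",
                    // Role name of the Kubernetes service account, as configured in Vault's Kubernetes auth method.
                    roleName: "admin",
                    // JSON web token (JWT) of the Kubernetes service account.
                    // Placeholder - inside a pod this is normally read from the mounted service-account
                    // token file rather than hard-coded. It is a bearer credential: never log it.
                    jwt: "ey.xxx.xxx",
                    // Path where the secrets are stored in the KeyValue secret engine.
                    secretPath: "my-secrets"
                );

                // Mount point of Kubernetes authentication (default: kubernetes).
                builder.AddHashiCorpVaultWithKubernetes(..., options => options.KubernetesMountPoint = "mykubernetes");

                // Version of the KeyValue secret engine (default: V2).
                builder.AddHashiCorpVaultWithKubernetes(..., options => options.KeyValueVersion = VaultKeyValueSecretEngineVersion.V1);

                // Mount point of KeyValue secret engine (default: kv-v2).
                builder.AddHashiCorpVaultWithKubernetes(..., options => options.KeyValueMountPoint = "secret");

                // Adding the HashiCorp Vault secret provider with Kubernetes authentication, using `-` instead of `:` when looking up secrets.
                // Example - When looking up `Foo:Bar` it will be changed to `Foo-Bar`.
                builder.AddHashiCorpVaultWithKubernetes(..., mutateSecretName: secretName => secretName.Replace(":", "-"));

                // Providing a unique name to this secret provider so it can be looked up later.
                // See: "Retrieve a specific secret provider from the secret store"
                builder.AddHashiCorpVaultWithKubernetes(..., name: "HashiCorp");

                // Custom settings overload for when using the [VaultSharp](https://github.com/rajanadar/VaultSharp) settings directly:
                // --------------------------------------------------------------------------------------------------------------------
                // Placeholder token. A Vault token is a bearer credential: load it from `config`
                // and prefer a short-lived, least-privilege token whose policy only grants
                // read access to `secretPath`.
                var tokenAuthentication = new TokenAuthMethodInfo("token");
                // Use HTTPS and the `host:port` form; plain HTTP would expose the token and
                // every secret on the wire.
                var settings = new VaultClientSettings("https://uri.to.your.running.vault:5200", tokenAuthentication);
                builder.AddHashiCorpVault(
                    settings,
                    // Path where the secrets are stored in the KeyValue secret engine.
                    secretPath: "my-secrets");

                // Version of the KeyValue secret engine (default: V2).
                builder.AddHashiCorpVault(..., options => options.KeyValueVersion = VaultKeyValueSecretEngineVersion.V1);

                // Mount point of KeyValue secret engine (default: kv-v2).
                builder.AddHashiCorpVault(..., options => options.KeyValueMountPoint = "secret");

                // Adding the HashiCorp Vault secret provider, using `-` instead of `:` when looking up secrets.
                // Example - When looking up `Foo:Bar` it will be changed to `Foo-Bar`.
                builder.AddHashiCorpVault(..., mutateSecretName: secretName => secretName.Replace(":", "-"));

                // Providing a unique name to this secret provider so it can be looked up later.
                // See: "Retrieve a specific secret provider from the secret store"
                builder.AddHashiCorpVault(..., name: "HashiCorp");

                // Additional settings:
                // -------------------

                // Tracking the HashiCorp Vault dependency, which works well together with Application Insights (default: `false`).
                // Only the dependency call is tracked; secret values themselves are not part of the telemetry.
                // See https://observability.arcus-azure.net/features/writing-different-telemetry-types#measuring-custom-dependencies for more information.
                builder.AddHashiCorpVault(..., options => options.TrackDependency = true);
            })
            .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
    }
}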