Skip to main content
Version: v1.5.0

HashiCorp Vault secret provider

HashiCorp Vault secret provider brings secrets from the KeyValue secret engine to your application.

Installation

Adding secrets from HashiCorp Vault into the secret store requires following package:

PM > Install-Package Arcus.Security.Providers.HashiCorp

Configuration

After installing the package, the additional extensions becomes available when building the secret store.

using Microsoft.Extensions.Hosting;

public class Program
{
public static void Main(string[] args)
{
CreateHostBuilder(args).Build().Run();
}

public static IHostBuilder CreateHostBuilder(string[] args)
{
return Host.CreateDefaultBuilder(args)
.ConfigureSecretStore((context, config, builder) =>
{
// Adding the HashiCorp Vault secret provider with the built-in overloads.
// =======================================================================

// UserPass authentication built-in overload:
// ------------------------------------------
builder.AddHashiCorpVaultWithUserPass(
// URI where the HashiCorp Vault is running.
vaultServerUriWithPort: "https://uri.to.your.running.vault:5200",
// Username/Password combination to authenticate with the vault.
username: "admin",
password: "s3cr3t",
// Path where the secrets are stored in the KeyValue secret engine.
secretPath: "my-secrets"
);

// Following defaults can be overridden:

// Mount point of UserPass athentication (default: userpass).
builder.AddHashiCorpVaultWithUserPass(..., options => options.UserPassMountPoint: "myuserpass");

// Version of the KeyValue secret engine (default: V2).
builder.AddHashiCorpVaultWithUserPass(..., options => options.KeyValueVersion: VaultKeyValueSecretEngineVersion.V1);

// Mount point of KeyValue secret engine (default: kv-v2).
builder.AddHashiCorpVaultWithUserPass(..., options => options.KeyValueMountPoint: "secret");

// Adding the HashiCorp Vault secret provider with UserPass authentication, using `-` instead of `:` when looking up secrets.
// Example - When looking up `Foo:Bar` it will be changed to `Foo-Bar`.
builder.AddHashiCorpVaultWithUserPass(..., mutateSecretName: secretName => secretName.Replace(":", "-"));

// Providing an unique name to this secret provider so it can be looked up later.
// See: "Retrieve a specific secret provider from the secret store"
builder.AddHashiCorpVault(..., name: "HashiCorp");

// Kubernetes authentication built-in overload:
// --------------------------------------------
builder.AddHashiCorpVaultWithKubernetes(
// URI where the HashiCorp Vault is running.
vaultServerUriWithPort: "https://uri.to.your.running.vault:5200",
// Role name of the Kubernetes service account.
roleName: "admin",
// JSON web token (JWT) of the Kubernetes service account,
jwt: "ey.xxx.xxx",
// Path where the secrets are stored in the KeyValue secret engine.
secretPath: "my-secrets"
);

// Mount point of Kubernetes authentication (default: kubernetes).
builder.AddHashiCorpVaultWithKubernetes(..., options => options.KubernetesMountPoint: "mykubernetes");

// Version of the KeyValue secret engine (default: V2).
builder.AddHashiCorpVaultWithKubernetes(..., options => options.KeyValueVersion: VaultKeyValueSecretEngineVersion.V1);

// Mount point of KeyValue secret engine (default: kv-v2).
builder.AddHashiCorpVaultWithKubernetes(..., options => options.KeyValueMountPoint: "secret");

// Adding the HashiCorp Vault secret provider with Kubernetes authentication, using `-` instead of `:` when looking up secrets.
// Example - When looking up `Foo:Bar` it will be changed to `Foo-Bar`.
builder.AddHashiCorpVaultWithKubernetes(..., mutateSecretname: secretName => secretName.Replace(":", "-"));

// Providing an unique name to this secret provider so it can be looked up later.
// See: "Retrieve a specific secret provider from the secret store"
builder.AddHashiCorpVault(..., name: "HashiCorp");

// Custom settings overload for when using the [VaultSharp](https://github.com/rajanadar/VaultSharp) settings directly:
// --------------------------------------------------------------------------------------------------------------------
var tokenAuthentication = new TokenAuthMethodInfo("token");
var settings = VaultClientSettings("http://uri.to.your.running.vault.5200", tokenAuthentication);
builder.AddHashiCorpVault(
settings,
// Path where the secrets are stored in the KeyValue secret engine.
secretPath: "my-secrets");

// Version of the KeyValue secret engine (default: V2).
builder.AddHashiCorpVault(..., options => options.KeyValueVersion: VaultKeyValueSecretEngineVersion.V1);

// Mount point of KeyValue secret engine (default: kv-v2).
builder.AddHashiCorpVault(..., options => options.KeyValueMountPoint: "secret");

// Adding the HashiCorp Vault secret provider, using `-` instead of `:` when looking up secrets.
// Example - When looking up `Foo:Bar` it will be changed to `Foo-Bar`.
builder.AddHashiCorpVault(..., mutateSecretName: secretName => secretName.Replace(":", "-"));

// Providing an unique name to this secret provider so it can be looked up later.
// See: "Retrieve a specific secret provider from the secret store"
builder.AddHashiCorpVault(..., name: "HashiCorp");

// Additional settings:
// -------------------

// Tracking the HashiCorp Vault dependency which works well together with Application Insights (default: `false`).
// See https://observability.arcus-azure.net/features/writing-different-telemetry-types#measuring-custom-dependencies for more information.
builder.AddHashiCorpVault(..., options => options.TrackDependency = true);
})
.ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
}
}