Questions tagged [vault]
Questions about Hashicorp's Vault tool for managing secrets
44
questions
13
votes
2
answers
51k
views
HAproxy health check for https backend
I have an HAProxy configuration that works perfectly for the Vault server in the backend with an HTTP configuration, and it load-balances based on the unsealed and active Vault server using the 200 OK code. This works for ...
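As an added example (not part of the question above, and not HashiCorp's or HAProxy's own code), the script below does two things a practitioner wants when moving this check to an HTTPS backend: it probes each node's `/v1/sys/health` endpoint over TLS, verifying the server certificate against the cluster CA, and classifies the status code Vault returns (200 active, 429 standby, 503 sealed, 501 uninitialized, 472/473 replication standbys); and it renders an HAProxy backend stanza that performs the same check with `check-ssl` and pins the CA. The hostnames `vault1..3.example.com`, the port 8200 and the CA path `/etc/haproxy/vault-ca.pem` are assumptions.

```shell
#!/bin/sh
# Added example: classify Vault nodes by /v1/sys/health status and emit an
# HAProxy backend that performs the same check over TLS.
# Assumed: node names and CA path below are placeholders, not from the question.

VAULT_CA=${VAULT_CA:-/etc/haproxy/vault-ca.pem}

# Map the HTTP status Vault returns from /v1/sys/health (no query params)
# to the node state. Only 200 is a safe target for traffic.
vault_health_state() {
  case "$1" in
    200) echo active ;;
    429) echo standby ;;
    472) echo dr-secondary ;;
    473) echo performance-standby ;;
    501) echo uninitialized ;;
    503) echo sealed ;;
    000) echo unreachable ;;
    *)   echo "unknown($1)" ;;
  esac
}

# Probe one node over HTTPS, verifying its certificate against the cluster CA
# (never -k for a secrets backend). Prints "<host> <state>".
probe_node() {
  host=$1
  code=$(curl -sS -o /dev/null -w '%{http_code}' --cacert "$VAULT_CA" \
           --max-time 5 "https://${host}:8200/v1/sys/health") || code=000
  printf '%s %s\n' "$host" "$(vault_health_state "$code")"
}

# Render the HAProxy backend. check-ssl makes the health check itself use
# TLS; "ssl verify required ca-file" pins the CA for both checks and traffic.
# Without ?standbyok=true a standby answers 429, so only the active node
# passes "expect status 200" and receives requests.
render_backend() {
  printf 'backend vault_https\n'
  printf '  mode http\n'
  printf '  option httpchk GET /v1/sys/health\n'
  printf '  http-check expect status 200\n'
  for h in "$@"; do
    printf '  server %s %s:8200 check check-ssl ssl verify required ca-file %s\n' \
      "${h%%.*}" "$h" "$VAULT_CA"
  done
}

if [ -n "${RUN_EXAMPLE:-}" ]; then
  for h in vault1.example.com vault2.example.com vault3.example.com; do
    probe_node "$h"
  done
  render_backend vault1.example.com vault2.example.com vault3.example.com
fi
```

Run it with `RUN_EXAMPLE=1 sh vault-haproxy.sh` to see each node's state and the generated stanza. The point of `check-ssl` plus `verify required` is that a misconfigured or impersonated node fails the health check instead of silently receiving secrets traffic; if your check passes only after adding `verify none`, fix the CA file rather than the check.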
12
votes
2
answers
21k
views
Net bind capability with systemd
I am deploying Goldfish, an interface for Vault, in production on a server dedicated to secrets management. So security is of prime concern here.
I am trying to deploy the service with systemd on an ...
3
votes
3
answers
3k
views
Securing SSL certificate private key with nginx
I've been researching how to secure private keys for SSL certificates using nginx as a webserver, but have not been able to find many satisfactory answers.
Specifically, for a client who wants to me ...
3
votes
1
answer
7k
views
Hashicorp Vault - Policy restricting one specific sub node in a path
I have a Hashicorp Vault server configured and everything is running great, except for my "deny" policies.
I have a 2 level grouping for the majority of secrets, so they follow the structure of:
...
2
votes
1
answer
2k
views
Vault - generate secret without revealing it?
With Hashicorp's Vault, is it possible to generate a secret without revealing that secret to the user who generated it?
Along the lines of:
vault generate secret/my/awesome/secret 32
Where it would ...
2
votes
2
answers
2k
views
OCSP setup for Vault
I have a Vault setup running in a container for the PKI Secrets Engine and would like to add OCSP support for the application to check that a certificate is not revoked. I didn't find any explanation on how to set up ...
2
votes
2
answers
3k
views
How to run Hashicorp Vault as a service on CentOS in production
I'm running the latest CentOS and I need Hashicorp Vault 1.6.3 to run as a service. I'm currently using the kv/secret background, so I can use
vault kv put secret/test/hello foo=bar
In order to store ...
2
votes
1
answer
703
views
Windows Hashicorp Vault client - any way to use TLS certs using secure OS features?
Right now, if I want to use a TLS certificate to authenticate to Vault, I need to have a file with the certificate, and a file with the private key, on my client's filesystem.
On Windows, I'm able to ...
2
votes
0
answers
1k
views
Vault invalid certificate or no client certificate supplied - cert auth method
I have created a CA in Vault to handle my certificate creation. I've followed this guide here: https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine
I am trying to generate a client ...
2
votes
0
answers
204
views
Can consul-template fetch Vault servers from consul?
I would like to integrate HashiCorp vault into our current setup of consul + consul-template and was a bit surprised to find no option for consul-template to fetch the vault servers from consul's ...
1
vote
1
answer
3k
views
Login to HashiCorp Vault with Kubernetes Auth from Pod with Vault CLI
TL;DR: What is the proper way to log in from the Vault CLI in a Kubernetes Pod using the Kubernetes Auth Method?
I want to create regular snapshots from my HashiCorp Vault raft storage. So I created a ...
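As an added example (not from the question above, and not HashiCorp's code), the script below shows the exchange such a snapshot job would perform: it trades the pod's projected service-account JWT for a Vault token at `auth/kubernetes/login`, takes a Raft snapshot with that token, and revokes the token afterwards. The role name `raft-snapshot`, the mount path `auth/kubernetes` and the `/backups` directory are assumptions; the role's policy must grant `read` on `sys/storage/raft/snapshot`.

```shell
#!/bin/sh
# Added example: Kubernetes auth login from inside a pod, then a Raft
# snapshot. Role name, mount path and output directory are assumed.

SA_TOKEN_FILE=${SA_TOKEN_FILE:-/var/run/secrets/kubernetes.io/serviceaccount/token}

# Exchange the service-account JWT for a Vault token. "@file" makes the CLI
# read the value from the file, and -field=token prints only the client
# token, so the rest of the login response (accessor, policies, metadata)
# stays out of the job log.
k8s_login() {
  role=$1
  [ -r "$SA_TOKEN_FILE" ] || { echo "no service account token at $SA_TOKEN_FILE" >&2; return 1; }
  vault write -field=token auth/kubernetes/login role="$role" jwt="@${SA_TOKEN_FILE}"
}

# Snapshot the Raft store. The archive holds the barrier-encrypted data, so it
# is useless without the unseal/recovery keys, but it is still sensitive and
# must be written somewhere with restricted access.
take_snapshot() {
  out=$1
  vault operator raft snapshot save "$out"
  [ -s "$out" ] || { echo "snapshot $out is empty" >&2; return 1; }
  echo "$out"
}

if [ -n "${RUN_EXAMPLE:-}" ]; then
  VAULT_TOKEN=$(k8s_login raft-snapshot) || exit 1
  export VAULT_TOKEN
  take_snapshot "/backups/vault-$(date -u +%Y%m%dT%H%M%SZ).snap"
  vault token revoke -self   # the token has done its job; do not leave it valid
fi
```

Give the Kubernetes role a short `token_ttl` and bind it to the specific service account and namespace of the CronJob, so the only thing this JWT can obtain is a brief token whose single permitted action is taking a snapshot.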
1
vote
2
answers
1k
views
Hashicorp Vault How Do I Login Headless From STDIN Using Bash Shell?
Given a Bash Shell say in a Docker container running on Gitlab, for example, how would I get the password to get passed in?
When I login with this:
$ vault login -method=ldap username=myusername
It ...
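As an added example (not from the question above, and not HashiCorp's code), the script below performs the LDAP login non-interactively: the password is read from the function's stdin and handed to `vault login -method=ldap` as the `password=` key/value pair the CLI accepts instead of prompting, and `-token-only` prints just the token without writing it to the token helper on the runner. The LDAP user, the `LDAP_PASSWORD` CI variable and `VAULT_ADDR` are assumptions.

```shell
#!/bin/sh
# Added example: headless LDAP login for a CI job. User name, the CI
# variable holding the password and VAULT_ADDR are assumed.

# Log in with the password read from stdin and print only the token.
# -token-only suppresses the table output and the token-helper write, so the
# token is not persisted in ~/.vault-token on the runner.
vault_ldap_login() {
  user=$1
  pass=$(cat)                      # consume stdin; no TTY prompt
  [ -n "$pass" ] || { echo "empty password on stdin" >&2; return 1; }
  vault login -method=ldap -token-only username="$user" password="$pass"
}

# Feed the password through a pipe, never as a literal in this script or in
# the job definition. Note that vault itself still receives it as an argument,
# visible briefly in /proc/<pid>/cmdline on the runner; where that matters,
# prefer an auth method with no password at all (e.g. JWT auth with the CI
# job token) over LDAP.
ci_login() {
  user=$1
  : "${LDAP_PASSWORD:?set LDAP_PASSWORD as a masked CI variable}"
  VAULT_TOKEN=$(printf '%s' "$LDAP_PASSWORD" | vault_ldap_login "$user") || return 1
  export VAULT_TOKEN
  unset LDAP_PASSWORD
  vault token lookup >/dev/null    # fail fast if the login did not yield a usable token
}

if [ -n "${RUN_EXAMPLE:-}" ]; then
  ci_login "${LDAP_USER:-myusername}"
  vault kv get secret/ci/example
fi
```

Keep the CI variable masked and the job log free of `set -x` while this runs; otherwise the shell trace prints the expanded `password=` argument.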
1
vote
1
answer
6k
views
hashicorp vault - load pre-existing CA certificate into PKI engine
I'm looking to migrate a process that generates client certificates from a custom root CA into hashicorp vault.
The root is already trusted by a lot of applications, so I'd like to import it (or an ...
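As an added example (not from the question above, and not HashiCorp's code), the script below shows the two ways to bring an existing CA into the PKI engine. Option (a) imports the root certificate and key as a `pem_bundle` via `<mount>/config/ca`, which makes Vault the holder of the root key. Option (b) keeps the root offline: Vault generates an intermediate key and CSR at `intermediate/generate/internal`, the CSR is signed by the existing root out of band, and the signed certificate is installed with `intermediate/set-signed`. Applications that already trust the root then trust Vault-issued certificates without Vault ever holding the root key. Mount names, file names, TTLs and the `example.com` domain are assumptions.

```shell
#!/bin/sh
# Added example: import an existing CA into Vault PKI, either the root itself
# (a) or, preferably, an intermediate signed by the offline root (b).
# Mount names, paths, TTLs and the domain are assumed.

# Build the pem_bundle config/ca expects: private key followed by the
# certificate, written with restrictive permissions since it holds the key.
build_bundle() {
  key=$1; cert=$2; out=$3
  for f in "$key" "$cert"; do
    [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
  done
  ( umask 077; cat "$key" "$cert" > "$out" )
}

# (a) Import the existing root (cert + key) as the CA of the mount.
import_root() {
  mount=$1; key=$2; cert=$3; bundle=${4:-/tmp/ca-bundle.pem}
  build_bundle "$key" "$cert" "$bundle" || return 1
  vault secrets enable -path="$mount" pki
  vault secrets tune -max-lease-ttl=87600h "$mount"
  vault write "$mount/config/ca" pem_bundle="@${bundle}"
  rm -f "$bundle"
}

# (b) Generate an intermediate key inside Vault and export only its CSR.
# The root key never enters Vault.
setup_intermediate() {
  mount=$1; csr_out=$2
  vault secrets enable -path="$mount" pki
  vault secrets tune -max-lease-ttl=43800h "$mount"
  vault write -field=csr "$mount/intermediate/generate/internal" \
    common_name="Example Intermediate CA" > "$csr_out"
  echo "sign $csr_out with the offline root, then run: install_intermediate $mount <signed.pem>" >&2
}

# Install the root-signed intermediate certificate and define a role that
# only issues client certificates under the assumed domain.
install_intermediate() {
  mount=$1; signed=$2
  vault write "$mount/intermediate/set-signed" certificate="@${signed}"
  vault write "$mount/roles/client" allowed_domains=example.com allow_subdomains=true \
    client_flag=true server_flag=false max_ttl=720h
}

if [ -n "${RUN_EXAMPLE:-}" ]; then
  setup_intermediate pki_int /tmp/pki_int.csr
fi
```

If you do choose option (a), treat the import as a one-way move: the root key now lives in Vault's storage and every Vault operator with `config/ca` or `sys/raw` access effectively has it, so the offline copy should be destroyed or locked away and the mount's policies tightened accordingly.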
1
vote
3
answers
3k
views
Vault configuration supports environment variables?
Most configs support inline variables from the environment. Does the Vault configuration support environment variables? Something like:
ui = true
listener "tcp" {
...
1
vote
0
answers
27
views
HashiCorp Vault User Audit Capability
We're seeking a solution to enable us to audit our HashiCorp Vault instance to obtain a namespace breakdown of:
For each Vault user, the roles or groups that their entity belongs to.
Having reviewed ...
1
vote
0
answers
2k
views
Injected vault-agent pod failing to start, api server & vault aren't communicating
I have a local kubernetes cluster using kind. It is a single node cluster.
On this cluster I am following this guide to setup Vault & the vault-agent-injector.
If I follow the tutorial step by ...
1
vote
0
answers
704
views
Unable to fetch Vault Token for Pod Service Account
I am using Vault CSI Driver on Charmed Kubernetes v1.19 where I'm trying to retrieve secrets from Vault for a pod running in a separate namespace (webapp) with its own service account (webapp-sa) ...
1
vote
1
answer
872
views
Store AWX/Ansible Tower Database password in HashiCorp Vault
With AWX and Ansible Tower, I know you can use HashiCorp Vault to manage the passwords that you use inside your playbooks. For instance if you want to configure some network devices, the credentials ...
1
vote
1
answer
1k
views
Shift HashiCorp Vault secrets from one path (sub dir) to another
Good morning !
I am using Vault from HashiCorp and would like to move secrets and secrets structure around.
I have a bunch of secrets under a path, let say:
boo/foo/
boo/foo/bar/secret1
boo/foo/bar/...
1
vote
0
answers
2k
views
How to store Vault audit logs when running vault in a Docker container
I'm researching the various audit devices for Hashicorp Vault. My goal is to run Vault in a Docker environment (currently Docker Swarm). The File method is fairly straightforward, but I'm also ...
1
vote
1
answer
390
views
Use Vault to manage Kubernetes secrets
We are using Kubernetes on Google Kubernetes Engine - we currently have secrets added manually with the kubectl secret CLI.
To make the secrets management more secure and easier across the team, we ...
0
votes
2
answers
257
views
Oracle Cloud Native Environment setup with Vault failed on validating host names in certificate
I'm setting up an OLCNE environment with Hashicorp Vault PKI. I successfully installed the agent and set up Vault, and certificates were generated, but during module creation I get an error that the host name does not match ...
0
votes
1
answer
1k
views
How to convert configmap to azure keyvault
I have a configmap like below, which I will link to a config file in our application.
apiVersion: v1
kind: ConfigMap
metadata:
name: database-configmap
data:
config: |
dbport=5432
dcname=
...
0
votes
1
answer
588
views
How to use acr secret saved in azure vault for image pull?
With Azure Key Vault and the CSI driver, I am able to create secrets and access them as single files in the container.
I followed this approach to create basic secrets.
I can access the secrets from the container as ...
0
votes
1
answer
130
views
Managing Authentication on REST APIs
The scenario is, I want to manage authentication in several REST APIs deployed in different environments.
I've been reading about the Vault, and apparently, it has this feature.
With Vault it is possible ...
0
votes
1
answer
1k
views
How to permanently set vault token and url remote server in macos
On Linux I'm setting the Vault variables in /etc/environment as follows:
export VAULT_URL='https://some-remote-server.org:8200/'
export VAULT_TOKEN='SoMeToKeN'
But when I'm typing this in macOS, after $> ...
0
votes
1
answer
772
views
Vault pod going to crashLoopBackOff state on restarting
We have configured vault to run as a pod in the cluster. In the below deployment YAML file, we have included the vault initialisation and unsealing to happen when the pod comes up initially. But when ...
0
votes
1
answer
232
views
Trying to deploy vault:1.2.4 in kubernetes
I have been trying to bring up a Vault pod in K8!, I am using vault:1.2.4
and I have added the capability and config in the yaml as mentioned in the official docker page of vault
But still, I always ...
0
votes
1
answer
640
views
Consul, vault and postgres containers don't communicate
I'm trying to set up Consul with Vault for secrets management for Postgres with Docker. Here is my configuration
Dockerfile:
FROM python:3.6-slim
ENV VAULT_VERSION 0.11.1
ENV CONSUL_VERSION 1.2.3
...
0
votes
0
answers
10
views
Cannot register new ACME account on vault ACME endpoint
I have set up a new instance of Hashicorp's Vault, following the tutorial instructions on Hashicorp's own website on how to configure ACME. However, I am unable to register new ACME accounts using ...
0
votes
1
answer
36
views
Hashicorp Vault transit auto unseal cluster is not receiving requests from transit seal configuration in main cluster (or requests are not being sent)
I am trying to set up auto-unseal for hashicorp vault using the transit secrets engine and two HA clusters. Cluster A is responsible for unsealing cluster B. My issue is that Cluster B (the main ...
0
votes
0
answers
358
views
Rancher RKE2 Cert-manager's Vault issuer says "permission denied"
Does anyone know what's wrong with Rancher RKE2 clusters, please? I've hit strange problems during the deployment of Cert-manager with Vault issuer where Vault gets "permission denied" (or ...
0
votes
0
answers
368
views
ansible proxmox inventory plugin vault
Hope you're doing well.
I got a very basic question about ansible inventory plugins, specifically the proxmox one:
https://docs.ansible.com/ansible/latest/collections/community/general/...
0
votes
0
answers
127
views
Need advice on ansible-pull and vault
Hope you're doing well.
I have this design headache
My very basic interrogation here is: how can I implement ansible-pull in a "secure" way with the KISS principle?
For example i use ansible-pull ...
0
votes
0
answers
439
views
Unable to access keyvault when assigned to group, how to fix that?
I have created a keyvault and added a few keys and, while creating it, provided access to a service principal using an azure bicep template.
var permissionContributorId = 'f25e0fa2-a7c8-4377-a976-54943a77a395'
...
0
votes
0
answers
1k
views
Enable Vault JWT using `-tls-skip-verify` with EKS ca.crt fails with `x509: certificate signed by unknown authority`
We need to enable JWT auth in vault which is hosted within our EKS cluster in preparation for using K8s 1.24 OIDC and testing token renewal with Vault. I'm following documentation from a few places:
...
0
votes
0
answers
210
views
Apache 2.4 Forward proxy TLS connection refused
I am trying to run hashicorp vault server in a Docker container behind an Apache Forward Proxy (httpd v2.4; running in a container for testing purposes). Vault is set to use AWS KMS for Autounseal. ...
0
votes
1
answer
430
views
Is HashiCorp Vault the correct tool to store users sensitive information
Is Vault the correct tool to store sensitive information about users, e.g. their pay rate or personal id?
"Normal" employee/user must only have access to his own data but the users with ...
0
votes
1
answer
342
views
Hashicorp Vault - AWS EKS vs EC2
Is it possible to install a Hashicorp Vault cluster to EC2 only or is EKS required and would there be a big advantage to one over the other?
0
votes
0
answers
1k
views
Deployment not able to spin the hashicorp vault linked containers, how to fix that?
I have followed the steps mentioned in the link
Came till the deployment part, last before step.
After deployment, the pods status is stuck at creation.
kubectl get pods --watch
NAME ...
0
votes
1
answer
2k
views
Azure key vault volume not accessible, how to fix that?
I have followed the walkthrough provided in this link
And at step 6, I have tried to create a pod with the volume linked to the keyvault.
But it is not able to access the volume.
kubectl get pods
NAME ...
0
votes
1
answer
32
views
Azure Retention policy for new servers - will the first backup be retained long term
We have an Azure tenancy with a backup policy doing Daily (retained 30 days), Weekly (retained 10 weeks), and Annual (triggered on the first SAT in JAN, retained for 7 years).
I have just migrated a bunch ...
0
votes
2
answers
725
views
vault init hangs on kubernetes
I'm trying to set up an autosealing vault cluster in kubernetes but I'm seeing some strange behaviour.
I have one vault providing the transit secret to auto-unseal the second vault. They are running ...
0
votes
1
answer
2k
views
How to Use Azure Key Vault w/ Web App
I have an Azure Web App for a client project. The project also requires Azure SQL Databases and Blob Storage. All pieces mentioned are up and running but we've been told we can't have any password ...