
Enabling HashiCorp Vault

This document explains how to enable HashiCorp Vault in the Aggregator settings. HashiCorp Vault is a tool for securely storing and managing secrets, such as API keys and passwords.

Configuration Options

Tip: Ensure that HashiCorp Vault is correctly installed and accessible at the specified Vault URI before proceeding with the configuration.

Environment Variables

To configure the HashiCorp Vault using environment variables:

  1. Set the vault address using VAULT_ADDR=<vault uri>.
  2. Set the vault access token using one of the following options:
    • VAULT_TOKEN=<vault access token>
    • Place the token in the .vault-token file in the user.home directory

Note: Token path mangling is not supported for VAULT_TOKEN and .vault-token; the token value is read verbatim.

Optional Properties

  • SSL certificate path: VAULT_SSL_CERT=<path to cert pem file>
  • SSL verification: VAULT_SSL_VERIFY=<true|false> (default=true)
  • Open timeout: VAULT_OPEN_TIMEOUT=<timeout sec>
  • Read timeout: VAULT_READ_TIMEOUT=<timeout sec>

Java System Properties

To configure the HashiCorp Vault using java system properties:

  1. Set the vault address using -Dvault.addr=<vault uri>.
  2. Set the vault access token using -Dvault.token=<vault access token>.

Optional Properties

  • SSL certificate path: -Dvault.ssl.cert=<path to cert pem file>
  • SSL verification: -Dvault.ssl.verify=<true|false>
  • Open timeout: -Dvault.open.timeout=<timeout sec>
  • Read timeout: -Dvault.read.timeout=<timeout sec>
  • Engine version: -Dvault.engine.version=<engine version> (default=2)

Aggregator & QSArchitect

Vault settings can be configured in the Aggregator's admin.properties or QSArchitect's configuration file as follows:

```properties
QuantServer.enableVault=true
QuantServer.vault.addr=http://localhost:8200
QuantServer.vault.token=EV6af9...encoded token value
QuantServer.vault.sslCert=
```

To configure in QSArchitect, follow the steps shown in the screenshot:

[Screenshot: hashicorp qsarchitect config steps]

Defining Secrets

To securely reference secrets stored in the vault within your application configurations, use the template syntax vault:<path>/<name>, where <path> is the location of the secret in the vault and <name> is the secret's name.

For example, if there is a secret named my_secret located at /secret/my/sub/dir, specify it in the configuration as:

vault:/secret/my/sub/dir/my_secret
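The following resolver is an added example, not the Aggregator's or QSArchitect's own code; the module, function and parameter names are hypothetical. It splits a vault:<path>/<name> reference into the KV mount, secret path and key, builds the Vault HTTP API URL for KV engine version 2 (the documented default) or version 1, applies the VAULT_TOKEN-then-.vault-token precedence from the environment-variables section, and reads the key from the response; the HTTP call is injectable so it can be exercised against a constructed reply.

```python
# Added example (not the Aggregator's own code); names are hypothetical.
# The fetcher is injectable so the parsing and response handling run offline.
import json
import os
import re
import ssl
import urllib.request
from pathlib import Path

# vault:/<mount>/<path...>/<name>; the leading slash is optional
REF = re.compile(r"^vault:/?(?P<mount>[^/]+)/(?P<path>.+)/(?P<name>[^/]+)$")

def parse_ref(value):
    """Split 'vault:/secret/my/sub/dir/my_secret' into (mount, path, name);
    return None for a plain value so callers can pass it through."""
    m = REF.match(value)
    return (m["mount"], m["path"], m["name"]) if m else None

def kv_url(addr, mount, path, engine_version=2):
    """KV v2 inserts '/data/' after the mount; KV v1 does not (default is v2)."""
    base = f"{addr.rstrip('/')}/v1/{mount}"
    return f"{base}/data/{path}" if engine_version == 2 else f"{base}/{path}"

def load_token(env=os.environ, home=Path.home()):
    """VAULT_TOKEN takes precedence; otherwise read ~/.vault-token verbatim."""
    if env.get("VAULT_TOKEN"):
        return env["VAULT_TOKEN"].strip()
    return (home / ".vault-token").read_text().strip()

def http_get_json(url, token, verify=True, cafile=None):
    """Default fetcher: X-Vault-Token header, TLS verified unless disabled."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:  # mirrors VAULT_SSL_VERIFY=false; keep it true in production
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def resolve(value, addr, token, engine_version=2, fetch=http_get_json):
    """Return the secret behind a vault: reference, or the value unchanged."""
    ref = parse_ref(value)
    if ref is None:
        return value
    mount, path, name = ref
    body = fetch(kv_url(addr, mount, path, engine_version), token)
    data = body["data"]["data"] if engine_version == 2 else body["data"]
    if name not in data:
        raise KeyError(f"{value}: no key {name!r} under {mount}/{path}")
    return data[name]
```

A value that does not start with vault: is returned unchanged, so the resolver can be applied to every configuration value; a reference whose key is absent from the secret raises rather than silently yielding an empty string.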