HashiCorp: Set up a Vault using Approle

Overview

As you set up the HashiCorp Vault, collect the following information, which is required in the Snaplex node configuration file:
  • Cluster URL
  • RoleID
  • SecretID
  • Vault Namespace
Warning: With the release of LDAP authentication support for your HashiCorp Vaults, the secrets-config.json file requires a new key, auth_method, with a value of approle or ldap. You must update each of your existing Snaplex node configuration files to include this key-value pair, "auth_method": "approle", as prescribed in Step 1a-Approle of configuring your Groundplex nodes.
  1. Create a Vault Cluster.
    You need one private Cluster per Vault.
    From this step, you will get the Cluster URL, which must be a private URL that establishes peer communication with your Groundplex nodes.
  2. Enable and configure AppRole authentication.
    Snaplex nodes use AppRole authentication by default.

    You must create a role for each Vault and then associate the role with one or more policies.

    From this step, you will retrieve the RoleID and generate the SecretID for each role you create.
  3. Create Vault policies.
    To use an HCP Vault policy for Snaplex access, it must grant the following:
    • Permissions to look up, renew, and revoke the AppRole token.
    • Read access to the Key/Value Secrets Engine.

    Example 1: Snippet of an HCP Vault policy to grant the required permissions to look up, renew, and revoke the AppRole token.

    # Allow tokens to look up their own properties
    path "auth/token/lookup-self" {
        capabilities = ["read"]
    }

    # Allow tokens to renew themselves
    path "auth/token/renew-self" {
        capabilities = ["update"]
    }

    # Allow tokens to revoke themselves
    path "auth/token/revoke-self" {
        capabilities = ["update"]
    }

    # Allow a token to look up its own capabilities on a path
    path "sys/capabilities-self" {
        capabilities = ["update"]
    }


    Example 2: Snippet of an HCP Vault policy to grant read access to the Key/Value Secrets Engine.

    # Allow a token to manage its cubbyhole
    path "cubbyhole/*" {
        capabilities = ["create", "read", "update", "delete", "list"]
    }

    # Allow read-only access to the kv secrets engine
    path "kv/*" {
        capabilities = ["read"]
    }

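    The two snippets above are the minimum a Snaplex policy must grant. The following is an added example, not part of the SnapLogic or HashiCorp documentation: a small Python checker that reads a policy in Vault's path/capabilities HCL form and reports which of the required grants (lookup-self read, renew-self update, revoke-self update, read on kv/*) are still missing. The parser, the glob handling and the sample policies are assumptions constructed for this example; the required-grant table is taken from the snippets above.

```python
import re
from typing import Dict, Set

# Grants a Snaplex policy must carry, taken from the two policy snippets above.
REQUIRED_GRANTS: Dict[str, Set[str]] = {
    "auth/token/lookup-self": {"read"},
    "auth/token/renew-self": {"update"},
    "auth/token/revoke-self": {"update"},
    "kv/*": {"read"},
}

PATH_BLOCK = re.compile(r'path\s+"(?P<path>[^"]+)"\s*\{(?P<body>[^}]*)\}')
CAPABILITIES = re.compile(r'capabilities\s*=\s*\[(?P<caps>[^\]]*)\]')


def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    """Minimal reader for Vault policy HCL: drops '#' comments, then maps each
    path stanza to its capability set. Enough for path/capabilities policies;
    it does not handle heredocs or parameter-constraint stanzas."""
    no_comments = "\n".join(line.split("#", 1)[0] for line in hcl.splitlines())
    grants: Dict[str, Set[str]] = {}
    for stanza in PATH_BLOCK.finditer(no_comments):
        caps_match = CAPABILITIES.search(stanza.group("body"))
        caps = set(re.findall(r'"([^"]+)"', caps_match.group("caps"))) if caps_match else set()
        grants.setdefault(stanza.group("path"), set()).update(caps)
    return grants


def path_covers(policy_path: str, wanted: str) -> bool:
    """Vault policy paths match exactly or, with a trailing '*', as a prefix glob."""
    if policy_path.endswith("*"):
        return wanted.startswith(policy_path[:-1])
    return policy_path == wanted


def missing_grants(hcl: str, required: Dict[str, Set[str]] = REQUIRED_GRANTS) -> Dict[str, Set[str]]:
    """Return {required_path: capabilities still lacking}; an empty dict means the policy passes."""
    grants = parse_policy(hcl)
    missing: Dict[str, Set[str]] = {}
    for wanted_path, wanted_caps in required.items():
        have: Set[str] = set()
        for policy_path, caps in grants.items():
            if "deny" in caps:  # 'deny' wins over every other capability on that path
                continue
            if path_covers(policy_path, wanted_path):
                have |= caps
        lacking = wanted_caps - have
        if lacking:
            missing[wanted_path] = lacking
    return missing


# Constructed sample: Example 1 and Example 2 from the page joined into one policy.
SNAPLEX_POLICY = """
# Allow tokens to look up their own properties
path "auth/token/lookup-self" {
    capabilities = ["read"]
}
path "auth/token/renew-self" {
    capabilities = ["update"]
}
path "auth/token/revoke-self" {
    capabilities = ["update"]
}
path "sys/capabilities-self" {
    capabilities = ["update"]
}
path "cubbyhole/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
}
path "kv/*" {
    capabilities = ["read"]
}
"""

# Constructed sample of an incomplete policy: no renew-self, and only list on kv.
INCOMPLETE_POLICY = """
path "auth/token/lookup-self" { capabilities = ["read"] }
path "auth/token/revoke-self" { capabilities = ["update"] }
path "kv/*" { capabilities = ["list"] }
"""

if __name__ == "__main__":
    for name, policy in (("snaplex", SNAPLEX_POLICY), ("incomplete", INCOMPLETE_POLICY)):
        gaps = missing_grants(policy)
        print(f"{name}: {'OK' if not gaps else 'MISSING ' + str(gaps)}")
```

    Running the script reports the joined page policy as OK and the incomplete one as missing update on auth/token/renew-self and read on kv/*. A deny capability on a path is treated as removing that path's grants, which is how Vault resolves it; a policy that grants broader globs such as auth/token/* is accepted because the glob covers the required paths.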
  4. Create a Key/Value Secrets Engine.
  5. In the new Vault, create the secrets containing your endpoint credentials.
    SnapLogic accounts reference each secret by its path and secret name.
  6. Determine or create the namespaces you need.
    The Vault namespace depends on the HashiCorp product.
    • In HashiCorp Cloud Platform (HCP),
      • Default: admin
      • The name of the namespace that you created.
    • In HashiCorp Enterprise, the name of the namespace that you created.
    • In HashiCorp Open Source, root.
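The four values collected above (Cluster URL, RoleID, SecretID, Vault Namespace) are consumed as follows by any AppRole client, including a Snaplex node. The block below is an added example written for this page, not SnapLogic's or HashiCorp's code: it builds the AppRole login call and the subsequent secret read against Vault's HTTP API, sending the namespace in the X-Vault-Namespace header and the client token from the login reply in X-Vault-Token. The https-only check on the cluster URL, the hostname vault.example.internal and the placeholder RoleID, SecretID and secret path are assumptions constructed for the example; the API paths (/v1/auth/approle/login, /v1/<mount>/data/<path> for KV v2, /v1/<mount>/<path> for KV v1) are Vault's own.

```python
import json
import urllib.request
from typing import Any, Dict, Optional
from urllib.parse import urlparse

VAULT_API = "/v1"


def check_cluster_url(cluster_url: str) -> str:
    """Accept only an https base URL (scheme + host[:port], no path or query) and
    return it without a trailing slash. Assumption added here: the private cluster
    URL is always reached over TLS."""
    parts = urlparse(cluster_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"cluster URL must look like https://host[:port], got {cluster_url!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("cluster URL must not carry a path, query or fragment")
    return cluster_url.rstrip("/")


def approle_login_request(cluster_url: str, namespace: str, role_id: str, secret_id: str) -> Dict[str, Any]:
    """AppRole login: POST <cluster>/v1/auth/approle/login with RoleID and SecretID in
    the body and the namespace in the X-Vault-Namespace header."""
    base = check_cluster_url(cluster_url)
    return {
        "method": "POST",
        "url": f"{base}{VAULT_API}/auth/approle/login",
        "headers": {"X-Vault-Namespace": namespace, "Content-Type": "application/json"},
        "body": {"role_id": role_id, "secret_id": secret_id},
    }


def kv_read_request(cluster_url: str, namespace: str, client_token: str,
                    mount: str, secret_path: str, kv_version: int = 2) -> Dict[str, Any]:
    """Read one secret with the client token from the login reply. A KV v2 engine
    serves data under <mount>/data/<path>; KV v1 serves it under <mount>/<path>.
    The 'kv/*' policy path from step 3 covers both layouts through its trailing glob."""
    base = check_cluster_url(cluster_url)
    segment = f"{mount}/data/{secret_path}" if kv_version == 2 else f"{mount}/{secret_path}"
    return {
        "method": "GET",
        "url": f"{base}{VAULT_API}/{segment}",
        "headers": {"X-Vault-Namespace": namespace, "X-Vault-Token": client_token},
        "body": None,
    }


def send(request: Dict[str, Any]) -> Dict[str, Any]:
    """Send a built request with urllib and decode the JSON reply (needs a reachable Vault)."""
    data: Optional[bytes] = None
    if request["body"] is not None:
        data = json.dumps(request["body"]).encode()
    req = urllib.request.Request(request["url"], data=data, method=request["method"],
                                 headers=request["headers"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def fetch_secret(cluster_url: str, namespace: str, role_id: str, secret_id: str,
                 mount: str, secret_path: str, kv_version: int = 2) -> Dict[str, Any]:
    """Full exchange: log in, take auth.client_token from the reply, then read the secret."""
    login = send(approle_login_request(cluster_url, namespace, role_id, secret_id))
    token = login["auth"]["client_token"]
    reply = send(kv_read_request(cluster_url, namespace, token, mount, secret_path, kv_version))
    return reply["data"]["data"] if kv_version == 2 else reply["data"]


if __name__ == "__main__":
    # Placeholder values; a real run needs the RoleID/SecretID from step 2 and a reachable cluster.
    login = approle_login_request("https://vault.example.internal:8200", "admin",
                                  "ROLE_ID_PLACEHOLDER", "SECRET_ID_PLACEHOLDER")
    print(login["method"], login["url"], login["headers"]["X-Vault-Namespace"])
    read = kv_read_request("https://vault.example.internal:8200", "admin", "TOKEN_PLACEHOLDER",
                           "kv", "snaplogic/db-account")
    print(read["method"], read["url"])
```

The namespace value from step 6 (admin on HCP by default, root on Open Source, or the namespace you created) goes into every request as the X-Vault-Namespace header; getting it wrong produces a login failure rather than a wrong secret, which makes it the first thing to check when a node cannot authenticate.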