Set up a HashiCorp Vault using AppRole.
Overview
As you set up the HashiCorp Vault, collect the following information for the Snaplex node configuration file:
- Cluster URL
- RoleID
- SecretID
- Vault Namespace
Warning: With support for LDAP authentication on HashiCorp Vaults, the secrets-config.json file requires the key auth_method with the value approle or ldap. If you have an older configuration, you must update each of your existing Snaplex node configuration files to include this key-value pair, "auth_method": "approle", as prescribed in Step 1a-Approle of configuring your Groundplex nodes.
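The warning asks you to revisit every existing node configuration file. The following script is an added example (not SnapLogic code) that scans secrets-config.json files for the auth_method key and reports files that lack it or carry an unsupported value, with a helper that adds the default. It assumes auth_method is a top-level key of the JSON object, as the snippet "auth_method": "approle" suggests; the other keys in the constructed sample files are placeholders, not SnapLogic's key names.

```python
"""Check Snaplex node secrets-config.json files for the auth_method key.
Added example, not SnapLogic code. Assumption: auth_method is a top-level
key of the JSON object; other keys in the samples are placeholders."""
import json
from pathlib import Path
from typing import Dict, List

ALLOWED_AUTH_METHODS = ("approle", "ldap")


def check_auth_method(config_text: str) -> List[str]:
    """Return the problems found in one config file; an empty list means it is fine."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["top-level value is not a JSON object"]
    if "auth_method" not in cfg:
        return ['missing "auth_method": older configuration, add "auth_method": "approle" or "ldap"']
    value = cfg["auth_method"]
    if value not in ALLOWED_AUTH_METHODS:
        return [f'"auth_method" is {value!r}; expected "approle" or "ldap"']
    return []


def add_default_auth_method(config_text: str, method: str = "approle") -> str:
    """Return the config with auth_method added when absent; an existing value is kept."""
    if method not in ALLOWED_AUTH_METHODS:
        raise ValueError(f"unsupported auth_method {method!r}")
    cfg = json.loads(config_text)
    cfg.setdefault("auth_method", method)
    return json.dumps(cfg, indent=2)


def scan_directory(root: Path) -> Dict[str, List[str]]:
    """Map every secrets-config.json found under root to its list of problems."""
    return {str(p): check_auth_method(p.read_text()) for p in root.rglob("secrets-config.json")}


# Constructed sample files: a pre-LDAP config, an updated one, and one with a bad value.
OLD_CONFIG = '{"cluster_url_placeholder": "https://vault.example.internal:8200"}'
NEW_CONFIG = '{"auth_method": "approle", "cluster_url_placeholder": "https://vault.example.internal:8200"}'
BAD_CONFIG = '{"auth_method": "token"}'

if __name__ == "__main__":
    for name, text in (("old", OLD_CONFIG), ("new", NEW_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_auth_method(text) or "ok")
    print(add_default_auth_method(OLD_CONFIG))
```

Run scan_directory over the directory that holds your node configuration files to get a per-file report before touching anything; add_default_auth_method only fills in a missing key and never overwrites a value that is already set.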
- Create a Vault Cluster. You need one private Cluster per Vault. From this step, you will get the Cluster URL, which must be a private URL that establishes peer communication with your Groundplex nodes.
- Enable and configure AppRole authentication. Snaplex nodes use AppRole authentication by default. You must create a role for each Vault and then associate the role with one or more policies. From this step, you will retrieve the RoleID and generate the SecretID for each role you create.
- Create Vault policies. To use an HCP Vault policy for Snaplex access, it must grant the following:
  - Permissions to look up, renew, and revoke the AppRole token.
  - Read access to the Key/Value Secrets Engine.
Example 1: Snippet of an HCP Vault policy to grant the required permissions to look up, renew, and revoke the AppRole token.
# Allow tokens to look up their own properties
path "auth/token/lookup-self" {
capabilities = ["read"]
}
# Allow tokens to renew themselves
path "auth/token/renew-self" {
capabilities = ["update"]
}
# Allow tokens to revoke themselves
path "auth/token/revoke-self" {
capabilities = ["update"]
}
# Allow a token to look up its own capabilities on a path
path "sys/capabilities-self" {
capabilities = ["update"]
}
Example 2: Snippet of an HCP Vault policy to grant read access to the Key/Value Secrets Engine.
# Allow a token to manage its cubbyhole
path "cubbyhole/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
# Allow a token to manage its secret engine kv
path "kv/*" {
capabilities = ["read"]
}
- Create a Key/Value Secrets Engine.
- In the new Vault, create the secrets containing your endpoint credentials. The SnapLogic accounts reference each secret by its path and secret name.
- Determine or create the namespaces you need. The Vault namespace depends on the HashiCorp product:
  - In HashiCorp Cloud Platform (HCP): the default namespace, admin, or the name of the namespace that you created.
  - In HashiCorp Enterprise: the name of the namespace that you created.
  - In HashiCorp Open Source: root.
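The steps above produce a Cluster URL, a RoleID, a SecretID and a namespace, and the policies in Examples 1 and 2 decide what the resulting token may do. The following is an added example (not SnapLogic's or HashiCorp's code) of the exchange a node performs with those four values: an AppRole login, a Key/Value read, and the self-renewal that Example 1 permits. It uses the Vault HTTP API paths auth/approle/login, auth/token/renew-self and the Key/Value read path; the transport is pluggable so the block runs offline against the constructed FakeVault at the bottom, which only enforces what the policies grant (a valid token, reads under kv/). Assumptions are marked in the comments: the namespace header is omitted for the Open Source root namespace, and the secret path kv/data/snaplogic/oracle-prod with its contents is constructed.

```python
"""AppRole login, KV read and token renewal against a Vault cluster.
Added example, not SnapLogic's or HashiCorp's code."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Transport: (method, url, headers, json body or None) -> (status, parsed JSON body)
HttpFn = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


class VaultError(RuntimeError):
    """Raised when Vault answers with a non-200 status."""


def urllib_http(method: str, url: str, headers: Dict[str, str], body: Optional[dict]) -> Tuple[int, dict]:
    """Real transport over HTTPS using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # Vault returns JSON {"errors": [...]} on failure
        return err.code, json.loads(err.read() or b"{}")


def vault_headers(namespace: str, token: Optional[str] = None) -> Dict[str, str]:
    """X-Vault-Namespace for HCP (admin by default) or Enterprise namespaces.
    Assumption: the Open Source root namespace needs no namespace header."""
    headers = {"Content-Type": "application/json"}
    if namespace and namespace != "root":
        headers["X-Vault-Namespace"] = namespace
    if token:
        headers["X-Vault-Token"] = token
    return headers


def approle_login(http: HttpFn, cluster_url: str, namespace: str, role_id: str, secret_id: str) -> Tuple[str, int]:
    """Exchange RoleID + SecretID for a client token and its lease duration in seconds."""
    status, body = http("POST", f"{cluster_url}/v1/auth/approle/login",
                        vault_headers(namespace), {"role_id": role_id, "secret_id": secret_id})
    if status != 200:
        raise VaultError(f"AppRole login failed: HTTP {status} {body.get('errors')}")
    return body["auth"]["client_token"], body["auth"]["lease_duration"]


def read_kv_secret(http: HttpFn, cluster_url: str, namespace: str, token: str,
                   mount: str, secret_path: str, kv_version: int = 2) -> dict:
    """Read one secret. KV v2 inserts data/ into the API path and nests the
    values under data.data; KV v1 does neither. Both stay under the kv/* policy glob."""
    api_path = f"{mount}/data/{secret_path}" if kv_version == 2 else f"{mount}/{secret_path}"
    status, body = http("GET", f"{cluster_url}/v1/{api_path}", vault_headers(namespace, token), None)
    if status != 200:
        raise VaultError(f"read of {api_path} failed: HTTP {status} {body.get('errors')}")
    return body["data"]["data"] if kv_version == 2 else body["data"]


def renew_self(http: HttpFn, cluster_url: str, namespace: str, token: str) -> int:
    """Renew the running token; needs the update capability on auth/token/renew-self."""
    status, body = http("POST", f"{cluster_url}/v1/auth/token/renew-self", vault_headers(namespace, token), {})
    if status != 200:
        raise VaultError(f"renew-self failed: HTTP {status} {body.get('errors')}")
    return body["auth"]["lease_duration"]


def fetch_endpoint_credentials(http: HttpFn, cluster_url: str, namespace: str, role_id: str,
                               secret_id: str, mount: str, secret_path: str) -> dict:
    """The whole node-side flow: log in, then read the endpoint credentials."""
    token, _ = approle_login(http, cluster_url, namespace, role_id, secret_id)
    return read_kv_secret(http, cluster_url, namespace, token, mount, secret_path)


class FakeVault:
    """Constructed offline stand-in for one cluster. All values below are made up."""
    ROLE_ID = "constructed-role-id"
    SECRET_ID = "constructed-secret-id"
    TOKEN = "hvs.constructed-token"
    SECRETS = {"kv/data/snaplogic/oracle-prod": {"username": "svc_snaplogic", "password": "constructed-password"}}

    def __call__(self, method, url, headers, body):
        path = url.split("/v1/", 1)[1]
        if method == "POST" and path == "auth/approle/login":
            if body == {"role_id": self.ROLE_ID, "secret_id": self.SECRET_ID}:
                return 200, {"auth": {"client_token": self.TOKEN, "lease_duration": 3600}}
            return 400, {"errors": ["invalid role or secret ID"]}
        if headers.get("X-Vault-Token") != self.TOKEN:  # every other call needs the token
            return 403, {"errors": ["permission denied"]}
        if method == "POST" and path == "auth/token/renew-self":
            return 200, {"auth": {"client_token": self.TOKEN, "lease_duration": 3600}}
        if method == "GET" and path in self.SECRETS:  # read on kv/* only
            return 200, {"data": {"data": self.SECRETS[path]}}
        return 403, {"errors": ["permission denied"]}


if __name__ == "__main__":
    url = "https://vault-private.example.internal:8200"  # placeholder private Cluster URL
    print(fetch_endpoint_credentials(FakeVault(), url, "admin", FakeVault.ROLE_ID,
                                     FakeVault.SECRET_ID, "kv", "snaplogic/oracle-prod"))
```

Swap FakeVault() for urllib_http to run the same flow against a real cluster. If the policy attached to the role lacks the renew-self grant from Example 1, renew_self is the call that starts failing once the initial lease runs down, and a read under any mount other than the one granted in Example 2 returns the same permission denied error the fake produces.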