Martini Services Storing Secrets

Secure management and storage of secrets are critical for maintaining the integrity and security of an application. Martini leverages Vault for robust secrets management, offering encrypted storage, fine-grained access control, and a complete audit trail.

Security Considerations

When dealing with sensitive information, consider the following security practices:

  • Ensure secure communication channels (e.g., HTTPS) when interacting with the Vault server.
  • Regularly rotate and manage access tokens and keys to minimize risks.
  • Implement least privilege access control to limit access to sensitive data.
  • Regularly audit access logs and review permissions.

Vault Configuration in Martini

To integrate Martini with Vault for secrets management, configure the following properties:

Required Properties

  • Vault.url: The URL of the Vault server. This property is mandatory to enable the Vault feature within Martini.
  • Vault.token: The token used to authenticate with the Vault server.

Optional Authentication Methods

  • Vault.authentication: Defaults to TOKEN. For other methods, specify AWS_IAM, AWS_EC2, or KUBERNETES.
  • AWS IAM Configuration:
    • Vault.aws-iam.access-key
    • Vault.aws-iam.secret-access-key
    • Vault.aws-iam.server-name
    • Vault.aws-iam.role
  • AWS EC2 Configuration:
    • Vault.aws-ec2.aws-ec2-path
    • Vault.aws-ec2.role
    • Vault.aws-ec2.identity-document
    • Vault.aws-ec2.nonce
  • Kubernetes Configuration:
    • Vault.kubernetes.role
    • Vault.kubernetes.jwt-token

Operations

Martini supports various operations with Vault, including reading, writing, deleting, and encrypting data. Each operation takes its own set of parameters:

  • read, write, delete: Operate on data in Vault.
  • encryptString, decrypt: Encrypt or decrypt strings using Vault's transit secrets engine.
  • Versioned operations (e.g., readVersioned, writeVersioned): Manage versioned secrets.

Password Encryption

Martini uses AES-GCM for encrypting passwords by default. To use Vault for password encryption:

  • Configure vault.transit.mount_path and vault.transit.encryption_key.
  • Migrate any existing plaintext passwords to the new encryption standard as necessary.
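As an added example, not Martini's own code, of what the transit settings above and the encryptString/decrypt operations correspond to on the Vault side: the mount path and key name become the /v1/<mount>/encrypt/<key> and /decrypt/<key> API paths, every ciphertext carries the version of the transit key that produced it, and after a key rotation ciphertexts under an older version can be rewrapped without exposing the plaintext. The Vault URL, key name and the offline FakeTransit stand-in are constructed for illustration; the real transport is vault_post.

```python
import base64
import json
import re
import urllib.request

# Constructed values; the two transit settings mirror the Martini properties
# vault.transit.mount_path and vault.transit.encryption_key named on the page.
VAULT_URL = "https://vault.example.internal:8200"
MOUNT_PATH = "transit"
ENCRYPTION_KEY = "martini-passwords"
CIPHERTEXT_RE = re.compile(r"^vault:v(\d+):")

def vault_post(path, payload, token, url=VAULT_URL):
    """Real transport: POST JSON to Vault's HTTP API (HTTPS keeps the token and plaintext off the wire in clear)."""
    req = urllib.request.Request(f"{url}/v1/{path}", data=json.dumps(payload).encode(), method="POST",
                                 headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def encrypt_password(password, post, mount=MOUNT_PATH, key=ENCRYPTION_KEY):
    """Transit takes base64 plaintext and returns a 'vault:vN:...' ciphertext."""
    plaintext = base64.b64encode(password.encode()).decode()
    return post(f"{mount}/encrypt/{key}", {"plaintext": plaintext})["data"]["ciphertext"]

def decrypt_password(ciphertext, post, mount=MOUNT_PATH, key=ENCRYPTION_KEY):
    body = post(f"{mount}/decrypt/{key}", {"ciphertext": ciphertext})["data"]["plaintext"]
    return base64.b64decode(body).decode()

def rewrap_password(ciphertext, post, mount=MOUNT_PATH, key=ENCRYPTION_KEY):
    """Re-encrypt under the newest key version; the plaintext never leaves Vault."""
    return post(f"{mount}/rewrap/{key}", {"ciphertext": ciphertext})["data"]["ciphertext"]

def key_version(ciphertext):
    m = CIPHERTEXT_RE.match(ciphertext)
    if not m:
        raise ValueError("not a Vault transit ciphertext")
    return int(m.group(1))  # lower than the current key version means: rewrap it

class FakeTransit:
    """Offline stand-in for the Vault API so the example runs without a server: base64 only, NOT encryption."""
    def __init__(self):
        self.version = 1  # bump to simulate rotating the transit key
    def __call__(self, path, payload):
        op = path.split("/")[1]
        if op == "encrypt":
            return {"data": {"ciphertext": f"vault:v{self.version}:{payload['plaintext']}"}}
        body = CIPHERTEXT_RE.sub("", payload["ciphertext"], count=1)
        if op == "decrypt":
            return {"data": {"plaintext": body}}
        return {"data": {"ciphertext": f"vault:v{self.version}:{body}"}}  # rewrap
```

Against a real server, pass functools.partial(vault_post, token=...) in place of the FakeTransit instance; the key_version check is what a rotation audit runs over stored passwords.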

Connecting Martini to Vault

To connect Martini to your Vault server, for example when using AWS IAM authentication, follow these steps:

  1. Complete the necessary setup in AWS and Vault as per the guidelines.
  2. Test the setup using Vault’s CLI or API to ensure connectivity.
  3. Configure the required properties in Martini's settings.