Martini Vault Functions

Vault offers robust encryption services with stringent authentication and authorization techniques. It enables the secure handling, strict regulation, and auditable management of secrets and other sensitive data through its UI, CLI, or HTTP API.

Vault Configuration

To use the Vault functions in Martini, set the following properties in the properties file:

  • Vault.url: Mandatory. Specifies the URL of the Vault server.
  • Vault.token: The token used for Vault login.
  • Vault.authentication: Defaults to TOKEN. Other options include AWS_IAM, AWS_EC2, KUBERNETES.
  • Vault.aws-iam.access-key: AWS IAM access key.
  • Vault.aws-iam.secret-access-key: AWS IAM secret access key.
  • Vault.aws-iam.server-name: The Vault server's name, sent in the Vault-AWS-IAM-Server-ID header.
  • Vault.aws-iam.role: The role in Vault for AWS IAM login.
  • Vault.aws-ec2.aws-ec2-path: Mount path for AWS authentication, default is "aws".
  • Vault.aws-ec2.role: The role in Vault for AWS EC2 login.
  • Vault.aws-ec2.identity-document: URL of the EC2 instance's identity document, defaults to http://169.254.169.254/latest/dynamic/instance-identity/pkcs7.
  • Vault.aws-ec2.nonce: Nonce value for AWS auth method.
  • Vault.kubernetes.role: The role in Vault for Kubernetes login.
  • Vault.kubernetes.jwt-token: The decoded JWT token from a Kubernetes service account secret.

Parameters

| Name | Required Fields | Description |
| --- | --- | --- |
| read | pathToKey | Retrieve data in Vault |
| readVersioned | mountPath, pathToKey | Retrieve data in Vault v2 |
| write | pathToKey, values | Add data in Vault |
| writeVersioned | mountPath, pathToKey, values | Add data in Vault v2 |
| delete | pathToKey | Remove data in Vault |
| deleteVersioned | mountPath, pathToKey | Remove data in Vault v2 |
| undeleteVersioned | mountPath, pathToKey, version | Recover removed data in Vault v2 |
| destroyVersioned | mountPath, pathToKey, version | Permanently remove data in Vault v2 |
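As an added illustration (not Martini's own code), the helper below maps each function in the table onto the Vault HTTP API request it corresponds to, following Vault's KV v1 and KV v2 endpoints, and enforces the required fields from the table. The URL and token are placeholders for Vault.url and Vault.token, and the assumption that Martini performs exactly these calls internally is mine, not the page's.

```python
import json
import urllib.request

VAULT_URL = "https://vault.example.internal:8200"  # placeholder for Vault.url
VAULT_TOKEN = "hvs.PLACEHOLDER"                     # placeholder for Vault.token

# Required fields per function, as listed in the table above (endpoint mapping is assumed).
REQUIRED = {
    "read": ("pathToKey",), "write": ("pathToKey", "values"), "delete": ("pathToKey",),
    "readVersioned": ("mountPath", "pathToKey"),
    "writeVersioned": ("mountPath", "pathToKey", "values"),
    "deleteVersioned": ("mountPath", "pathToKey"),
    "undeleteVersioned": ("mountPath", "pathToKey", "version"),
    "destroyVersioned": ("mountPath", "pathToKey", "version"),
}

def build_request(function, **fields):
    """Return (method, url, json_body) for one call. v1 functions address
    /v1/<pathToKey> (pathToKey includes the mount); v2 functions take mountPath
    separately and use the data/, undelete/ and destroy/ sub-paths. delete and
    deleteVersioned are soft deletes; only destroyVersioned is irreversible."""
    if function not in REQUIRED:
        raise ValueError(f"unknown Vault function: {function}")
    missing = [f for f in REQUIRED[function] if fields.get(f) is None]
    if missing:
        raise ValueError(f"{function} requires {', '.join(missing)}")
    base = f"{VAULT_URL.rstrip('/')}/v1"
    key = fields["pathToKey"].strip("/")
    mount = (fields.get("mountPath") or "").strip("/")
    v1 = f"{base}/{key}"
    v2 = lambda op: f"{base}/{mount}/{op}/{key}"
    versions = {"versions": [int(fields["version"])]} if fields.get("version") is not None else None
    return {
        "read": ("GET", v1, None),
        "write": ("POST", v1, fields.get("values")),
        "delete": ("DELETE", v1, None),
        "readVersioned": ("GET", v2("data"), None),
        "writeVersioned": ("POST", v2("data"), {"data": fields.get("values")}),
        "deleteVersioned": ("DELETE", v2("data"), None),
        "undeleteVersioned": ("POST", v2("undelete"), versions),
        "destroyVersioned": ("POST", v2("destroy"), versions),
    }[function]

def to_urllib(method, url, body):
    """Wrap for urllib; the token goes in X-Vault-Token, never in the URL (which gets logged)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Vault-Token", VAULT_TOKEN)
    return req
```

Note that deleteVersioned leaves the version recoverable through undeleteVersioned, whereas destroyVersioned wipes the secret material for the named version for good, so the two should not be granted by the same Vault policy by default.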

Password Encryption

Martini Runtime uses AES-GCM as the default encryption.provider; all stored passwords are expected to hold AES-GCM ciphertext produced with the default encryption key (password.encryption-key). When Vault Transit is used as the encryption provider instead, it is configured with the following properties:

| Property | Description |
| --- | --- |
| vault.transit.mount_path | Path where Vault Transit is enabled |
| vault.transit.encryption_key | Name of the encryption key |

Changes that affect stored passwords, such as modifying encryption.provider or changing the encryption key in Vault, require migration steps, including re-encrypting the passwords under the new provider or key.