Martini Secrets Management Package Configuration

Vault Functions Overview

Martini integrates with Vault to provide a secure means of handling secrets and sensitive data. Vault's encryption services are governed by robust authentication and authorization methods, and can be accessed through its UI, CLI, or HTTP API.

Configuring Vault in Martini

Integrating Vault with Martini requires careful configuration to ensure secure and efficient management of secrets. Here's a step-by-step guide to configuring Vault within the Martini environment:

Setting Up the Vault Configuration Properties

The primary step in integrating Vault with Martini is to define certain key properties in the Martini properties file. These properties facilitate the connection and interaction between Martini and the Vault server.

  1. Vault.url:

    • Description: This property specifies the URL of your Vault server.
    • Requirement: Mandatory for enabling Vault features in Martini.
    • Example: Vault.url=https://vault.example.com
  2. Vault.token:

    • Description: The token used for authenticating with the Vault.
    • Requirement: Essential for login authentication.
    • Example: Vault.token=s3cr3t-token-value
  3. Vault.authentication:

    • Description: Defines the method of authentication to be used.
    • Default: TOKEN
    • Options: TOKEN, AWS_IAM, AWS_EC2, KUBERNETES. Choose based on your infrastructure setup.
    • Example: Vault.authentication=AWS_IAM
  4. AWS and Kubernetes Specific Configurations:

    • For AWS IAM:
      • Vault.aws-iam.access-key: Your AWS IAM access key.
      • Vault.aws-iam.secret-access-key: Your AWS IAM secret access key.
      • Vault.aws-iam.server-name: The Vault server's name for the AWS IAM Server ID.
      • Vault.aws-iam.role: The Vault role name for AWS IAM login.
    • For AWS EC2:
      • Vault.aws-ec2.aws-ec2-path: Mount path for AWS authentication, defaulting to "aws".
      • Vault.aws-ec2.role: The role name in Vault for AWS EC2 login.
      • Vault.aws-ec2.identity-document: URL of the EC2 instance's identity document.
      • Vault.aws-ec2.nonce: Nonce value for the first AWS auth login.
    • For Kubernetes:
      • Vault.kubernetes.role: The role name in Vault for Kubernetes login.
      • Vault.kubernetes.jwt-token: Decoded JWT token from a Kubernetes service account secret.
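Before restarting Martini it is worth checking the properties file against the rules above. The following Python script is an added example, not part of Martini or Vault: it parses a Java-style properties file and reports a missing Vault.url, a non-https URL, an unknown Vault.authentication value, missing keys for the selected method, and a Vault.token left in the file while another method is selected. Which keys it treats as required for each method is this example's assumption (Martini's own defaults may differ), and the sample property values are constructed placeholders.

```python
"""Sanity-check the Vault entries of a Martini properties file.

Added example, not Martini's own code. Property names are the ones
documented for Martini; treating every listed key as required for its
method is an assumption made here (Vault.aws-ec2.aws-ec2-path has a
documented default, so it is left optional).
"""
from __future__ import annotations

from urllib.parse import urlparse

REQUIRED_BY_METHOD = {
    "TOKEN": ["Vault.token"],
    "AWS_IAM": [
        "Vault.aws-iam.access-key",
        "Vault.aws-iam.secret-access-key",
        "Vault.aws-iam.server-name",
        "Vault.aws-iam.role",
    ],
    "AWS_EC2": [
        "Vault.aws-ec2.role",
        "Vault.aws-ec2.identity-document",
        "Vault.aws-ec2.nonce",
    ],
    "KUBERNETES": ["Vault.kubernetes.role", "Vault.kubernetes.jwt-token"],
}


def parse_properties(text: str) -> dict[str, str]:
    """Minimal .properties parser: key=value or key:value, '#'/'!' comments."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The separator is whichever of '=' or ':' appears first, so a
        # URL value containing ':' is not split at the wrong place.
        seps = [i for i in (line.find("="), line.find(":")) if i != -1]
        if not seps:
            props[line] = ""
            continue
        idx = min(seps)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def check_vault_config(props: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the config passes."""
    findings: list[str] = []
    url = props.get("Vault.url", "")
    if not url:
        findings.append("Vault.url is mandatory but missing")
    else:
        scheme = urlparse(url).scheme
        if scheme != "https":
            findings.append(
                f"Vault.url uses {scheme or 'no'} scheme; tokens and secrets "
                "should only travel to Vault over https"
            )
    # Documented default for Vault.authentication is TOKEN.
    method = props.get("Vault.authentication", "TOKEN").upper()
    if method not in REQUIRED_BY_METHOD:
        findings.append(
            f"Vault.authentication={method!r} is not one of "
            f"{sorted(REQUIRED_BY_METHOD)}"
        )
        return findings
    for key in REQUIRED_BY_METHOD[method]:
        if not props.get(key):
            findings.append(f"{key} is required for {method} but missing or empty")
    # A static token left behind while another method is selected is a
    # long-lived credential nobody uses: flag it so it can be removed.
    if method != "TOKEN" and props.get("Vault.token"):
        findings.append(f"Vault.token is set but unused with Vault.authentication={method}")
    return findings


# Constructed samples with placeholder values, not real credentials.
SAMPLE_OK = """
# AWS IAM login, all documented keys present
Vault.url=https://vault.example.com
Vault.authentication=AWS_IAM
Vault.aws-iam.access-key=ACCESS-KEY-PLACEHOLDER
Vault.aws-iam.secret-access-key=SECRET-KEY-PLACEHOLDER
Vault.aws-iam.server-name=vault.example.com
Vault.aws-iam.role=martini
"""

SAMPLE_BAD = """
Vault.url=http://vault.example.com
Vault.authentication=KUBERNETES
Vault.kubernetes.role=martini
Vault.token=s3cr3t-token-value
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_vault_config(parse_properties(text)) or "passes")
```

The script only inspects the file; it does not contact Vault, so it can run in CI before the properties file is deployed. Run it against the real file by reading that file into `parse_properties` in place of the constructed samples.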

Applying the Configuration

After setting up the configuration properties in the properties file, the next step is to ensure that Martini can successfully connect to and interact with the Vault server. This involves:

  • Restarting Martini to apply the new configurations.
  • Verifying the connection to the Vault server to ensure that the configurations are correctly set up and functioning as expected.

Testing the Configuration

It is recommended to perform a test by executing a simple Vault operation (like reading a secret) to confirm that Martini can communicate with Vault correctly. This test will validate that your configurations are correct and operational.


Vault Functions and Parameters

Martini's Vault integration offers several functions for managing secrets:

  • Basic Vault Operations: Functions like read, write, delete, and their versioned counterparts, with parameters such as pathToKey, mountPath, and values.
  • Advanced Vault Operations: Functions for encrypting and decrypting strings and byte arrays, rewrapping ciphertext, and signing and verifying data. These include encryptString, decrypt, rewrap, signString, verifyString, and their respective variants for byte arrays.
  • Parameters Table: A comprehensive table detailing each function's name, required fields, and description.

Password Encryption

Martini Runtime typically uses AES-GCM for encryption. Any changes in encryption methods or keys, especially when switching to Vault, require careful migration steps, including re-encrypting plaintext passwords. Relevant properties for Vault's Transit encryption are:

  • vault.transit.mount_path: Path where Vault Transit is enabled.
  • vault.transit.encryption_key: Name of the encryption key.

Sample Usage

(Include examples and code snippets on how to use these Vault functions in Martini. As screenshots are avoided, textual explanations and code examples will be beneficial.)

Section Placeholder

This section is to be updated before publishing.

Connecting Martini to Vault using AWS IAM

To integrate Martini with Vault using AWS IAM:

  1. Complete the necessary setup in AWS and Vault as outlined in the vault-aws-setup guide.
  2. Test the setup using Vault’s CLI or API to confirm its functionality before integrating it with Martini.