Configuring Vault for Martini
Vault Functions Overview
Martini integrates with Vault to provide a secure means of handling secrets and sensitive data. Vault's encryption services are governed by robust authentication and authorization methods, and can be accessed through its UI, CLI, or HTTP API.
If Vault isn't set up on your server yet, you can follow this step-by-step guide on how to deploy HashiCorp Vault.
Configuring Vault in Martini
Integrating Vault with Martini requires careful configuration to ensure secure and efficient management of secrets. Here's a step-by-step guide to configuring Vault within the Martini environment:
Setting Up the Vault Configuration Properties
The primary step in integrating Vault with Martini is to define certain key properties in the Martini properties file. These properties facilitate the connection and interaction between Martini and the Vault server.
- Vault.url
  - Description: This property specifies the URL of your Vault server.
  - Requirement: Mandatory for enabling Vault features in Martini.
  - Example: Vault.url=https://vault.example.com
- Vault.token
  - Description: The token used for authenticating with the Vault.
  - Requirement: Essential for login authentication.
  - Example: Vault.token=s3cr3t-token-value
- Vault.authentication
  - Description: Defines the method of authentication to be used.
  - Default: TOKEN
  - Options: TOKEN, AWS_IAM, AWS_EC2, KUBERNETES. Choose based on your infrastructure setup.
  - Example: Vault.authentication=AWS_IAM
- AWS and Kubernetes Specific Configurations:
  - For AWS IAM:
    - Vault.aws-iam.access-key: Your AWS IAM access key.
    - Vault.aws-iam.secret-access-key: Your AWS IAM secret access key.
    - Vault.aws-iam.server-name: The Vault server's name for the AWS IAM Server ID.
    - Vault.aws-iam.role: The Vault role name for AWS IAM login.
  - For AWS EC2:
    - Vault.aws-ec2.aws-ec2-path: Mount path for AWS authentication, defaulting to "aws".
    - Vault.aws-ec2.role: The role name in Vault for AWS EC2 login.
    - Vault.aws-ec2.identity-document: URL of the EC2 instance's identity document.
    - Vault.aws-ec2.nonce: Nonce value for the first AWS auth login.
  - For Kubernetes:
    - Vault.kubernetes.role: The role name in Vault for Kubernetes login.
    - Vault.kubernetes.jwt-token: Decoded JWT token from a Kubernetes service account secret.
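As an added example (not Martini's own code), the following Python checks a Martini properties file for the Vault properties described above: it reports any key that is missing for the selected Vault.authentication method and flags a Vault.url that does not use HTTPS. The properties-file syntax and the required-key sets are assumptions derived from the descriptions on this page.

```python
# Added example, not Martini code: checks the Vault.* entries of a Martini
# properties file (Java-style key=value lines, '#'/'!' comments). Required-key
# sets are inferred from the descriptions above; aws-ec2-path is optional
# because it defaults to "aws".
REQUIRED = {
    "TOKEN": ["Vault.token"],
    "AWS_IAM": ["Vault.aws-iam.access-key", "Vault.aws-iam.secret-access-key",
                "Vault.aws-iam.server-name", "Vault.aws-iam.role"],
    "AWS_EC2": ["Vault.aws-ec2.role", "Vault.aws-ec2.identity-document",
                "Vault.aws-ec2.nonce"],
    "KUBERNETES": ["Vault.kubernetes.role", "Vault.kubernetes.jwt-token"],
}

def load_properties(text):
    # Parse key=value lines into a dict, skipping blanks and comments.
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_vault_properties(text):
    """Return a list of problems; empty means the Vault config looks complete."""
    props = load_properties(text)
    problems = []
    url = props.get("Vault.url")
    if not url:
        problems.append("Vault.url is mandatory")
    elif not url.startswith("https://"):
        problems.append("Vault.url is not https; tokens and secrets would travel in clear")
    method = props.get("Vault.authentication", "TOKEN")  # documented default
    if method not in REQUIRED:
        problems.append(f"unknown Vault.authentication value {method!r}")
        return problems
    for key in REQUIRED[method]:
        if not props.get(key):
            problems.append(f"{key} is required for {method} authentication")
    return problems

# Constructed sample: AWS_IAM selected, but the secret access key is missing.
SAMPLE = """\
Vault.url=https://vault.example.com
Vault.authentication=AWS_IAM
Vault.aws-iam.access-key=AKIA-EXAMPLE-ONLY
Vault.aws-iam.server-name=vault.example.com
Vault.aws-iam.role=martini
"""
```

Running `check_vault_properties(SAMPLE)` returns a single entry naming Vault.aws-iam.secret-access-key as missing; run it against your own file before restarting Martini.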
Applying the Configuration
After setting up the configuration properties in the properties file, the next step is to ensure that Martini can successfully connect to and interact with the Vault server. This involves:
- Restarting Martini to apply the new configurations.
- Verifying the connection to the Vault server to ensure that the configurations are correctly set up and functioning as expected.
Testing the Configuration
It is recommended to perform a test by executing a simple Vault operation (like reading a secret) to confirm that Martini can communicate with Vault correctly. This test will validate that your configurations are correct and operational. You can use these commands to read a secret:
- Read a kv v1 secret:
  read <mount>/secret
- Read a kv v2 secret:
  kv-get <mount>/secret