HashiCorp Vault

Permissions:

  • Vault URL

  • Vault Engine Name

  • Vault Token (for a non-expiring static token)

    • Token

  • Vault AppRole (for time-bound dynamic tokens issued at login)

    • Vault Namespace

    • Vault Role ID

    • Vault Secret ID

To get the Vault Role ID and Secret ID on HCP Vault Dedicated (HashiCorp Cloud Platform), run the following with a token that can manage auth methods and policies:

# VAULT_ADDR is the cluster URL; on HCP Vault Dedicated the namespace is normally "admin"
export VAULT_ADDR="<VAULT-ADDR>"; export VAULT_NAMESPACE="<VAULT-NAMESPACE>"

export VAULT_TOKEN="<VAULT_TOKEN>"

vault auth enable approle

# Create a my-policy.hcl file for the ozone-secret-store Vault engine.
# The engine is KV version 2, so secret data lives under data/ and
# listing is done against metadata/; "list" on data/* alone does not
# let a token enumerate keys.
# my-policy.hcl
path "ozone-secret-store/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "ozone-secret-store/metadata/*" {
  capabilities = ["list", "read", "delete"]
}

vault policy write my-policy my-policy.hcl

# Create the role with the policy attached so the first login already carries it.
# secret_id_ttl=0 means Secret IDs never expire on their own, so handle each one
# as a long-lived credential; login tokens last 20 minutes and can be renewed
# up to a 30-minute lifetime.
vault write auth/approle/role/ozone-access \
    token_policies="my-policy" \
    secret_id_ttl=0 \
    token_ttl=20m \
    token_max_ttl=30m

# Read the Role ID
vault read auth/approle/role/ozone-access/role-id

# Generate a Secret ID (each call issues a new one)
vault write -f auth/approle/role/ozone-access/secret-id

# Verify the pair: the returned token should list my-policy under token_policies
vault write auth/approle/login role_id="<role-id>" secret_id="<secret-id>"
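The steps above as one script, added here as an example; it is not part of the original page and not Vault's own tooling. It assumes the vault CLI is on PATH, that VAULT_ADDR, VAULT_NAMESPACE and VAULT_TOKEN are exported with an admin-capable token, and that the ozone-secret-store KV version 2 engine is already enabled; the function names check_env, policy_hcl and setup and the ROLE_NAME/POLICY_NAME/ENGINE variables are the example's own. Beyond the bare command list it refuses to run while a connection variable still holds a "<...>" placeholder, creates the role with its policy attached in a single write, and verifies the issued Secret ID by logging in, confirming the token carries the policy, and round-tripping a throwaway secret.

```shell
#!/bin/sh
# Added example: AppRole setup for the ozone-secret-store KV v2 engine with checks.
# Assumes the vault CLI on PATH, VAULT_ADDR/VAULT_NAMESPACE/VAULT_TOKEN exported
# with an admin-capable token, and the KV v2 engine already enabled at $ENGINE.
# Function names (check_env, policy_hcl, setup) are this example's own.
set -eu

ROLE_NAME="${ROLE_NAME:-ozone-access}"
POLICY_NAME="${POLICY_NAME:-my-policy}"
ENGINE="${ENGINE:-ozone-secret-store}"

# Refuse to run while a connection variable is unset or still a "<...>" placeholder,
# and insist that VAULT_ADDR is a URL (a token pasted into it by mistake is not).
check_env() {
  for name in VAULT_ADDR VAULT_NAMESPACE VAULT_TOKEN; do
    eval "value=\${$name:-}"
    case "$value" in
      ""|"<"*">")
        echo "check_env: $name is unset or still a placeholder" >&2
        return 1 ;;
    esac
  done
  case "${VAULT_ADDR:-}" in
    http://*|https://*) return 0 ;;
    *) echo "check_env: VAULT_ADDR must be an http(s) URL" >&2; return 1 ;;
  esac
}

# Policy for a KV v2 engine: secret data is under data/, listing and
# version metadata under metadata/.
policy_hcl() {
  cat <<EOF
path "${ENGINE}/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "${ENGINE}/metadata/*" {
  capabilities = ["list", "read", "delete"]
}
EOF
}

setup() {
  check_env
  # Enabling an auth method that is already mounted is an error, so check first.
  if ! vault auth list -format=json | grep -q '"approle/"'; then
    vault auth enable approle
  fi
  policy_hcl | vault policy write "$POLICY_NAME" -
  # Attach the policy at creation time so the very first login token carries it.
  # secret_id_ttl=0 means Secret IDs never expire on their own.
  vault write "auth/approle/role/${ROLE_NAME}" \
    token_policies="$POLICY_NAME" \
    secret_id_ttl=0 \
    token_ttl=20m \
    token_max_ttl=30m
  role_id="$(vault read -field=role_id "auth/approle/role/${ROLE_NAME}/role-id")"
  secret_id="$(vault write -f -field=secret_id "auth/approle/role/${ROLE_NAME}/secret-id")"
  # Verify in a subshell so the admin VAULT_TOKEN in this shell is left untouched:
  # log in, confirm the token carries the policy, and round-trip a throwaway secret.
  (
    client_token="$(vault write -field=token auth/approle/login \
      role_id="$role_id" secret_id="$secret_id")"
    export VAULT_TOKEN="$client_token"
    vault token lookup -format=json | grep -q "\"${POLICY_NAME}\"" \
      || { echo "setup: login token does not carry ${POLICY_NAME}" >&2; exit 1; }
    vault kv put "${ENGINE}/approle-smoke-test" ok=true >/dev/null
    vault kv metadata delete "${ENGINE}/approle-smoke-test" >/dev/null
  )
  echo "role_id=${role_id}"
  echo "secret_id=${secret_id}"
}

# Run the setup only when invoked as "sh setup-approle.sh run"; otherwise only define functions.
if [ "${1:-}" = "run" ]; then
  setup
fi
```

Run it as `sh setup-approle.sh run` after exporting the three variables; the printed role_id and secret_id are what the AppRole fields above expect. The Secret ID is printed once and never stored by the script, so capture it into the consuming system immediately and generate a fresh one if it is lost.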
