
rConfig - Hashicorp Key Vault

2 mins V7 Pro

Overview


The Hashicorp Key Vault feature allows you to securely store and retrieve secrets from Hashicorp Vault. The setup and use of the Hashicorp Key Vault integration is detailed below. It's a pretty easy setup, but a good level of knowledge of the Hashicorp Key Vault in your environment is required.

Configuration

To get started, first edit the .env file directly on your server and make the changes below. It's always a good idea to back up your .env file.

/var/www/html/rconfig7/current/.env

cd /var/www/html/rconfig7/current && vim .env

# Add or edit the lines below
# VAULT_SERVICE_NAME must match exactly
VAULT_SERVICE_NAME="hashicorp"
# VAULT_HASHICORP_ADDR Must match your vault address with either http:// or https://
VAULT_HASHICORP_ADDR="http://db1.rconfig.com:8200"
# VAULT_HASHICORP_TOKEN Must match your vault token
VAULT_HASHICORP_TOKEN="hvs.eAbXP8FhXf7cHLRrIabzIkwP"

rConfig Server CLI

cd /var/www/html/rconfig7/current && php artisan rconfig:clear-all

Once the above is completed, a key vault integration will be created.
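
The three .env settings above can be checked before the integration is tested. The script below is an added example, not part of rConfig: it verifies the service name, the address prefix and the token, and flags an .env file that other users can access. The function names, the file-mode policy and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight audit of the Vault settings in an rConfig .env file.

# Print the last value assigned to key $1 in file $2, outer double quotes stripped.
env_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | sed 's/^"//; s/"$//'
}

# Returns 0 if the settings are usable, 1 on a finding, 2 if the file is unreadable.
audit_vault_env() {
    file=$1; rc=0
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 2; }
    name=$(env_value VAULT_SERVICE_NAME "$file")
    addr=$(env_value VAULT_HASHICORP_ADDR "$file")
    token=$(env_value VAULT_HASHICORP_TOKEN "$file")

    [ "$name" = "hashicorp" ] ||
        { echo "FAIL: VAULT_SERVICE_NAME must be exactly hashicorp"; rc=1; }
    case $addr in
        https://?*) ;;
        http://?*) echo "WARN: http:// address, the Vault token is sent unencrypted" ;;
        *) echo "FAIL: VAULT_HASHICORP_ADDR needs an http:// or https:// prefix"; rc=1 ;;
    esac
    [ -n "$token" ] || { echo "FAIL: VAULT_HASHICORP_TOKEN is empty"; rc=1; }

    # The file holds a live token: "other" users should have no access at all.
    # (Assumed policy for this example; the page does not specify file modes.)
    other=$(ls -ld "$file" | cut -c8-10)
    [ "$other" = "---" ] || { echo "FAIL: $file is accessible to other users ($other)"; rc=1; }
    return $rc
}

# Demo on a constructed sample file (placeholder values, not a real token).
demo_dir=$(mktemp -d)
cat > "$demo_dir/.env" <<'EOF'
VAULT_SERVICE_NAME="hashicorp"
VAULT_HASHICORP_ADDR="http://vault.example.internal:8200"
VAULT_HASHICORP_TOKEN="hvs.CONSTRUCTED-PLACEHOLDER"
EOF
chmod 640 "$demo_dir/.env"
audit_vault_env "$demo_dir/.env" && echo "OK: settings pass the audit"
rm -rf "$demo_dir"
```

On a real server, call `audit_vault_env /var/www/html/rconfig7/current/.env` as a user that can read the file.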

Key Vault Integration Test

We have provided a way for you to test the key vault integration. Head to the Settings > Integrations menu and click Configure for the Hashicorp key vault integration.

The integration page will load, and should display the following:

Hashicorp Key Vault Integration

Click the Test Connection button to test the connection.

The output should match the above. Any errors should be reported to your identity administrator first, then to the rConfig support team.

Device Credentials Setup

The next step in the process is to set up a device credential set with the specified Hashicorp endpoint we are going to use. Go to the Settings Menu, Settings, and Device Credentials. You should see a new Add Vault Credential Set button, as in the image below.

Add Vault Credential Set

Click the button and this will open the credential set form.

Complete the form and save it. Please note, the Vault Endpoint URL is required and is expected to contain the keys and values of the credentials. The mapping fields are required, but are filled in by default. If your endpoint values are different, please update the fields accordingly. When you save the form, you will see a new credential set with a Vault icon next to it. See below.

Vault Credential Set

Configure the device

The final step is to add or edit a device in rConfig with the new Credential Set. Simply go to the device's edit page and select the newly created credential set. As of V7.0.7, when you select a credential set, the username and password fields will disappear. Devices with configured credential sets no longer require a username and password. Please test connectivity using the debug command to ensure the credentials are correct.
