Hashicorp Vault Key Backend
Lucas Teske edited this page Apr 4, 2019 · 1 revision
Remote Signer supports storing private keys (and their passwords) inside a Hashicorp Vault key-value backend. To enable it, set the following environment variables:

- `VAULT_STORAGE` => Set to `true` to use Vault instead of disk storage
- `VAULT_ADDRESS` => Vault URL (example: `https://vault:8200/`)
- `VAULT_SKIP_VERIFY` => Skip verification of Vault's SSL certificate on connection (`true` or `false`)
- `VAULT_BACKEND` => Vault backend to use (for example `secret`)
- `VAULT_NAMESPACE` => Vault namespace to use (appended to `VAULT_BACKEND`; for example, if the namespace is `remote-signer` and the backend is `secret`, the keys are stored under `secret/remote-signer`)
There are two modes of operation: using a root token or using userpass. For root token mode:

- `VAULT_USE_USERPASS` => Set to `false`
- `VAULT_ROOT_TOKEN` => Hashicorp Vault root token
For userpass, `VAULT_USE_USERPASS` is set to `true` and two additional variables should be set:

- `VAULT_USE_USERPASS` => Set to `true`
- `VAULT_USERNAME` => The username that remote-signer should use to log in to Vault
- `VAULT_PASSWORD` => The password that remote-signer should use to log in to Vault
If everything goes right, you should see something like this in the logs:

```
INFO| Vault | Initialized Vault Backend at https://vault:8200/ with prefix __master__
WARN| Vault | WARNING: Vault Skip Verify is enable. We will not check for SSL Certs in Vault!
INFO| Vault | Userpass mode enabled. Logging with dev-remote-signer
INFO| Vault | Logged in successfully.
(...)
INFO| Vault | Initialized Vault Backend at https://vault:8200/ with prefix softkey_
WARN| Vault | WARNING: Vault Skip Verify is enable. We will not check for SSL Certs in Vault!
INFO| Vault | Userpass mode enabled. Logging with dev-remote-signer
INFO| Vault | Logged in successfully.
```