Fetching Secrets from Hashicorp Vault
Aerospike Database Enterprise Edition (EE) can fetch secrets from Hashicorp Vault, instead of storing them in the filesystem or an environment variable.
Configuration parameters that can be secrets
The server can fetch the following configuration parameters from Vault.
auth-password-filecert-fileencryption-key-fileencryption-old-key-filefeature-key-filekey-filekey-file-passwordquery-user-password-file
The ca-file parameter cannot be stored in Vault.
Configuring access to Vault
The details of the Vault service must be provided in the service stanza of the
Aerospike configuration file.
service {
...
vault-ca /path/to/vaultcert.pem
vault-url https://10.0.0.99:8200
vault-path v1/aerospike-secrets
vault-token-file /path/to/vault-token
# vault-namespace asd # (optional) the Vault Enterprise namespace to use
...
}
| Configuration parameter | Required | Description |
|---|---|---|
vault-ca | Y | Path to the TLS certificate used for authenticating against the Vault service. |
vault-token-file | Y | Path to a file containing the Vault token, which authenticates the Aerospike server with the Vault service. |
vault-url | Y | Address and port of the Vault service. |
vault-path | Y | Vault path to the stored Aerospike secrets. A prefix indicating KV Secrets Engine Version 1 or Version 2 may be necessary, depending on the Vault service configuration. |
vault-namespace | N | Vault Enterprise namespace. Added in server 6.3. |
Updating the Vault token
Starting with server 6.3, you can update the Vault token dynamically during runtime.
- Write the new Vault token in the Vault token file.
- Dynamically change the
vault-token-fileconfiguration parameter to the token file path, which can remain the same path.
asadm
Admin> enable
Admin+> manage config service param vault-token-file to /path/to/vault-token
Aerospike reloads the new Vault token and uses it.
Setting up Aerospike secrets in Vault
Your Aerospike EE secrets must be stored in the Vault service as uniquely named KV engine secrets.
The secret must be a single key-value pair with a key named key and a base64-encoded value.
Embedding non-trailing whitespace in base64-encoded secrets is not supported. Add -w 0 to coreutils base64 to prevent the default line break every 76 characters.
vault kv put aerospike-secrets/feature-key key=$(base64 -w 0 ~/eval-features.conf)
Aerospike does not support secrets with multiple key-value pairs at this point of time.
Fetching secrets
Aerospike EE fetches a secret from Vault when the configuration
parameter's value starts with a vault: prefix, followed by the name of the secret in the Vault service.
Configuration parameter examples
In the following example, the feature-key-file secret is fetched from the Vault service.
service {
...
feature-key-file vault:feature-key
...
}
How the Vault URI is constructed
Using the example values above, the feature-key-file secret is constructed in the following way:
vault-url | vault-path | Secret name |
|---|---|---|
https://10.0.0.99:8200 | v1/aerospike-secrets | feature-key |
Assuming the KV secrets engine version 1 API is enabled at the path /aerospike-secrets
in Vault, the server constructs a URI equivalent to the following:
curl -H "X-Vault-Token: `cat /path/to/vault-token`" http://10.0.0.99:8200/v1/aerospike-secrets/feature-key
Dynamically changing secrets
You can dynamically configure the auth-password-file parameter with the set-config asinfo command.
Vault plugin
A community-supported Vault database secrets engine plugin for Aerospike is available at the GitHub repository aerospike-community/vault-plugin-database-aerospike.