Aerospike Database Enterprise Edition (EE) can fetch secrets from Hashicorp Vault, instead of storing them in the filesystem or an environment variable.
Configuration parameters that can be secrets
The server can fetch the following configuration parameters from Vault.
The ca-file parameter cannot be stored in Vault.
Configuring access to Vault
The details of the Vault service must be provided in the service stanza of the Aerospike configuration file.

```
# vault-namespace asd # (optional) the Vault Enterprise namespace to use
```
| Parameter | Required | Default | Description |
|---|---|---|---|
| vault-ca | Y | | Path to the TLS certificate used for authenticating against the Vault service. |
| vault-token-file | Y | | Path to a file containing the Vault token, which authenticates the Aerospike server with the Vault service. |
| vault-url | Y | | Address and port of the Vault service. |
| vault-path | Y | | Vault path to the stored Aerospike secrets. A prefix indicating KV Secrets Engine Version 1 or Version 2 may be necessary, depending on the Vault service configuration. |
| vault-namespace | N | | Vault Enterprise namespace. Added in server 6.3. |
Updating the Vault token
Starting with server 6.3, you can update the Vault token dynamically during runtime.
- Write the new Vault token to the Vault token file.
- Dynamically change the vault-token-file configuration parameter to the token file path, which can remain the same path:

```
Admin+> manage config service param vault-token-file to /path/to/vault-token
```
Aerospike reloads the new Vault token and uses it.
Setting up Aerospike secrets in Vault
Your Aerospike EE secrets must be stored in the Vault service as uniquely named KV engine secrets.
The secret must be a single key-value pair with a key named key and a base64-encoded value.
Embedding non-trailing whitespace in base64-encoded secrets is not supported. Add -w 0 to coreutils base64 to prevent the default line break every 76 characters.

```shell
vault kv put aerospike-secrets/feature-key key=$(base64 -w 0 ~/eval-features.conf)
```
Aerospike does not support secrets with multiple key-value pairs at this time.

Aerospike EE fetches a secret from Vault when the configuration parameter's value starts with a vault: prefix, followed by the name of the secret in the Vault service.
Configuration parameter examples
In the following example, the feature-key-file secret is fetched from the Vault service.
How the Vault URI is constructed
Using the example values above, the URI for the feature-key-file secret is constructed in the following way. Assuming the KV secrets engine version 1 API is enabled at the path aerospike-secrets in Vault, the server constructs a URI equivalent to the following:

```shell
curl -H "X-Vault-Token: `cat /path/to/vault-token`" http://10.0.0.99:8200/v1/aerospike-secrets/feature-key
```
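To make the resolution steps concrete, here is an added Python example (not Aerospike's own code) that mirrors how a vault:-prefixed parameter value is turned into a KV read URI, how the single key entry is base64-decoded, and how the whitespace and single-pair restrictions described above are enforced. The function names, the assumed response shapes (KV v1 pairs under data, KV v2 under data.data), the constructed sample responses, and the assumption that vault-path already carries any KV v2 prefix are mine.

```python
import base64
import json
import re
from urllib.request import Request, urlopen

VAULT_PREFIX = "vault:"


def vault_secret_url(vault_url: str, vault_path: str, value: str) -> str:
    """Map a 'vault:<name>' parameter value to the KV read URI (hypothetical helper).

    vault_path is used verbatim, so for a KV v2 mount it must already carry
    the version prefix the Vault service expects (assumption, per the note above).
    """
    if not value.startswith(VAULT_PREFIX):
        raise ValueError(f"not a Vault-backed value: {value!r}")
    name = value[len(VAULT_PREFIX):]
    return f"{vault_url.rstrip('/')}/v1/{vault_path.strip('/')}/{name}"


def decode_secret(response_json: dict) -> bytes:
    """Extract and base64-decode the single 'key' entry from a KV read response.

    Assumed response shapes: KV v1 puts the pairs under 'data', KV v2 under 'data.data'.
    """
    data = response_json["data"]
    if isinstance(data.get("data"), dict):  # KV v2 wraps the secret once more
        data = data["data"]
    if list(data) != ["key"]:  # multiple pairs are not supported by the server
        raise ValueError("secret must be exactly one key-value pair named 'key'")
    encoded = data["key"].rstrip()  # a trailing newline (e.g. from base64 output) is tolerated
    if re.search(r"\s", encoded):  # anything else, such as the 76-column wrap, is not
        raise ValueError("non-trailing whitespace in base64 value is not supported")
    return base64.b64decode(encoded, validate=True)


def fetch_secret(vault_url: str, vault_path: str, token_file: str, value: str) -> bytes:
    """Perform the authenticated read the server would do (network call, not run offline)."""
    with open(token_file, encoding="utf-8") as f:
        token = f.read().strip()
    req = Request(vault_secret_url(vault_url, vault_path, value),
                  headers={"X-Vault-Token": token})
    with urlopen(req) as resp:
        return decode_secret(json.load(resp))


# Constructed sample responses, standing in for what Vault would return.
KV1_RESPONSE = {"data": {"key": "aGVsbG8=\n"}}
KV2_RESPONSE = {"data": {"data": {"key": "aGVsbG8="}, "metadata": {"version": 1}}}
```

Running decode_secret over a value wrapped at 76 columns fails with the whitespace error, which is the failure mode the -w 0 advice above prevents.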
Dynamically changing secrets
A community-supported Vault database secrets engine plugin for Aerospike is available at the GitHub repository aerospike-community/vault-plugin-database-aerospike.