
Fetching Secrets from Hashicorp Vault

Aerospike Database Enterprise Edition (EE) can fetch secrets from Hashicorp Vault, instead of storing them in the filesystem or an environment variable.

Configuration parameters that can be secrets

The server can fetch the following configuration parameters from Vault.

Note: The ca-file parameter cannot be stored in Vault.

Configuring access to Vault

The details of the Vault service must be provided in the service stanza of the Aerospike configuration file.

service {
...
vault-ca /path/to/vaultcert.pem
vault-url https://10.0.0.99:8200
vault-path v1/aerospike-secrets
vault-token-file /path/to/vault-token
# vault-namespace asd # (optional) the Vault Enterprise namespace to use
...
}
Configuration parameter | Required | Description
vault-ca | Y | Path to the TLS certificate used for authenticating against the Vault service.
vault-token-file | Y | Path to a file containing the Vault token, which authenticates the Aerospike server with the Vault service.
vault-url | Y | Address and port of the Vault service.
vault-path | Y | Vault path to the stored Aerospike secrets. A prefix indicating KV Secrets Engine Version 1 or Version 2 may be necessary, depending on the Vault service configuration.
vault-namespace | N | Vault Enterprise namespace. Added in Database 6.3.

Updating the Vault token

Starting with Database 6.3, you can update the Vault token dynamically during runtime.

  1. Write the new Vault token in the Vault token file.
  2. Dynamically set the vault-token-file configuration parameter to the token file path; the path can stay the same as before.
asadm
Admin> enable
Admin+> manage config service param vault-token-file to /path/to/vault-token

Aerospike reloads the new Vault token and uses it.

Setting up Aerospike secrets in Vault

Your Aerospike EE secrets must be stored in the Vault service as uniquely named KV engine secrets.

The secret must be a single key-value pair with a key named key and a base64-encoded value.

Danger: Embedding non-trailing whitespace in base64-encoded secrets is not supported. Add -w 0 to coreutils base64 to prevent the default line break every 76 characters.

vault kv put aerospike-secrets/feature-key key=$(base64 -w 0 ~/eval-features.conf)

Aerospike does not currently support secrets with multiple key-value pairs.

Fetching secrets

Aerospike EE fetches a secret from Vault when the configuration parameter's value starts with a vault: prefix, followed by the name of the secret in the Vault service.

Configuration parameter examples

In the following example, the feature-key-file secret is fetched from the Vault service.

service {
...
feature-key-file vault:feature-key
...
}

How the Vault URI is constructed

Using the example values above, the feature-key-file secret is constructed in the following way:

vault-url | vault-path | Secret name
https://10.0.0.99:8200 | v1/aerospike-secrets | feature-key

Assuming the KV secrets engine version 1 API is enabled at the path /aerospike-secrets in Vault, the server constructs a URI equivalent to the following:

curl -H "X-Vault-Token: $(cat /path/to/vault-token)" https://10.0.0.99:8200/v1/aerospike-secrets/feature-key
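The following added example (not Aerospike's own code) shows the same URI construction and the checks a secret must pass before it is usable: one pair with the key named key, a base64 value with no embedded whitespace. The KV response body is a constructed sample of the JSON Vault's HTTP API returns for a KV v1 read; the function names and the KV v2 handling (the pair nested one level deeper under data.data) are assumptions based on the Vault API, not taken from the page.

```python
import base64
import json

# Constructed sample: the JSON body Vault returns for a KV v1 read of the
# secret written with `vault kv put aerospike-secrets/feature-key key=...`.
SAMPLE_KV_V1_RESPONSE = json.dumps({
    "request_id": "constructed-example",
    "data": {"key": base64.b64encode(b"feature-key-version 2\n").decode()},
})


def vault_secret_uri(vault_url, vault_path, config_value):
    """Build the request URI for a config value of the form 'vault:<name>'."""
    prefix = "vault:"
    if not config_value.startswith(prefix):
        raise ValueError("not a Vault reference: %r" % config_value)
    name = config_value[len(prefix):]
    if not name:
        raise ValueError("empty secret name after 'vault:' prefix")
    # vault-url + vault-path + secret name, with exactly one '/' between parts
    return "%s/%s/%s" % (vault_url.rstrip("/"), vault_path.strip("/"), name)


def extract_secret(response_body):
    """Validate a KV read response and return the decoded secret bytes."""
    data = json.loads(response_body).get("data")
    if not isinstance(data, dict):
        raise ValueError("response carries no data object")
    # KV v2 nests the pairs under data.data (assumption: Vault KV v2 format)
    if set(data) == {"data", "metadata"} and isinstance(data["data"], dict):
        data = data["data"]
    if list(data) != ["key"]:
        raise ValueError("expected a single pair named 'key', got %r" % list(data))
    value = str(data["key"])
    # Trailing whitespace is tolerated; a line break inside the value (what
    # `base64` emits every 76 characters without -w 0) is not.
    if any(ch.isspace() for ch in value.rstrip()):
        raise ValueError("non-trailing whitespace in base64 value is not supported")
    return base64.b64decode(value.rstrip(), validate=True)


def is_rejected(response_body):
    """True when extract_secret() refuses the response (used by checks below)."""
    try:
        extract_secret(response_body)
    except ValueError:
        return True
    return False
```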

Dynamically changing secrets

You can dynamically configure the auth-password-file parameter with the set-config asinfo command.

Vault plugin

A community-supported Vault database secrets engine plugin for Aerospike is available at the GitHub repository aerospike-community/vault-plugin-database-aerospike.