StackStorm pack integration with HashiCorp Vault
Author: steve.neuharth [email protected]
The following options must be configured for the pack to work correctly.
Option | Type | Required | Secret | Description |
---|---|---|---|---|
default_profile | string | True | default | The default profile to use in an action when none is given. |
profiles | array | True | default | Profile definitions. Each profile has the fields below. |
- name | string | True | default | Name of the profile. |
- url | string | True | False | URL of the Vault server. |
- verify | boolean | False | default | Verify the TLS certificate for HTTPS requests. Defaults to false (this option is ignored if ca_cert_path is supplied). |
- ca_cert_path | string | False | default | Path to the CA certificate. Defaults to an empty string. When a path is provided, TLS certificates are verified. |
- client_cert_path | string | False | default | Client-side certificate for HTTPS requests. |
- client_key_path | string | False | default | Client private key for HTTPS requests. |
- auth_method | string | False | default | Authentication method (see the list of methods below). |
- token | string | False | True | Authentication token (auth_method=token). |
- role_id | string | False | True | AppRole role-id (auth_method=approle). |
- secret_id | string | False | True | AppRole secret-id (auth_method=approle). |
The pack provides the following actions:
Create a new token
Parameter | Type | Required | Secret | Description |
---|---|---|---|---|
profile_name | string | False | default | The profile to use to run this action. |
token_id | string | False | default | The ID of the client token. By default, this is an auto-generated value. |
role_name | string | False | default | The name of the token role. |
policies | array | False | default | List of policy names to associate with this token. |
meta | string | False | default | Metadata to associate with the token. This metadata will show in the audit log when the token is used. |
no_parent | boolean | False | default | This argument only has effect if used by a root or sudo caller. |
no_default_policy | boolean | False | default | Detach the 'default' policy from the policy set for this token. |
renewable | boolean | False | default | True: permit the token to be renewed up to the system/mount maximum TTL. False: the token can't be renewed past its initial TTL. |
ttl | string | False | default | Initial TTL to associate with the token, provided as '1h', where hour is the largest suffix (default unit: seconds). |
token_type | string | False | default | The token type. Can be 'batch' or 'service'. Defaults to the type specified by the role configuration named by role_name. |
explicit_max_ttl | string | False | default | If set, the token will never be able to be renewed or used past the value set at issue time. |
display_name | string | False | default | Name to associate with this token. This is a non-sensitive value that can be used to help identify created secrets (e.g. prefixes). |
num_uses | string | False | default | Number of times this token can be used. After the last use, the token is automatically revoked. |
period | string | False | default | If specified, the token will be periodic; it will have no maximum TTL (unless an 'explicit-max-ttl' is also set) but every renewal will use the given period. Requires a root token or one with the sudo capability. |
entity_alias | string | default | default | Name of the entity alias to associate with during token creation. |
wrap_ttl | string | False | default | Specifies response-wrapping token creation with a duration, e.g. '15s', '20m', '25h'. |
mount_point | string | False | default | The 'path' the method/backend was mounted on. |
Delete value from Vault server
Parameter | Type | Required | Secret | Description |
---|---|---|---|---|
profile_name | string | False | default | The profile to use to run this action. |
path | string | True | default | Path to delete from Vault. |
Delete policy from Vault server
Parameter | Type | Required | Secret | Description |
---|---|---|---|---|
profile_name | string | False | default | The profile to use to run this action. |
name | string | True | default | Policy to delete from Vault. |
Generate a secret and write it to Vault
Parameter | Type | Required | Secret | Description |
---|---|---|---|---|
profile_name | string | False | default | The profile to use to run this action. |
mount_point | string | False | default | Vault mount point in the URL. |
path | string | True | default | Path to the secrets. |
key_name | string | True | default | Name of the key to write the secret to. |
update_tactic | string | False | default | The logic to use when writing the secret to Vault. See the update tactic section below for details. |
string_set | string | default | default | Character set to draw the secret from (one of the string sets listed below). |
secret_length | integer | default | default | The number of characters to use in the secret. |
Read policy from Vault server
Parameter | Type | Required | Secret | Description |
---|---|---|---|---|
profile_name | string | False | default | The profile to use to run this action. |
name | string | True | default | Policy to read from Vault. |
Read initialization status from Vault server
Parameter | Type | Required | Secret | Description |
---|---|---|---|---|
profile_name | string | False | default | The profile to use to run this action. |
List policies from Vault server
Parameter | Type | Required | Secret | Description |
---|---|---|---|---|
profile_name | string | False | default | The profile to use to run this action. |
Read value from Vault server
Parameter | Type | Required | Secret | Description |
---|---|---|---|---|
profile_name | string | False | default | The profile to use to run this action. |
path | string | True | default | Key to read from Vault. |
Read a KV value from Vault server
Parameter | Type | Required | Secret | Description |
---|---|---|---|---|
profile_name | string | False | default | The profile to use to run this action. |
path | string | True | default | Key to read from Vault. |
kv_version | number | True | default | The version of the KV store in Vault. Use 1 for legacy KV stores, 2 for newer KV stores. |
mount_point | string | True | default | The mount point of the KV store. |
version | string | True | default | The version of the KV data. |
Revoke a token and all its child tokens
Parameter | Type | Required | Secret | Description |
---|---|---|---|---|
profile_name | string | False | default | The profile to use to run this action. |
token | string | True | default | Token to revoke. |
mount_point | string | False | default | The 'path' the method/backend was mounted on. |
Create a new Vault policy
Parameter | Type | Required | Secret | Description |
---|---|---|---|---|
profile_name | string | False | default | The profile to use to run this action. |
name | string | True | default | Name of the new Vault policy. |
rules | string | True | default | Policy rules. |
Write a key/value to Vault
Parameter | Type | Required | Secret | Description |
---|---|---|---|---|
profile_name | string | False | default | The profile to use to run this action. |
path | string | True | default | Path to the Vault secrets. |
values | string | True | default | Keys and values to write to Vault, e.g. {"key": "value", "key2": "value2"}. |
Write a secret to Vault
Parameter | Type | Required | Secret | Description |
---|---|---|---|---|
profile_name | string | False | default | The profile to use to run this action. |
mount_point | string | False | default | Vault mount point in the URL. |
path | string | True | default | Path to the secrets. |
key_name | string | True | default | Name of the key to write the secret to. |
secret | string | True | True | Secret contents to be written. |
decode_json | boolean | False | default | The secret is JSON-formatted and should be decoded before being sent to Vault. |
update_tactic | string | False | default | The logic to use when writing the secret to Vault. See the update tactic section below for details. |
The generate-secret action is written to pre-populate keys with a random secret.
The following string sets are available:
- ascii_letters: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
- ascii_lowercase: abcdefghijklmnopqrstuvwxyz
- ascii_uppercase: ABCDEFGHIJKLMNOPQRSTUVWXYZ
- digits: 0123456789
- punctuation: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
- printable: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ followed by the whitespace characters space, tab, newline, carriage return, vertical tab and form feed
- alphanumeric: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
The update tactic controls how the action will update existing secrets. It is intended to ensure idempotence on multiple runs of the secret generation action. The currently supported tactics are:
- overwrite: Overwrite an existing secret.
- refrain: Do not overwrite an existing secret.
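The string sets and update tactics described above, worked through as an added example (not the pack's own code): the sets mirror the list above via Python's string module, and the store dict is a hypothetical in-memory stand-in for a Vault KV path so the idempotence of the refrain tactic can be seen offline.

```python
import secrets
import string

# Character sets named as in the pack's string_set parameter; constructed here
# to mirror the sets listed above ("alphanumeric" is letters plus digits).
STRING_SETS = {
    "ascii_letters": string.ascii_letters,
    "ascii_lowercase": string.ascii_lowercase,
    "ascii_uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "punctuation": string.punctuation,
    "printable": string.printable,  # includes whitespace; rarely wanted in a secret
    "alphanumeric": string.ascii_letters + string.digits,
}

UPDATE_TACTICS = ("overwrite", "refrain")


def generate_secret(string_set="alphanumeric", secret_length=32):
    """Draw secret_length characters from the named set using the OS CSPRNG."""
    if string_set not in STRING_SETS:
        raise ValueError(f"unknown string set: {string_set}")
    if secret_length < 1:
        raise ValueError("secret_length must be positive")
    alphabet = STRING_SETS[string_set]
    return "".join(secrets.choice(alphabet) for _ in range(secret_length))


def write_generated_secret(store, path, key_name, update_tactic="refrain",
                           string_set="alphanumeric", secret_length=32):
    """Apply the update tactic against an in-memory stand-in for a KV path.

    `store` maps path -> dict of key/value pairs (hypothetical stand-in; the
    real action talks to the Vault API). Returns True if a new secret was
    written, False if an existing one was left untouched.
    """
    if update_tactic not in UPDATE_TACTICS:
        raise ValueError(f"unknown update tactic: {update_tactic}")
    entry = store.setdefault(path, {})
    if key_name in entry and update_tactic == "refrain":
        return False  # idempotent: keep the secret already in place
    entry[key_name] = generate_secret(string_set, secret_length)
    return True


if __name__ == "__main__":
    kv = {}  # constructed sample store
    print(write_generated_secret(kv, "secret/app", "db_password"))  # True
    print(write_generated_secret(kv, "secret/app", "db_password"))  # False
```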
There are no sensors available for this pack.
Authentication methods are defined per profile and are mutually exclusive. Only configure the method that should be used.
- approle
- token
- app-id
- ali-cloud
- aws-iam # aka aws
- aws-ec2
- azure
- cert # aka tls
- gcp
- github
- jwt
- kubernetes
- ldap
- mfa
- oidc
- okta
- radius
- userpass
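As an added example (not part of the pack), a check over a parsed pack config that applies the rules stated in the configuration table and the mutual-exclusivity note above: verify defaults to false and is ignored once ca_cert_path is set, and only the chosen auth method's credentials should be present. Only token and approle carry credentials in the pack config, so those are the methods checked; SAMPLE_CONFIG is constructed and its hostnames and credential values are placeholders.

```python
from urllib.parse import urlparse

# Credentials each auth method reads from the pack config (only token and
# approle carry credentials in the options above).
METHOD_CREDENTIALS = {"token": {"token"}, "approle": {"role_id", "secret_id"}}
ALL_CREDENTIAL_KEYS = {"token", "role_id", "secret_id"}


def check_profile(profile):
    """Return a list of findings (strings) for one profile entry."""
    findings = []
    name = profile.get("name", "<unnamed>")
    url = profile.get("url", "")
    # verify defaults to False and is ignored once ca_cert_path is set, so an
    # https URL with neither means the server certificate is never checked.
    if (urlparse(url).scheme == "https" and not profile.get("ca_cert_path")
            and not profile.get("verify", False)):
        findings.append(f"{name}: TLS certificate not verified; set ca_cert_path")
    # Auth methods are mutually exclusive: only the chosen method's credentials
    # should be present, and all of them must be.
    expected = METHOD_CREDENTIALS.get(profile.get("auth_method"), set())
    present = {k for k in ALL_CREDENTIAL_KEYS if profile.get(k)}
    for key in sorted(expected - present):
        findings.append(f"{name}: auth_method {profile['auth_method']} requires {key}")
    for key in sorted(present - expected):
        findings.append(f"{name}: {key} belongs to another auth method; remove it")
    return findings


def check_config(config):
    """Check a parsed pack config (the dict form of the pack's config file)."""
    profiles = config.get("profiles", [])
    findings = []
    if config.get("default_profile") not in [p.get("name") for p in profiles]:
        findings.append("default_profile does not name a configured profile")
    for profile in profiles:
        findings.extend(check_profile(profile))
    return findings


# Constructed sample in the pack's config layout; hostnames are placeholders.
SAMPLE_CONFIG = {
    "default_profile": "prod",
    "profiles": [
        {"name": "prod", "url": "https://vault.example.invalid:8200",
         "auth_method": "approle", "role_id": "<role-id>", "secret_id": "<secret-id>"},
        {"name": "lab", "url": "https://vault-lab.example.invalid:8200",
         "auth_method": "token", "token": "<token>", "secret_id": "<leftover>"},
    ],
}
```

Running check_config(SAMPLE_CONFIG) reports the unverified TLS connection on both profiles and the stray secret_id on the token profile.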
Active pack maintainers with review & write repository access and expertise with vault:
- Jacob Floyd (@cognifloyd) [email protected] Copart
- Carlos (@nzlosh)
Documentation generated using pack2md