Skip to content

Latest commit

 

History

History
232 lines (180 loc) · 10.2 KB

README.md

File metadata and controls

232 lines (180 loc) · 10.2 KB

Vault Integration Pack

StackStorm pack integration with HashiCorp Vault

Author: steve.neuharth [email protected]

Configuration

The following options are required to be configured for the pack to work correctly.

Option Type Required Secret Description
default_profile string True default The default profile to use in an action when none is given.
profiles array True default Profiles definitions
- name string True default Name of the profile.
- url string True False URL for the Vault server
- verify boolean False default Verify the TLS certificate for HTTPS requests. Default false (this option is ignored if ca_cert_path is supplied).
- ca_cert_path string False default CA Certificate path. Defaults to empty string. When path is provided, TLS certificates are verified.
- client_cert_path string False default Client side certificates for HTTPS request
- client_key_path string False default Client private key for HTTPS request
- auth_method string False default Authentication method
- token string False True Authentication token (method=token)
- role_id string False True Authentication approle role-id (method=approle)
- secret_id string False True Authentication approle secret-id (method=approle)

Actions

The pack provides the following actions:

create_token

Create a new Token

Parameter Type Required Secret Description
profile_name string False default The profile to use to run this action.
token_id string False default The ID of the client token. By default, this is an auto-generated value.
role_name string False default The name of the token role.
Items are of type
policies array False default List of policy names to associate with this token.
meta string False default Metadata to associate with the token. This metadata will show in the audit log when the token is used.
no_parent boolean False default This argument only has effect if used by a root or sudo caller.
no_default_policy boolean False default Detach the 'default' policy from the policy set for this token.
renewable boolean False default True: Permit the token to be renewable up to the system/mount maximum TTL. False: Token can't be renewed past its initial TTL.
ttl string False default Initial TTL to associate with the token, provided as '1h', where hour is the largest suffix. (default unit: seconds)
token_type string False default The token type. Can be 'batch' or 'service'. Defaults to the type specified by the role configuration named by role_name.
explicit_max_ttl string False default If set, the token will never be able to be renewed or used past the value set at issue time.
display_name string False default Name to associate with this token. This is a non-sensitive value that can be used to help identify created secrets (e.g. prefixes).
num_uses string False default Number of times this token can be used. After the last use, the token is automatically revoked.
period string False default If specified, the token will be periodic; it will have no maximum TTL (unless an 'explicit-max-ttl' is also set) but every renewal will use the given period. Requires a root token or one with the sudo capability.
entity_alias string default default Name of the entity alias to associate with during token creation.
wrap_ttl string False default Specifies response wrapping token creation with duration. IE: '15s', '20m', '25h'.
mount_point string False default The 'path' the method/backend was mounted on.

delete

Delete value from Vault server

Parameter Type Required Secret Description
profile_name string False default The profile to use to run this action.
path string True default Path to delete from Vault

delete_policy

Delete policy from Vault server

Parameter Type Required Secret Description
profile_name string False default The profile to use to run this action.
name string True default Policy to delete from Vault

generate_secret

Generate a secret and write it to vault.

Parameter Type Required Secret Description
profile_name string False default The profile to use to run this action.
mount_point string False default Vault moint point in the URL
path string True default Path to the secrets
key_name string True default Name of the key to write the secret.
update_tactic string False default The logic to use when writing secret to Vault. See readme for details.
string_set string default default Unavailable
secret_length integer default default The number of characters to use in the secret.

get_policy

Read policy from Vault server

Parameter Type Required Secret Description
profile_name string False default The profile to use to run this action.
name string True default Policy to read from Vault

is_initialized

Read initialization status from Vault server

Parameter Type Required Secret Description
profile_name string False default The profile to use to run this action.

list_policies

List Policies from Vault server

Parameter Type Required Secret Description
profile_name string False default The profile to use to run this action.

read

Read value from Vault server

Parameter Type Required Secret Description
profile_name string False default The profile to use to run this action.
path string True default Key to read from Vault

read_kv

Read a kv value from Vault server

Parameter Type Required Secret Description
profile_name string False default The profile to use to run this action.
path string True default Key to read from Vault
kv_version number True default The version of the KV store in vault. Use 1 for legacy kv stores, 2 for newer kv stores
mount_point string True default The mount point of the kv store
version string True default The version of the kv data

revoke_token

Revoke a token and all its child tokens.

Parameter Type Required Secret Description
profile_name string False default The profile to use to run this action.
token string True default Token to revoke.
mount_point string False default The 'path' the method/backend was mounted on.

set_policy

Create a new Vault policy

Parameter Type Required Secret Description
profile_name string False default The profile to use to run this action.
name string True default Name of new Vault Policy
rules string True default Policy rules

write

Write a key/value to Vault

Parameter Type Required Secret Description
profile_name string False default The profile to use to run this action.
path string True default Path to the Vault secrets
values string True default Keys and values to write in Vault ({"key":"value", "key2": "value2"}

write_secret

Write a secret to Vault.

Parameter Type Required Secret Description
profile_name string False default The profile to use to run this action.
mount_point string False default Vault moint point in the URL
path string True default Path to the secrets
key_name string True default Name of the key to write the secret.
secret string True True Secret contents to be written.
decode_json boolean False default Secret is formatted as a json and should be decode to be sent to Vault
update_tactic string False default The logic to use when writing secret to Vault. See readme for details.

generate secret

This action is written to pre-populate keys with a random secret.

The following string sets are available

  • ascii_letters abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
  • ascii_lowercase abcdefghijklmnopqrstuvwxyz
  • ascii_uppercase ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • digits 0123456789
  • punctuation !"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~
  • printable 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r\x0b\x0c
  • alphanumeric abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789

Update tactic

The update tactic controls how the action will update existing secrets. It's intended to ensure idempotence on multiple runs of the secret generation action. The currently supported tactics are:

  • overwrite: Overwrite an existing secret.
  • refrain: Do not overwrite an existing secret.

Sensors

There are no sensors available for this pack.

Authentication methods

Authentication methods are defined per profile and are mutally exclusive. Only configure the method that should be used.

Supported

  • approle
  • token

Unsupported

  • app-id
  • ali-cloud
  • aws-iam # aka aws
  • aws-ec2
  • azure
  • cert # aka tls
  • gcp
  • github
  • jwt
  • kubernetes
  • ldap
  • mfa
  • oidc
  • okta
  • radius
  • userpass

Maintainers

Active pack maintainers with review & write repository access and expertise with vault:

Documentation generated using pack2md