Configuring apps for HashiCorp Vault
Vault setup
To allow the SOAR app client to authenticate to Vault and interact with the SOAR Platform, you must create an AppRole in the Vault instance. For more information about creating AppRoles, see AppRole Pull Authentication on the HashiCorp Vault website.
The app must have read access to the secret engine and to the paths of the specific secrets that you want to share with the app. Do not grant access to any secret engines or paths that the app does not need. For better control and visibility into how the apps use the credentials in Vault, create a different app role for each SOAR app.
After you create the AppRole, note the role_id
and the
secret_id
for the role. This information must be stored as a protected secret on
the SOAR Platform so that each app can connect to
Vault. If the secret_id
is configured to expire frequently, an administrator must
manually retrieve the value and reset it in the SOAR Platform app.
HashiCorp Vault configuration in the SOAR app
After the application is configured in CCP and the client you have the role_id
and secret_id
values, install the SOAR app on the SOAR Platform.
Configuration parameter | Value |
---|---|
PAM_TYPE |
HashiCorpVault |
PAM_ADDRESS |
Specify the address where your HashiCorp server can be reached. If applicable, include the port. This value is typically the same as what you would set for VAULT_ADDR when you use the Vault
command-line interface. For example, the address might look like
|
PAM_APP_ID |
Set this parameter to the |
PAM_SECRET_ID |
Set this parameter to the |
PAM_VERIFY_SERVER_CERT |
This parameter is optional, depending on your Vault configuration. If your configuration requires this parameter, the accepted values are True, False, or the path to a certificate chain that authenticates a self-signed certificate on a self-hosted Vault server. The recommendation is to accept the default value of True. Important: Do not use this parameter in a production environment.
|
Referencing a Vault secret
The app.config file structure that you must follow for each secret that you want to reference is restrictive. The app fails if the proper structure is not used.
Each configuration that you want to pull from Vault must be prefixed with the caret (^) symbol.
- The name of the secrets engine in Vault.
- The path to the secret within the engine.
- The name of the specific key that you want to get the value for.
[SOAR_app_name]
<configuration_name>=^<secret_name>.<path/to/the/secret>.<secret_password>
secret1
and stored in
the key-value engine. The path to the secret is test/soarapp, and the secret
credential is named secret_password
. You are installing the
fn_my_app
app and the configuration is called my_secret_config
. In
this example, the app.config file includes the following
entry:[fn_my_app]
my_secret_config=^secret1.test/soarapp.secret_password
[fn_my_app]
sql_query=FROM table SELECT ^{secret1.test/soarapp.value_to_select}
Testing the configuration
After both the vault and the app are configured, you can test the configuration to ensure that the vault connection works and that the app is configured correctly. To test the configuration, go to the app's Configuration page and click Test configuration.