HashiCorp Vault integration
- Updated: 2024/07/08
You can integrate Automation 360 to retrieve credentials from the HashiCorp Vault. The credentials reside in the HashiCorp Vault where you can manage, rotate, and synchronize them.
Note: The HashiCorp mark and logo are trademarks or registered trademarks of HashiCorp, Inc. and are used for identification purposes only.
You integrate the Control Room by connecting it to the HashiCorp Vault through the HashiCorp HTTP APIs.
The following table lists the features supported by the different deployment types:
Feature | Cloud | On-Premises |
---|---|---|
Agent automation credentials | Supported | Supported |
Agent auto-login credentials | Supported | Supported |
Bootstrap and system credentials | Not supported | Supported |
You can integrate the Control Room with the HashiCorp Vault using either of these deployments:
- Cloud: the Control Room is hosted on the AAI Cloud. The following diagram shows a Cloud deployment:
- On-Premises: you deploy the following:
  - Control Room as software within your customer environment.
  - Bot Agent within your customer environment where automations run and access customer applications.
Note: You can also connect your On-Premises Control Room to HashiCorp Cloud via the internet.
HashiCorp Vault integration requirements
- The HashiCorp service must be accessible from the Control Room.
- The HashiCorp external key vault must be reachable from the Cloud Control Room through the network perimeter firewall rules. For external firewall rules configuration details, see Control Room IP addresses for external integrations.
- Ensure that you are using:
  - HashiCorp Vault 1.13.x or 1.14.x and HashiCorp KV secrets engine version 2.
  - The default secret engine path /secret. All secrets must be created under the root of the secret engine (/secret). To access the HashiCorp Vault APIs, the Control Room automatically appends the default secret engine path v1/secret/data to the vault URL you enter (for example: https://<hostname1:port_num>/v1/secret/data). Ensure that the role with the given RoleID has at least read permission to this path and that all secrets are created in this secrets engine.
  - The HashiCorp Vault REST API.
  - The API engine path /v1/secret/data.
  - API operations under a specific namespace, selected by setting the X-Vault-Namespace header to the absolute or relative namespace path.
  - The AppRole authentication method with the default path name “approle”. A custom AppRole path name is not supported.
Install HashiCorp Vault
You must install and configure the HashiCorp Vault. See HCP Vault Quick Start.
Use AppRole in HashiCorp Vault
AppRole is an authentication method used in the HashiCorp Vault for applications to interact with the vault. AppRole uses the following values for authentication:
- RoleID: A unique identifier for AppRole. You can use the Role ID with any number of instances of an application.
- SecretID: A randomly generated value that is used to authenticate the AppRole. The secret ID is intended for a single instance of an application, is short-lived, and can be used by authorized applications only. Important: We recommend that you do not share this value.
- Role name: Roles are listed by the role name.
- Namespace: Allows you to create groups of secrets and apply policies to those namespaces to ensure that each tenant can only access the secrets they have permission to.
For information on how to configure AppRole, see AppRole Auth Method.
Import server certificate
In On-Premises deployments, you can import individual server certificates into the truststore. However, we recommend that you import the issuing Certificate Authority (CA) certificate. For more information, see Import HTTPS SSL, intermediate, and CA certificates.
- The client (Automation 360 Control Room) sends a request to the HashiCorp Vault (protected resource).
- The server then responds by sending a certificate back to the client.
- The Control Room verifies the certificate sent by the HashiCorp server by validating it against the trusted server certification information stored in the public part of the Control Room truststore.
- Both parties (client and server) gain access to the protected resources if the certificates pass validation based on the following:
  - The Control Room must trust the certificate on the HashiCorp server.
  - The Subject field in the certificate matches the Fully Qualified Domain Name (DNS Name) of the calling system.
  - The certificate has not expired.
HashiCorp HTTP API configuration requirements
You must have network connectivity between the Control Room and the HashiCorp server. The Control Room connects to the HashiCorp Vault through the HashiCorp HTTP APIs in both On-Premises and Cloud deployments.
To use the HashiCorp API, you must set these required parameters:
- Vault URL
- Role ID
- Role Name
- Secret ID
- Secrets Engine Path
- Namespace (optional)
- Optional Certificate
Review HashiCorp credential terminology and identifiers
HashiCorp and Automation Anywhere use different terminology to describe and identify credentials:
Description | HashiCorp | Automation Anywhere |
---|---|---|
Where credentials are stored | secrets | credentials |
- Credentials in HashiCorp are stored as secrets.
- Credentials in Automation Anywhere are stored in lockers, where each locker has access controls for Control Room users.
- username: john
- password: 2zR%#sX#g
- email: john@email.com
- passcode: my-long-passcode
HashiCorp secret ID rotation
The Control Room runs a scheduled job to proactively rotate the HashiCorp secret ID for a tenant, so that automations that use key vault credentials run without interruption. By default, the secret ID rotation frequency is every hour. Whether the secret ID is changed depends on the secret ID's expiration time: you can change the secret ID once two-thirds of its lifetime has elapsed.
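The exchanges this page describes (an AppRole login with the RoleID and SecretID on the default “approle” path, a read of a KV version 2 secret under the default /v1/secret/data path with the X-Vault-Namespace header set, and minting a replacement secret ID for the role so it can be rotated at two-thirds of its TTL) are shown below as an added Python example. This is not Automation Anywhere's or HashiCorp's code. The vault URL, namespace, role name, token and ID values are constructed placeholders; the HTTP transport is injectable so that a fake transport with made-up responses runs offline, and the secret_id_ttl field in the secret-id response is an assumption of that constructed data.

```python
"""AppRole login, KV v2 read and secret ID rotation against the Vault HTTP API.

Constructed, offline example: the HTTP transport is injectable and a fake
transport with made-up responses stands in for a live Vault server.
"""
import json
import urllib.request


class VaultClient:
    """Minimal client for the exchanges the Control Room performs."""

    def __init__(self, vault_url, mount="secret", namespace=None, opener=None):
        self.base = vault_url.rstrip("/")
        self.mount = mount.strip("/")           # Secrets Engine Path, default "secret"
        self.namespace = namespace              # optional X-Vault-Namespace value
        self.token = None                       # set after a successful AppRole login
        self._open = opener or self._http_open  # assumption: urllib transport when none given

    def _headers(self):
        headers = {"Content-Type": "application/json"}
        if self.namespace:
            headers["X-Vault-Namespace"] = self.namespace
        if self.token:
            headers["X-Vault-Token"] = self.token
        return headers

    @staticmethod
    def _http_open(method, url, headers, body):
        """Real transport: JSON over HTTPS, validated against the process trust store."""
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def login(self, role_id, secret_id):
        """POST /v1/auth/approle/login on the default 'approle' mount; keeps the client token."""
        resp = self._open("POST", f"{self.base}/v1/auth/approle/login",
                          self._headers(), {"role_id": role_id, "secret_id": secret_id})
        self.token = resp["auth"]["client_token"]
        return self.token

    def read_secret(self, name):
        """GET /v1/<mount>/data/<name> (KV v2): returns the key-value pairs and the version."""
        resp = self._open("GET", f"{self.base}/v1/{self.mount}/data/{name}",
                          self._headers(), None)
        return resp["data"]["data"], resp["data"]["metadata"]["version"]

    def new_secret_id(self, role_name):
        """POST /v1/auth/approle/role/<role_name>/secret-id: mints a fresh secret ID."""
        resp = self._open("POST", f"{self.base}/v1/auth/approle/role/{role_name}/secret-id",
                          self._headers(), {})
        # secret_id_ttl in this response is an assumption of the constructed data below
        return resp["data"]["secret_id"], int(resp["data"]["secret_id_ttl"])


def rotation_due(elapsed_seconds, ttl_seconds):
    """Rotate once two-thirds of the secret ID's TTL has elapsed (integer arithmetic)."""
    return elapsed_seconds * 3 >= ttl_seconds * 2


# --- Constructed stand-in for a live Vault (hostname, tokens and IDs are made up) ---
BASE = "https://vault.example.com:8200"
FAKE_RESPONSES = {
    ("POST", f"{BASE}/v1/auth/approle/login"): {
        "auth": {"client_token": "hvs.EXAMPLE-TOKEN", "lease_duration": 3600}},
    ("GET", f"{BASE}/v1/secret/data/john"): {
        "data": {"data": {"username": "john", "password": "2zR%#sX#g",
                          "email": "john@email.com", "passcode": "my-long-passcode"},
                 "metadata": {"version": 3}}},
    ("POST", f"{BASE}/v1/auth/approle/role/control-room/secret-id"): {
        "data": {"secret_id": "EXAMPLE-NEW-SECRET-ID", "secret_id_ttl": 3600}},
}
SENT = []  # every (method, url, headers, body) the fake transport saw


def fake_open(method, url, headers, body):
    SENT.append((method, url, dict(headers), body))
    return FAKE_RESPONSES[(method, url)]


def demo():
    """Log in, read a credential secret, then mint a replacement secret ID."""
    SENT.clear()
    client = VaultClient(BASE, namespace="tenant-a", opener=fake_open)
    client.login("EXAMPLE-ROLE-ID", "EXAMPLE-OLD-SECRET-ID")
    creds, version = client.read_secret("john")
    new_sid, ttl = client.new_secret_id("control-room")
    return creds, version, new_sid, ttl


if __name__ == "__main__":
    creds, version, new_sid, ttl = demo()
    print(f"secret v{version} keys: {sorted(creds)}; new secret ID TTL {ttl}s")
    print("rotate after 40 min of a 60 min TTL?", rotation_due(2400, ttl))
```

Replacing fake_open with the default urllib transport and supplying a truststore that contains the issuing CA is what turns this into a real client; the request shapes (paths, headers and JSON bodies) are the ones the Control Room sends per the requirements above.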
If the HashiCorp secret ID rotation fails, you can manually change the secret ID using the following Cloud or On-Premises procedures: