After you have obtained a token, there are several ways to create, update, read and delete secrets under the Vault path you claimed.
HashiCorp Vault is used as the secret storage backend behind Cloud Secrets, so after you provision your safes with the Cloud Secrets web app, you read and write the actual secrets with regular Vault commands against the same fully qualified domain name (FQDN).
Vault is an excellent piece of software for storing, accessing and sharing secrets between humans and services. It uses a client-server architecture and provides an HTTP API as well as a command-line interface for secrets management. How to manage user access to those secrets, however, is an open question without a straightforward answer.
When enabled, multiple authentication methods let users and applications authenticate to Vault, including GitHub, LDAP, JWT/OIDC and RADIUS, among many others. Some of these methods, such as LDAP or OIDC, can also be leveraged for authorization: by defining in advance how the information returned by the authentication method maps to Vault groups, Vault can assign access policies based on the information provided by the third-party identity provider.
However, all of the authentication methods require Vault to be configured in advance. Static policies must be mapped to authenticated entities, so if you expect some kind of self-service, where users create their own safe space, you are on your own.
Case study - HashiCorp Vault
You can use Vault with:
the command-line interface (CLI) provided by the Vault binary
the HTTP API, called directly with the curl command or from a library such as the Python client
Using Vault command-line interface (CLI)
To manage your secrets manually, you can use the command-line interface of the Vault software itself:
download the Vault binary
Set up the environment variables:
Use the CLI commands:
You can also find a basic CLI usage guide on the vendor's site.
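The three steps above as a set of shell wrappers around the Vault CLI. This is an added example, not code from the Cloud Secrets documentation: it assumes the vault binary is on PATH, that VAULT_ADDR points at your Cloud Secrets FQDN and VAULT_TOKEN holds the token you obtained, and that your safe lives in a KV secrets engine. The mount "secret" and path "myteam/app" in the usage lines are placeholders.

```bash
# Added example, not from the Cloud Secrets docs. Assumes `vault` is on PATH
# and that VAULT_ADDR / VAULT_TOKEN are set as shown below (placeholders).

# 1. Environment the Vault CLI reads (fill in your own values):
#    export VAULT_ADDR="https://<cloud-secrets-fqdn>:8200"
#    export VAULT_TOKEN="<token obtained earlier>"

# Refuse to run without the two variables, and refuse a plaintext http://
# address, since the token would otherwise travel unencrypted.
require_vault_env() {
    if [ -z "${VAULT_ADDR:-}" ] || [ -z "${VAULT_TOKEN:-}" ]; then
        echo "VAULT_ADDR and VAULT_TOKEN must be set" >&2
        return 1
    fi
    case "$VAULT_ADDR" in
        https://*) return 0 ;;
        *) echo "VAULT_ADDR must use https://, got: $VAULT_ADDR" >&2; return 1 ;;
    esac
}

# 2. Confirm the token is valid and see which policies it carries before
#    touching any secret.
vault_whoami() {
    require_vault_env || return 1
    vault token lookup
}

# 3. KV operations. Write one key/value pair: kv_put <mount> <path> <key> <value>
kv_put() {
    require_vault_env || return 1
    vault kv put "$1/$2" "$3=$4"
}

# Same, but read the value from stdin so it never appears as a command-line
# argument (shell history, `ps`): kv_put_stdin <mount> <path> <key>
kv_put_stdin() {
    require_vault_env || return 1
    vault kv put "$1/$2" "$3=-"
}

# Read one field as plain text, without the JSON wrapper: kv_get <mount> <path> <key>
kv_get() {
    require_vault_env || return 1
    vault kv get -field="$3" "$1/$2"
}

# List secret names under a path: kv_list <mount> <path>
kv_list() {
    require_vault_env || return 1
    vault kv list "$1/$2"
}

# Delete the latest version of a secret: kv_delete <mount> <path>
kv_delete() {
    require_vault_env || return 1
    vault kv delete "$1/$2"
}

# Usage (placeholders for mount and path):
#   printf '%s' 's3cr3t' | kv_put_stdin secret myteam/app db_password
#   kv_get secret myteam/app db_password
#   kv_list secret myteam
```

The require_vault_env check is the part worth keeping even if you drop the wrappers: a missing VAULT_ADDR makes the CLI fall back to a localhost address, and an http:// address sends the token in the clear. Prefer kv_put_stdin over kv_put for real secrets so the value stays out of the shell history and process list.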
Using Ansible for managing secrets
When the secrets are expected to be available as Ansible variables, we use Ansible roles to read and write them:
You must define the mount point, the Vault path and the name of the secret. The roles can generate a password on their own if one does not exist yet:
Read secret to Ansible variable
Write secret to Vault
Please note that all secrets should be Base64 encoded.
For more information on how to use the roles for reading and saving secrets, please check the appropriate role README files.
Accessing secrets via HTTP API
As with the other methods, you need to know the Vault address and have a valid token; then you can read, write and list secrets by calling the secret store HTTP API:
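The read, write and list calls above, done with curl against the HTTP API, as an added example that is not part of the Cloud Secrets documentation. It assumes VAULT_ADDR and VAULT_TOKEN are set as in the CLI section, and that the safe is a KV version 2 engine, whose API paths carry a /data/ or /metadata/ segment and wrap fields in a {"data": ...} object (for KV v1 drop both). Values are Base64 encoded before writing, following the convention the Ansible roles above expect; mount and path values are placeholders.

```bash
# Added example, not from the Cloud Secrets docs. Assumes a KV v2 engine and
# VAULT_ADDR / VAULT_TOKEN in the environment (placeholders below).

# Endpoint URLs. KV v2 reads/writes go to /data/, listing goes to /metadata/.
# kv_url <mount> <path>, kv_meta_url <mount> <path>
kv_url() {
    printf '%s/v1/%s/data/%s\n' "${VAULT_ADDR%/}" "$1" "$2"
}
kv_meta_url() {
    printf '%s/v1/%s/metadata/%s\n' "${VAULT_ADDR%/}" "$1" "$2"
}

# Write body for one field: KV v2 expects the fields inside a "data" object,
# and the value is Base64-encoded first (same convention as the Ansible roles).
# kv_body <key> <value>
kv_body() {
    enc=$(printf '%s' "$2" | base64 | tr -d '\n')
    printf '{"data":{"%s":"%s"}}\n' "$1" "$enc"
}

# --fail turns a 403 (token lacks the policy) or 404 (no such secret) into a
# non-zero exit instead of silently returning Vault's JSON error document.
# kv_write <mount> <path> <key> <value>
kv_write() {
    curl -sS --fail -H "X-Vault-Token: $VAULT_TOKEN" \
        -X POST -d "$(kv_body "$3" "$4")" "$(kv_url "$1" "$2")"
}

# kv_read <mount> <path>  -> JSON; the fields sit under .data.data
kv_read() {
    curl -sS --fail -H "X-Vault-Token: $VAULT_TOKEN" "$(kv_url "$1" "$2")"
}

# kv_list <mount> <path>  -> JSON; secret names sit under .data.keys
kv_list() {
    curl -sS --fail -H "X-Vault-Token: $VAULT_TOKEN" -X LIST "$(kv_meta_url "$1" "$2")"
}

# kv_delete <mount> <path>  -> soft-deletes the latest version
kv_delete() {
    curl -sS --fail -H "X-Vault-Token: $VAULT_TOKEN" -X DELETE "$(kv_url "$1" "$2")"
}

# Usage (placeholders; jq is assumed for extracting the field):
#   kv_write secret myteam/app db_password 's3cr3t'
#   kv_read  secret myteam/app | jq -r '.data.data.db_password' | base64 -d
#   kv_list  secret myteam
```

Two things to keep in mind when lifting this into a script: the token and the secret value are passed as command-line arguments here, so they are visible in the process list and shell history; curl accepts -H @file and -d @file to read them from files instead. And the HTTP 403 that --fail surfaces usually means the token's policy does not cover the path, not that the secret is missing, so check the policy attached to the token before assuming the data is gone.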