# HashiCorp Vault

## Configuration
You must provide a mapping in `PLUGINS_CONFIG` within your `nautobot_config.py`, for example:

```python
import os

PLUGINS_CONFIG = {
    "nautobot_secrets_providers": {
        "hashicorp_vault": {
            "url": os.environ.get("HASHICORP_VAULT_URL"),
            "token": os.environ.get("HASHICORP_VAULT_TOKEN"),
        }
    },
}
```
- `url` - (required) The URL of the HashiCorp Vault instance (e.g. `http://localhost:8200`).
- `auth_method` - (optional, defaults to `"token"`) The method used to authenticate against the HashiCorp Vault instance. One of `"approle"`, `"aws"`, `"kubernetes"` or `"token"`.
- `ca_cert` - (optional) Path to a PEM formatted CA certificate to use when verifying the Vault connection. Can alternatively be set to `False` to skip TLS verification (not recommended: the token or `secret_id` is sent on every request, and without verification the connection can be intercepted) or `True` to use the system certificates.
- `default_mount_point` - (optional, defaults to `"secret"`) The default mount point of the K/V secrets engine within HashiCorp Vault.
- `kv_version` - (optional, defaults to `"v2"`) The version of the KV engine to use, either `"v1"` or `"v2"`.
- `k8s_token_path` - (optional) Path to the Kubernetes service account token file. Defaults to `"/var/run/secrets/kubernetes.io/serviceaccount/token"`.
- `token` - (optional) Required when `"auth_method": "token"` or when `auth_method` is not supplied. The token used to authenticate the client with the HashiCorp Vault instance. As with other sensitive service credentials, we recommend that you provide the `token` value as an environment variable and retrieve it with `{"token": os.getenv("NAUTOBOT_HASHICORP_VAULT_TOKEN")}` rather than hard-coding it in your `nautobot_config.py`.
- `role_name` - (optional) Required when `"auth_method": "kubernetes"`, optional when `"auth_method": "aws"`. The Vault Kubernetes role or Vault AWS role to assume, which the pod's service account must have access to.
- `role_id` - (optional) Required when `"auth_method": "approle"`. As with other sensitive service credentials, we recommend that you provide the `role_id` value as an environment variable and retrieve it with `{"role_id": os.getenv("NAUTOBOT_HASHICORP_VAULT_ROLE_ID")}` rather than hard-coding it in your `nautobot_config.py`.
- `secret_id` - (optional) Required when `"auth_method": "approle"`. As with other sensitive service credentials, we recommend that you provide the `secret_id` value as an environment variable and retrieve it with `{"secret_id": os.getenv("NAUTOBOT_HASHICORP_VAULT_SECRET_ID")}` rather than hard-coding it in your `nautobot_config.py`.
- `login_kwargs` - (optional) Additional parameters to pass to the login method for the `approle`, `aws` and `kubernetes` authentication methods.
- `namespace` - (optional) Namespace to use for the `X-Vault-Namespace` header on all hvac client requests. Required when the Namespaces feature is enabled in Vault Enterprise.
## Multiple Hashicorp Vaults

??? version-added "Added in version 3.1.0"

The HashiCorp provider supports multiple vault configurations; you choose which vault to use when creating a secret. For example, you could have one vault using `approle` authentication and a second vault using `token` authentication with a different KV version and default mount point:
```python
import os

PLUGINS_CONFIG = {
    "nautobot_secrets_providers": {
        "hashicorp_vault": {
            "vaults": {
                # AppRole login, KV v2 at the default "secret" mount
                "hashicorp_approle": {
                    "url": os.environ.get("HASHICORP_VAULT_URL"),
                    "auth_method": "approle",
                    "role_id": os.getenv("NAUTOBOT_HASHICORP_VAULT_ROLE_ID"),
                    "secret_id": os.getenv("NAUTOBOT_HASHICORP_VAULT_SECRET_ID"),
                },
                # Token login (auth_method omitted), KV v1 at a custom mount
                "hashicorp_v1_custom_mount": {
                    "url": os.environ.get("HASHICORP_VAULT_URL"),
                    "token": os.environ.get("HASHICORP_VAULT_TOKEN"),
                    "kv_version": "v1",
                    "default_mount_point": "secret_kv",
                },
            }
        }
    },
}
```
!!! note
    If using this option, you should not have any keys except `vaults` under `hashicorp_vault`.
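A mistake in this mapping (a missing `secret_id`, an unsupported `kv_version`, an unset environment variable that silently becomes `None`, or stray keys next to `vaults`) is usually only discovered when Nautobot first tries to read a secret. The following is an added example, not code from the nautobot-secrets-providers project: a stand-alone Python checker that encodes the rules documented above for both the single-vault and the multi-vault form, so the mapping can be checked before deployment. The function names, the `ERROR`/`WARN` prefixes and the sample configs are this example's own, and the warning about a plaintext `http://` URL to a non-local Vault is an extra check added here, not a rule from the project.

```python
"""Offline sanity check for a nautobot_secrets_providers 'hashicorp_vault' mapping.

Added example, not project code. Encodes this page's rules: required keys per
auth_method, allowed auth_method/kv_version/ca_cert values, and the rule that
'vaults' must be the only key in a multi-vault config. Names are the example's own.
"""
from typing import Any, Dict, List, Mapping

AUTH_METHODS = {"approle", "aws", "kubernetes", "token"}
# Keys required for each auth_method, in addition to the always-required "url".
REQUIRED_BY_METHOD = {"token": ("token",), "approle": ("role_id", "secret_id"),
                      "kubernetes": ("role_name",), "aws": ()}
KNOWN_KEYS = {"url", "auth_method", "ca_cert", "default_mount_point", "kv_version",
              "k8s_token_path", "token", "role_name", "role_id", "secret_id",
              "login_kwargs", "namespace"}


def normalize_vaults(hv: Mapping[str, Any]) -> Dict[str, Mapping[str, Any]]:
    """Return {vault_name: config} for both the single- and multi-vault forms."""
    if "vaults" not in hv:
        return {"hashicorp_vault": hv}  # single vault, reported under a fixed name
    extra = sorted(k for k in hv if k != "vaults")
    if extra:  # the page's note: nothing but "vaults" may sit under hashicorp_vault
        raise ValueError(f"keys not allowed alongside 'vaults': {extra}")
    if not isinstance(hv["vaults"], Mapping) or not hv["vaults"]:
        raise ValueError("'vaults' must be a non-empty mapping")
    return dict(hv["vaults"])


def validate_vault(name: str, cfg: Mapping[str, Any]) -> List[str]:
    """Return findings ('ERROR: ...' or 'WARN: ...') for one vault config."""
    out: List[str] = []
    unknown = sorted(set(cfg) - KNOWN_KEYS)
    if unknown:
        out.append(f"ERROR: {name}: unknown keys {unknown}")
    url = cfg.get("url") or ""
    if not url:  # os.environ.get() on an unset variable yields None; this is how it shows up
        out.append(f"ERROR: {name}: 'url' is required (is HASHICORP_VAULT_URL set?)")
    method = cfg.get("auth_method", "token")
    if method not in AUTH_METHODS:
        out.append(f"ERROR: {name}: auth_method {method!r} not one of {sorted(AUTH_METHODS)}")
    else:
        for key in REQUIRED_BY_METHOD[method]:
            if not cfg.get(key):
                out.append(f"ERROR: {name}: {key!r} is required for auth_method {method!r}")
    if cfg.get("kv_version", "v2") not in ("v1", "v2"):
        out.append(f"ERROR: {name}: kv_version must be 'v1' or 'v2'")
    ca = cfg.get("ca_cert")
    if ca is False:
        out.append(f"WARN: {name}: ca_cert=False disables TLS verification; the Vault token "
                   "can be intercepted on the wire")
    elif ca not in (None, True) and not isinstance(ca, str):
        out.append(f"ERROR: {name}: ca_cert must be True, False or a path to a PEM CA file")
    # Example's own check: the page uses http://localhost as an illustration, but a
    # plaintext URL to a remote Vault sends the token or secret_id unencrypted.
    if url.startswith("http://") and not url.startswith(("http://localhost", "http://127.0.0.1")):
        out.append(f"WARN: {name}: plaintext http:// URL to a non-local Vault")
    return out


def validate_config(plugins_config: Mapping[str, Any]) -> List[str]:
    """Validate PLUGINS_CONFIG['nautobot_secrets_providers']['hashicorp_vault']."""
    hv = plugins_config.get("nautobot_secrets_providers", {}).get("hashicorp_vault")
    if hv is None:
        return ["ERROR: PLUGINS_CONFIG['nautobot_secrets_providers']['hashicorp_vault'] missing"]
    try:
        vaults = normalize_vaults(hv)
    except ValueError as exc:
        return [f"ERROR: {exc}"]
    return [f for name, cfg in vaults.items() for f in validate_vault(name, cfg)]


# Constructed sample configs (placeholder values, not real credentials).
GOOD_CONFIG = {"nautobot_secrets_providers": {"hashicorp_vault": {"vaults": {
    "hashicorp_approle": {"url": "https://vault.example.internal:8200", "auth_method": "approle",
                          "role_id": "example-role-id", "secret_id": "example-secret-id",
                          "ca_cert": "/etc/ssl/certs/internal-ca.pem"},
    "hashicorp_v1_custom_mount": {"url": "https://vault.example.internal:8200",
                                  "token": "example-token", "kv_version": "v1",
                                  "default_mount_point": "secret_kv"},
}}}}
BAD_CONFIG = {"nautobot_secrets_providers": {"hashicorp_vault": {
    "url": "http://vault.example.internal:8200",  # plaintext to a remote host
    "auth_method": "approle", "role_id": "example-role-id",  # secret_id missing
    "kv_version": "v3", "ca_cert": False,
}}}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        findings = validate_config(cfg)
        print(f"{label}: {'OK' if not findings else ''}")
        for line in findings:
            print("   ", line)
```

Run the file directly to print the findings for both sample configs, or import `validate_config` and feed it the real `PLUGINS_CONFIG` from `nautobot_config.py` after the environment variables are loaded. It never contacts Vault: an empty list means the mapping is complete under this page's rules, not that the credentials or the role actually work.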