Connections management vaults
7 min
internal vault in this scenario, connection details such as access keys, tokens, secret keys, and similar information are stored in our kyndryl internal vault using mongodb external vault for customers with their own vault configuration, the connection details are stored in the customer's vault however, the connection metadata is still retained in the kyndryl internal vault in these cases, all connections will be routed through the external vault, with kyndryl having read only access a reference id is generated and stored to connect to those credentials in the external vault therefore, all connections will go through the external vault, and kyndryl will have secure, read only access to the stored credentials, ensuring safety pre requisites the hashicorp vault instance must be accessible to in the dcp environment vault is configured with the appropriate authentication methods, such as app role and policies connection admin and platform viewer access must be granted to the connection manager the hashicorp role id and secret are currently active additionally, the tenant id of the account must be configured with the external vault configure connection manager to use the external vault configure to use external vault this configuration is specific to an account, and it is required since the vault adapter is deployed in the same cluster as the connection manager service api put api/security/v1/vaults/config \<font color="#f3f4f6">parameter\</font> \<font color="#f3f4f6">type\</font> \<font color="#f3f4f6">required\</font> \<font color="#f3f4f6">description\</font> name string yes name identifier for the external vault configuration client url string yes the url endpoint for the external vault adapter service make sure the client url is set to to \<dash base host>/api/security/v4/internal/externalvault adapter read only boolean no whether the vault connection is read only (default true) is default boolean no set this vault as the default credential provider is external boolean yes indicates this is an external vault configuration id string no unique identifier for the vault configuration configure external vault adapter for hashi corp vault for the account ensure the approle has permission to read secrets from the required paths make sure the roleid and secretid are generated by your hashicorp vault instance with appropriate policies the url must include the protocol api put /api/security/v4/internal/externalvault adapter/configs \<font color="#f3f4f6">parameter\</font> \<font color="#f3f4f6">type\</font> \<font color="#f3f4f6">required\</font> \<font color="#f3f4f6">description\</font> id string yes tenant identifier (typically the account/tenant id) type string yes vault type identifier (must be “hashicorp”) config credentials roleid string yes hashi corp vault approle role id config credentials secretid string yes hashi corp vault approlesecret id config configuration namespace string no vault namespace (for vault enterprise) config configuration url string yes hashi corp vault server address read only boolean no whether the adapter should operate in read only mode (default true) apis when using external vault configuration, the credentials array remains empty and credrefid is mandatory the reference id must always be a base64 encoded string, as the /character cannot be parsed in the api path the reference id will be decoded while accessing the vault api post /api/security/v3/connections \<font color="#f3f4f6">parameter\</font> \<font color="#f3f4f6">type\</font> \<font color="#f3f4f6">required\</font> \<font color="#f3f4f6">description\</font> credrefid string yes reference id of the secret in vault base64 encoded string displayname string yes display name for the connection connectioncategory string yes category of connection (e g , “cloudprovider”) brokers array yes list of broker services that can access this connection provider type string yes provider type (e g , “aws”,“azure”, “gcp”) provider credentials array yes credentials array (empty when using external vault) provider configdata object yes provider specific configuration data provider configdata accountnumber string yes cloud provider account number provider configdata additionalinfo string no additional configuration information retrieve credentials in clear text api get /api/security/v3/internal/connections/\<connectionid the secret stored at the hashi corp vault must match the provider metadata of the this is the standard request format for hashi corp vault { "data" {}, "options" {}, "version" 0 } gcp provider secrets must be stored in the format below "data" { "servicekey" "begin ewogicj0exblijoginnlcnzpy2vfywnjb3vudcisciaginbyb2ply3rfawqioiaibwntcc1kzxytzglzcixmdm1ndiznzu2odi2ndc4njg1njmilaogicjhdxrox3vyaeduwov9jzxj0x3vybci6icjodhrwczovl3d3dy5nb29nbgvhcglzlmnvbs9yb2jvdc92ms9tzxrhzgf0ys94nta5l2nklxnlcnzpy2utywnjb3vudcu0mg1jbxatzgv2lwrpc2nvdmvyes5pyw0uz3nlcnzpy2vhy2nvdw50lmnvbsikfqo end" }, "options" {}, "version" 0 } aws provider secrets must be stored in the format below { "data" { "accesskey" "\<access key>", "secretkey" "\<secret key>" }, "options" {}, "version" 0