HashiCorp Vault

Firefly can integrate with HashiCorp Vault to track secrets engines and configurations. This integration allows you to ensure your Vault setup follows infrastructure as code principles. The integration focuses on tracking Vault's configuration and setup, not the secrets themselves, aligning with infrastructure as code principles while maintaining security best practices.

Prerequisites

• HashiCorp Vault server with administrative access.

• Vault server address.

• A token with appropriate policies to read mounts and configurations.

• Access to create and manage policies.

• Ability to configure authentication methods.

Setup Procedure

1. Create Required Policy

1. Log in to your HashiCorp Vault account.

2. Navigate to Policies.

3. Create a new policy with the following permissions:

path "*"
{
  capabilities = ["read","list"]
}

path "auth/token/renew-self"
{
  capabilities = ["update"]
}

path "auth/token/create"
{
  capabilities = ["update", "create"]
}

2. Configure Authentication

1. Navigate to Access.

2. Enable a new auth method of type userpass.

3. Create a new user.

4. Attach the previously created policy to the user.

3. In Firefly

1. Go to Settings > Integrations.

2. Click Add New > HashiCorp Vault.

3. Enter a descriptive name in the Nickname field.

4. Enter the Vault endpoint address.

5. Enter the username and password for the user you created in step 2.

6. Click Next.

7. Click Done.

Configuration Details

• Firefly scans every 8 hours by default for SaaS data.

• Your HashiCorp Vault configurations list will stay updated automatically.

• You can enforce IaC or policies on your HashiCorp Vault assets.

• Supports monitoring of HashiCorp Vault secrets engines, authentication methods, mount points, and policy configurations.

Note: This integration focuses on tracking Vault's configuration and setup, not the secrets themselves. This approach aligns with infrastructure as code principles while maintaining security best practices.