Use gateways to expose an integration
Plus tier
This feature is available in HCP Vault Secrets Plus tier.
Some rotating secret use cases involve integrations with services that aren't exposed to the internet,
for example, your local on-premises PostgreSQL cluster. To accommodate these use cases, HashiCorp introduced a
tool named vault-secrets-gateway
that makes the service accessible to HCP Vault Secrets. This is a
binary that you can run within your network, where it's
able to communicate with the service you want to auto-rotate secrets for.
Key concepts
- Gateways are running instances of
vault-secrets-gateway
. - Gateways pools are collections of gateways that run within the same network. These gateway pools can be attached to integrations.
- Integrations manage the authentication and connection details that HCP Vault Secrets uses to access third-party providers to create and revoke credentials.
How do gateways work?
Gateways connect to HCP and identify themselves as a gateway for a specific gateway pool. Gateway pool IDs can be provided when creating an integration in HCP Vault Secrets. When HCP Vault Secrets needs to perform a rotation operation for an integration that has an associated gateway pool, instead of trying to connect directly to the third-party provider defined in the integration, HCP Vault Secrets reaches out to the gateway. HCP Vault Secrets can't initiate connections to the gateway directly, but it can send messages to any gateways that have already connected to HCP and are waiting for a response to its question "does anyone need to connect to my integration?"
Gateway pool setup
There is currently no support for creating gateway-pools via the UI.
Run hcp vault-secrets gateway-pools create
to create a gateway pool.
Sensitive data
The creds.json
generated includes the client_secret
, used for the gateway to
connect to HCP, and is considered sensitive information.
The command will create a configuration file and a credentials file in the given output directory.
Create environment variables required by the gateway.
Installation
The gateway can be installed using Helm for Kubernetes environments, as a stand-alone Docker container, or manually by downloading the binary.
Add the Helm repository.
Install the helm chart.
Start the gateway
The vault-secrets-gateway
needs two things to run:
- the resource name of a gateway pool
- a way to authenticate to HCP, in the form of a credentials file or workload identity federation
Create a directory to store the credentials file and copy
creds.json
to it.Create a Kubernetes secret.
Install the helm chart.
Additional example
Here is a more complete configuration file example showing some optional configuration.
log_level
controls what log messages are emitteduse_hostname
adds a metadata "hostname" field to the gateway telemetry shared with HCP Vault Secrets; this can be useful for debugging, but is turned off by default for those who consider this too sensitivemetadata
defines key-value metadata pairs that are shared with HCP Vault Secrets, which are visible when doing a list-gateways request; this can be useful for debugging and identifying which gateway is whichhttp_port
exposes an HTTP listener that provides/liveness
and/ready
endpoints; this is mostly intended for use with the helm chartcert_path
specifies where to write the X.509 certificate used by the gateway
Gateway certificates
If cert_path
isn't provided as configuration, the following warning log message will appear in vault-secrets-gateway
's output:
As part of its self-initialization, once vault-secrets-gateway
authenticates to HCP, it will request an X.509
certificate from HCP Vault Secrets. Ideally, this certificate would be persisted to disk so that if restarted we can
avoid generating a new cert, but it's not essential, so we don't block startup if we can't persist it.
Why is this certificate needed?
It's used to encrypt the channel created between HCP Vault Secrets and vault-secrets-gateway
.
The HTTP requests vault-secrets-gateway
makes to HCP don't go to HCP Vault Secrets directly. Instead, both vault-secrets-gateway
and HCP Vault Secrets speak to a broker running within HCP. Using the certificate ensures that the broker is unable
to see any of the content of the communication, it only gets to see the wrapper information necessary to route
between them.
Rotating the service principal key
The service principal key is returned as the client_secret
field in the gateway pool creation response, when using the API.
Alternatively, it can be found in the creds.json
file created by the CLI command hcp vault-secrets gateway-pools create
.
When using the helm chart without workload identity federation, it will be present as a kubernetes secret.
If the service principal key is compromised, you should create a new one, update the gateway to use it, then delete the old one.
Creating a new key
The service principal ID of the gateway can be obtained using the GetGatewayPool
command, e.g. for a gateway named gp1
:
Use this to create a new creds.json file:
Replace your existing creds.json file in your gateway deployment with the new one. Restart the gateway and verify that
it's visible to HCP using list-gateways
.
Deleting the old key
List the keys to find the resource name of the old key to delete:
Then delete the key:
References
- UI/CLI/Terraform instructions
- Detailed CLI instructions for create key
- Detailed CLI instructions for delete key
Commands
create
- Create a new Vault Secrets Gateway Pool.list
- List Vault Secrets gateway pools.list-gateways
- List Vault Secrets gateway pools gateways.read
- Read a Vault Secrets gateway pool.update
- Update a Vault Secrets gateway pool.delete
- Delete a Vault Secrets gateway pool.