A key vault configuration stores the connection and authentication details that Ops Manager uses to read credentials from HashiCorp Vault. After you create a key vault, you can configure an S3-compatible snapshot store to read its AWS credentials from that key vault. To learn more, see HashiCorp Vault for Snapshot Store Credentials.
Prerequisites
Before you configure a key vault, you must have:
A reachable HashiCorp Vault deployment.
Vault policies, roles, and secret paths that grant Ops Manager read-only access to the AWS credentials.
Secure, reliable network connectivity between Ops Manager, the Backup Daemon, and HashiCorp Vault.
The
Global Ownerrole in Ops Manager.
Procedure
Provide the key vault details.
Field | Necessity | Description |
|---|---|---|
Key Vault Provider | Required | Select HashiCorp Vault. |
Vault Address | Required | Enter the address of your HashiCorp Vault server,
such as |
Vault Name | Required | Enter an identifier for this key vault configuration. |
Authentication Method | Required | Select the method that Ops Manager uses to authenticate to HashiCorp Vault:
|
Vault Token | Conditional | Enter the Vault token. Ops Manager displays this field when you set Authentication Method to Token. |
JWT Private Key | Conditional | Enter the PEM-formatted RSA private key that signs the JWT. Ops Manager displays this field when you set Authentication Method to JSON Web Tokens (JWT). |
JWT Claims | Conditional | Enter the |
Custom CA Certificate (Optional) | Optional | Click Select Certificate to upload a custom Certificate Authority certificate, in PEM format, for TLS verification. |
Send a request to the Key Vault endpoint.
Send a POST request to the
Create One Key Vault Configuration endpoint. Specify the
friendlyName, type, url, and auth fields.
curl --user '{PUBLIC-KEY}:{PRIVATE-KEY}' --digest \ --header 'Accept: application/json' \ --header 'Content-Type: application/json' \ --include \ --request POST 'https://<OpsManagerHost>:<Port>/api/public/v1.0/admin/keyVault?pretty=true' \ --data '{ "friendlyName": "myVault", "type": "HASHI_CORP", "url": "https://localhost:8200/", "auth": { "mechanism": "TOKEN", "secret": "<vault-token>" } }'