You can store the AWS credentials for an S3-compatible snapshot store in the Ops Manager application database or in HashiCorp Vault. When you store credentials in a key vault, Ops Manager fetches them from HashiCorp Vault on demand. On-demand retrieval helps you centralize, rotate, and audit sensitive credentials.
Ops Manager supports HashiCorp Vault and local credential storage. You choose which method to use for each S3-compatible snapshot store.
Credential Storage Options
Ops Manager supports two credential storage locations for an S3-compatible snapshot store:
Storage Location | Description |
|---|---|
AppDB | Ops Manager stores the AWS access key and secret key in the Ops Manager application database. AppDB is the default method and doesn't require HashiCorp Vault. |
Key Vault | Ops Manager reads the AWS access key and secret key from HashiCorp Vault on demand. Ops Manager stores only the path to each secret, not the secret value. |
Use a key vault when your security or audit requirements call for a centralized secret manager. Use AppDB when you do not use HashiCorp Vault.
How Ops Manager Uses HashiCorp Vault
To use HashiCorp Vault for S3-compatible snapshot store credentials, you must complete two configuration tasks:
Create a key vault configuration that stores the connection and authentication details for your HashiCorp Vault server. To learn how, see Configure a Key Vault for Snapshot Stores.
Configure an S3-compatible snapshot store to use the key vault. You specify the key vault, the path to the AWS access key, and the path to the AWS secret key. Ops Manager reads the credentials from the key vault and passes them to AWS S3. To learn how, see Add One S3-Compatible Snapshot Store.
Ops Manager authenticates to HashiCorp Vault with either a token or a
JWT. Ops Manager then reads the AWS access key and secret key from the
secret paths that you specify for the snapshot store. You provide each
path in the form <secret-path>/<key>.
Credential Retrieval and Caching
Ops Manager reads the AWS access key and secret key from HashiCorp Vault and caches them in memory. Ops Manager doesn't store these credentials in the Ops Manager application database.
By default, Ops Manager refreshes a cached credential every five
minutes. To change this interval, set the
mms.keyVault.secret.cacheSoftTtlMs property.
If HashiCorp Vault is unavailable when Ops Manager refreshes a cached credential, Ops Manager keeps using the last known credential and logs the event, so existing backups continue. If no cached credential exists and Ops Manager can't reach HashiCorp Vault, the operation that needs the credential fails.
Important
Ops Manager doesn't have an alert specifically for HashiCorp Vault availability. If Vault becomes unreachable and no cached credential remains, the resulting backup failures trigger the same backup alerts that apply to any failed backup job. Configure backup alerts to receive them. To learn how, see Configure Alert Settings.
When Ops Manager validates an S3-compatible snapshot store that uses a key vault and S3
returns a 401 or 403 error, Ops Manager refreshes the credentials
from HashiCorp Vault once, then retries. If the retry also fails,
Ops Manager returns an error and the validation fails.
Security
Ops Manager protects your HashiCorp Vault authentication details as follows:
Ops Manager encrypts the Vault authentication secret at rest with the
gen.keyfile, the same method that Ops Manager uses for other integrations.Ops Manager redacts the Vault authentication secret and any custom certificate in API responses and in the Ops Manager console. Ops Manager returns
[REDACTED]instead of the stored value.
Requirements
To use HashiCorp Vault for S3-compatible snapshot store credentials, you need:
A reachable HashiCorp Vault deployment.
Vault policies, roles, and secret paths that grant Ops Manager read-only access to the AWS credentials.
Secure, reliable network connectivity between Ops Manager, the Backup Daemon, and HashiCorp Vault.
Migrate Existing Snapshot Stores to HashiCorp Vault
To switch an existing S3-compatible snapshot store from local credentials to HashiCorp Vault:
Create a key vault configuration, as described in Configure a Key Vault for Snapshot Stores.
Edit the S3-compatible snapshot store and set its credential storage location to the key vault, as described in Edit One Existing S3-Compatible Snapshot Store.