Secret Stores
Retrieves credentials for individual servers from HashiCorp Vault and uses them to authenticate a plug-in step in the deployment process.
Sometimes you need to supply user credentials in plug-in steps, for example in the start tomcat plug-in step of the Apache Tomcat plug-in. Passwords such as DB credentials are also stored as secured properties. To make deployments more secure, instead of storing these passwords in the HCL Launch database, you can now store them in HashiCorp Vault. The HCL Launch secret store lets you retrieve and use that information during deployment without ever having stored it in the database.
HCL Launch uses AppRole authentication, a Vault feature that grants a defined set of access. It uses the role-id and secret-id as the master authentication mechanism, which allows HCL Launch to obtain the passwords that the AppRole has access to. For more information about Vault AppRole, refer to the Vault documentation.
A Vault secret store is different from an HCL Launch secret store. HCL Launch can have multiple secret stores, and each secret store in HCL Launch is connected to one Vault server.
You can define an input property at any of the levels where secure passwords are allowed. For example, at the application level or the resource level, you can retrieve a password from the Vault using the following property:
${p:secret:vault:<secretStoreName>:<vaultAppRoleName>:<vaultSecretPath>:<vault-key>}
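The following is an added illustration, not code from HCL Launch or the Vault project: it parses a property reference of the shape above into its four parts, builds the AppRole login call (POST /v1/auth/approle/login with role_id and secret_id, as documented by Vault) and the read path for the secret, and picks the requested key out of a Vault read response. The assumption that the named secret store supplies the role-id and secret-id, and the KV v1 versus v2 response handling, are mine.

```python
"""Map an HCL Launch Vault property reference to Vault API calls (added illustration)."""
import re
from dataclasses import dataclass

# Reference shape from the page: ${p:secret:vault:<store>:<approle>:<path>:<key>}
REF_RE = re.compile(r"^\$\{p:secret:vault:([^:}]+):([^:}]+):([^:}]+):([^:}]+)\}$")


@dataclass(frozen=True)
class VaultRef:
    store: str    # HCL Launch secret store name (assumed to hold the AppRole ids)
    approle: str  # Vault AppRole name
    path: str     # secret path inside Vault, may contain slashes
    key: str      # key to pick out of the secret's data


def parse_ref(ref: str) -> VaultRef:
    """Split a property reference into its four parts; reject anything malformed."""
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"not a vault secret reference: {ref!r}")
    return VaultRef(*m.groups())


def approle_login_request(role_id: str, secret_id: str) -> tuple[str, dict]:
    """AppRole login: POST /v1/auth/approle/login; the response carries auth.client_token."""
    return ("/v1/auth/approle/login", {"role_id": role_id, "secret_id": secret_id})


def read_request(ref: VaultRef) -> str:
    """Read path for the secret: GET /v1/<path>, sent with the X-Vault-Token header.
    For a KV v2 mount the path already includes the '/data/' segment."""
    return "/v1/" + ref.path.strip("/")


def extract_key(response: dict, key: str) -> str:
    """Pick one key out of a read response; KV v1 puts values in 'data',
    KV v2 wraps them one level deeper in 'data.data' next to 'metadata'."""
    data = response.get("data", {})
    if isinstance(data.get("data"), dict) and "metadata" in data:  # KV v2 shape
        data = data["data"]
    if key not in data:
        raise KeyError(f"key {key!r} not present at this secret path")
    return data[key]
```

Restricting the AppRole's policy to only the paths referenced from HCL Launch keeps a leaked role-id/secret-id pair from exposing more than those secrets.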