Secret stores

You can store user credentials in Hashicorp Vault and integrate with HCL DevOps Deploy (Deploy) to retrieve values from the Vault.

In Deploy, you store passwords, such as database credentials, as secured properties. These secured properties are kept in the Deploy database. Instead of storing the passwords in the database, you can store them in HashiCorp Vault. HashiCorp Vault is a third-party tool that stores and controls access to passwords and other secrets critical in modern computing.

The Deploy secret store enables you to retrieve user credentials during deployment without storing the passwords in the Deploy database.

Deploy supports two Vault authentication methods:
  • AppRole - A role-based authentication mechanism that grants a defined set of access. AppRole uses a RoleID and a SecretID as the master authentication mechanism, which allows Deploy to retrieve the passwords that the AppRole can access. For information about Vault AppRole, refer to the Vault AppRole auth documentation.
  • LDAP users - An LDAP-based authentication mechanism that authenticates to the Vault secret store as an LDAP user. For information about Vault LDAP, refer to the Vault LDAP auth documentation.

The Deploy secret store is different from the Vault secret store. Deploy can have multiple secret stores, and each secret store in Deploy can connect to a different Vault server.

The secret store property

At times, you may need to retrieve values from Vault and add them to a plug-in step, for example, the start tomcat step from the Apache Tomcat plug-in. After you create a Deploy secret store and add users to it, you can add an input property for Vault at any level where secure passwords are allowed, for example, at the application level or at the resource level. You can use the Vault property in an automation or source configuration plug-in step.

You can retrieve user credentials from the Vault by using the following property in a plug-in step:

${p:secret:vault:<secretStoreName>:<vaultAppRoleNameorLDAPusername>:<vaultSecretPath>:<vault-key>}
Here,
  • <secretStoreName> is the name of the Deploy secret store.
  • <vaultAppRoleNameorLDAPusername> is the Vault AppRole name or LDAP user name whose credentials are required to run the plug-in step.
  • <vaultSecretPath> is the path to the Vault secret.
  • <vault-key> is the Vault key or property.

When the process runs and reaches the step where the property is defined, it validates and authenticates the credentials against the Vault and retrieves the value.
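As an added example, not code from HCL DevOps Deploy or from HashiCorp, the following Python shows what resolving one of these references involves: splitting the reference into its four parts, logging in to Vault with the credential that the Deploy secret store holds for the named AppRole or LDAP user, reading the secret path, and picking out the key. The secret store registry, the transport callable and the in-memory fake Vault are constructed for this example; the login and read endpoints are Vault's real HTTP API. It assumes that <vaultSecretPath> is the API path under /v1/ (for example secret/data/tomcat on a KV v2 mount), which the page does not state.

```python
"""Parse and resolve Deploy-style Vault property references (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# ${p:secret:vault:<secretStoreName>:<vaultAppRoleNameorLDAPusername>:<vaultSecretPath>:<vault-key>}
_REF = re.compile(
    r"^\$\{p:secret:vault:(?P<store>[^:}]+):(?P<principal>[^:}]+)"
    r":(?P<path>[^:}]+):(?P<key>[^:}]+)\}$"
)

# (method, api_path, json_body, vault_token) -> decoded JSON response
Transport = Callable[[str, str, Optional[dict], Optional[str]], dict]


@dataclass(frozen=True)
class VaultRef:
    store: str       # Deploy secret store name
    principal: str   # AppRole name or LDAP user name
    path: str        # Vault secret path
    key: str         # key inside the secret


@dataclass
class StoreCredential:
    method: str             # "approle" or "ldap" (assumed shape of a store entry)
    secret: Dict[str, str]  # {"role_id", "secret_id"} or {"password"}


def parse_vault_reference(ref: str) -> VaultRef:
    """Split a property reference into its four parts; reject anything malformed."""
    m = _REF.match(ref.strip())
    if not m:
        raise ValueError(f"malformed Vault property reference: {ref!r}")
    return VaultRef(**m.groupdict())


def vault_login(transport: Transport, principal: str, cred: StoreCredential) -> str:
    """Authenticate with the method the secret store holds for this principal."""
    if cred.method == "approle":
        resp = transport("POST", "/v1/auth/approle/login",
                         {"role_id": cred.secret["role_id"],
                          "secret_id": cred.secret["secret_id"]}, None)
    elif cred.method == "ldap":
        resp = transport("POST", f"/v1/auth/ldap/login/{principal}",
                         {"password": cred.secret["password"]}, None)
    else:
        raise ValueError(f"unsupported auth method {cred.method!r}")
    return resp["auth"]["client_token"]


def resolve(ref: str, stores: dict, transport: Transport) -> str:
    """Resolve one ${p:secret:vault:...} reference to the value of its key."""
    r = parse_vault_reference(ref)
    store = stores.get(r.store)
    if store is None:
        raise KeyError(f"unknown Deploy secret store {r.store!r}")
    cred = store["principals"].get(r.principal)
    if cred is None:
        raise KeyError(f"principal {r.principal!r} not configured in store {r.store!r}")
    token = vault_login(transport, r.principal, cred)
    data = transport("GET", f"/v1/{r.path}", None, token)["data"]
    if isinstance(data.get("data"), dict):  # KV v2 nests the fields under data.data
        data = data["data"]
    if r.key not in data:
        raise KeyError(f"key {r.key!r} not present in secret {r.path!r}")
    return data[r.key]


# --- constructed fixtures so the example runs offline -----------------------
EXAMPLE_STORES = {
    "prod-vault": {
        "address": "https://vault.example.internal:8200",  # constructed
        "principals": {
            "deploy-role": StoreCredential("approle", {"role_id": "role-123", "secret_id": "sec-456"}),
            "jdoe": StoreCredential("ldap", {"password": "ldap-pass"}),
        },
    }
}

_TOKENS = {"hvs.approle-example", "hvs.ldap-example"}


def fake_vault_transport(method: str, path: str, body: Optional[dict], token: Optional[str]) -> dict:
    """In-memory stand-in for Vault's HTTP API, returning Vault's real response shapes."""
    if method == "POST" and path == "/v1/auth/approle/login":
        if body == {"role_id": "role-123", "secret_id": "sec-456"}:
            return {"auth": {"client_token": "hvs.approle-example"}}
        raise PermissionError("AppRole login denied")
    if method == "POST" and path == "/v1/auth/ldap/login/jdoe":
        if body == {"password": "ldap-pass"}:
            return {"auth": {"client_token": "hvs.ldap-example"}}
        raise PermissionError("LDAP login denied")
    if method == "GET" and token not in _TOKENS:
        raise PermissionError("missing or invalid Vault token")
    if method == "GET" and path == "/v1/secret/data/tomcat":  # KV v2 response
        return {"data": {"data": {"password": "t0mc4t-example"}, "metadata": {"version": 1}}}
    if method == "GET" and path == "/v1/kv/db":  # KV v1 response
        return {"data": {"username": "app", "password": "db-example"}}
    raise FileNotFoundError(path)


if __name__ == "__main__":
    print(resolve("${p:secret:vault:prod-vault:deploy-role:secret/data/tomcat:password}",
                  EXAMPLE_STORES, fake_vault_transport))
```

The four checks in resolve (known store, configured principal, successful login, key present) are the ones that fail a step at the point where the property is evaluated; the value only exists in memory for the duration of the step and is never written to the Deploy database.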