HashiCorp Vault
Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using HashiCorp Vault. This integration fetches credentials. For more information, see Managing Credentials.
This integration was integrated and tested with version 0.11.5 of HashiCorp Vault.
Configure HashiCorp Vault on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for HashiCorp Vault.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- HashiCorps server URL (e.g., https://192.168.0.1:8200 )
- Username
- Authentication token
- Trust any certificate (not secure)
- Use system proxy settings
- Fetches credentials - If set, the integration fetches credentials from Vault into Demisto.
- CSV list of secrets engine types to fetch secrets from
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- List all secrets engines: hashicorp-list-secrets-engines
- List secrets for a KV V2 engine: hashicorp-list-secrets
- Get information for a secret: hashicorp-get-secret-metadata
- Delete data for a secret: hashicorp-delete-secret
- Undelete (restore) a secret: hashicorp-undelete-secret
- Permanently delete a secret: hashicorp-destroy-secret
- Disable a secrets engine: hashicorp-disable-engine
- Enable a new secrets engine: hashicorp-enable-engine
- List all configured policies: hashicorp-list-policies
- Get information for a policy: hashicorp-get-policy
- Seal a vault: hashicorp-seal-vault
- Unseal a vault: hashicorp-unseal-vault
- Configure a secrets engine: hashicorp-configure-engine
- Reset the engines configuration: hashicorp-reset-configuration
- Create a new authentication token: hashicorp-create-token
1. List all secrets engines
List all secrets engines that exist in HashiCorp Vault.
Base Command
hashicorp-list-secrets-engines
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
HashiCorp.Engine.Type | string | Secrets engine type |
HashiCorp.Engine.Path | string | Secrets engine path in HashiCorp |
HashiCorp.Engine.Description | string | Secrets engine description |
HashiCorp.Engine.Accessor | string | Secrets engine accessor |
Command Example
!hashicorp-list-secrets-engines
Context Example
```json
{
  "HashiCorp": {
    "Engine": [
      { "Accessor": "transit_b0c1c4aa", "Path": "transit/", "Type": "transit" },
      { "Accessor": "identity_adef7422", "Description": "identity store", "Path": "identity/", "Type": "identity" },
      { "Accessor": "aws_32f92054", "Path": "aws/", "Type": "aws" },
      { "Accessor": "kv_7d59edbc", "Path": "kv/", "Type": "kv" },
      { "Accessor": "database_04257645", "Path": "database/", "Type": "database" },
      { "Accessor": "kv_bef123ed", "Path": "test_1545739691984 /", "Type": "kv" },
      { "Accessor": "kv_80cff632", "Path": "kv2/", "Type": "kv" },
      { "Accessor": "kv_9078f614", "Path": "test_1545739444652 /", "Type": "kv" },
      { "Accessor": "system_324bc58d", "Description": "system endpoints used for control, policy and debugging", "Path": "sys/", "Type": "system" },
      { "Accessor": "kv_871d4cd3", "Description": "key/value secret storage", "Path": "secret/", "Type": "kv" },
      { "Accessor": "kv_5c21978b", "Description": "hmm", "Path": "shtut/", "Type": "kv" },
      { "Accessor": "ssh_6048cf80", "Path": "ssh/", "Type": "ssh" },
      { "Accessor": "cubbyhole_6094de88", "Description": "per-token private secret storage", "Path": "cubbyhole/", "Type": "cubbyhole" },
      { "Accessor": "totp_f0eb21f3", "Path": "totp/", "Type": "totp" },
      { "Accessor": "azure_0216cdab", "Path": "azure/", "Type": "azure" },
      { "Accessor": "kv_86acaa5f", "Path": "test_1545739510810 /", "Type": "kv" }
    ]
  }
}
```
Human Readable Output
2. List secrets for a KV V2 engine
List secrets (names) for a specified KV engine.
Base Command
hashicorp-list-secrets
Input
Argument Name | Description | Required |
---|---|---|
engine | Engine path, e.g., "secret/". Use the hashicorp-list-secrets-engines command to retrieve the engine path. | Required |
version | The version of the KV engine. | Optional |
Context Output
Path | Type | Description |
---|---|---|
HashiCorp.Secret.Path | string | Secret path |
Command Example
!hashicorp-list-secrets engine=secret/ version=2
Context Example
```json
{
  "HashiCorp": {
    "Secret": [
      { "Path": "key2" },
      { "Path": "test_secret" }
    ]
  }
}
```
Human Readable Output
3. Get information for a secret
Returns information about a specified secret in a specified KV V2 engine.
Base Command
hashicorp-get-secret-metadata
Input
Argument Name | Description | Required |
---|---|---|
engine_path | KV Engine path, e.g., "kv/" | Required |
secret_path | Secret path, e.g., "secret" | Required |
Context Output
Path | Type | Description |
---|---|---|
HashiCorp.Secret.Created | date | Secret created time |
HashiCorp.Secret.Version.Number | string | Version number |
HashiCorp.Secret.Version.Destroyed | boolean | Whether the version has been permanently destroyed |
HashiCorp.Secret.Version.Created | date | Version creation time |
HashiCorp.Secret.Version.Deleted | date | Version deletion time (empty if the version is not soft-deleted) |
HashiCorp.Secret.Updated | date | Secret last updated time |
HashiCorp.Secret.Engine | string | Secret engine type |
HashiCorp.Secret.CurrentVersion | number | Secret current version |
HashiCorp.Secret.Path | string | Secret path |
Command Example
!hashicorp-get-secret-metadata engine_path=secret/ secret_path=test_secret
Context Example
```json
{
  "HashiCorp": {
    "Secret": {
      "Created": "2018-12-23T13:36:43.441882322Z",
      "CurrentVersion": 2,
      "Engine": "secret/",
      "Path": "test_secret",
      "Updated": "2018-12-24T11:50:52.803923598Z",
      "Version": [
        { "Created": "2018-12-23T13:36:43.441882322Z", "Deleted": "", "Destroyed": true, "Number": "1" },
        { "Created": "2018-12-24T11:50:52.803923598Z", "Deleted": "", "Destroyed": false, "Number": "2" }
      ]
    }
  }
}
```
Human Readable Output
4. Delete data for a secret
Deletes the data under a specified secret given the secret path. Performs a soft delete that allows you to run the hashicorp-undelete-secret command if necessary (for KV V2 engine).
Base Command
hashicorp-delete-secret
Input
Argument Name | Description | Required |
---|---|---|
secret_path | Secret path, e.g., "secret" | Required |
engine_path | Engine path, e.g., "secret/" | Required |
versions | CSV list of secret versions to delete | Required |
Context Output
There is no context output for this command.
Command Example
!hashicorp-delete-secret engine_path=secret/ secret_path=test_secret versions=2
Human Readable Output
5. Undelete (restore) a secret
Undeletes (restores) a secret on HashiCorp (for KV V2 engine).
Base Command
hashicorp-undelete-secret
Input
Argument Name | Description | Required |
---|---|---|
secret_path | Secret path, e.g., "secret" | Required |
engine_path | Engine path, e.g., "secret/" | Required |
versions | CSV list of secret versions to undelete (restore) | Required |
Context Output
There is no context output for this command.
Command Example
!hashicorp-undelete-secret engine_path=secret/ secret_path=test_secret versions=2
Human Readable Output
6. Permanently delete a secret
Permanently deletes a secret (for KV V2 engine).
Base Command
hashicorp-destroy-secret
Input
Argument Name | Description | Required |
---|---|---|
secret_path | Secret path, e.g., "secret" | Required |
engine_path | Engine path, e.g., "secret/" | Required |
versions | CSV list of secret versions to permanently delete | Required |
Context Output
There is no context output for this command.
Command Example
!hashicorp-destroy-secret engine_path=secret/ secret_path=test_secret versions=1
Human Readable Output
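Commands 2 through 6 above all target a KV V2 mount, and each one maps to a different sub-path of that mount, which is why a wrong engine or secret path comes back as 404 Not Found. The following added example (not the integration's own code) builds those Vault API requests from the command arguments and converts a metadata response into the HashiCorp.Secret context; the sample response is constructed.

```python
from typing import Dict, List

# KV V2 mounts expose a separate sub-path per operation; requesting the bare
# "<engine>/<secret>" path (the KV V1 layout) is a common cause of 404s.
KV2_SUBPATHS = {
    "list": "metadata",      # LIST: secret names under the path
    "metadata": "metadata",  # GET:  versions and created/updated times
    "delete": "delete",      # POST: soft delete, reversible with undelete
    "undelete": "undelete",  # POST: restore soft-deleted versions
    "destroy": "destroy",    # POST: permanent removal of version data
}


def kv2_request(operation: str, engine_path: str, secret_path: str = "",
                versions: str = "") -> Dict[str, object]:
    """Build the Vault API path (plus JSON body where needed) for a KV V2 call."""
    if operation not in KV2_SUBPATHS:
        raise ValueError(f"unsupported KV V2 operation: {operation}")
    path = f"/v1/{engine_path.strip('/')}/{KV2_SUBPATHS[operation]}"
    if secret_path.strip("/"):
        path += f"/{secret_path.strip('/')}"
    method = {"list": "LIST", "metadata": "GET"}.get(operation, "POST")
    req: Dict[str, object] = {"method": method, "path": path}
    if method == "POST":
        # The commands take a CSV string; Vault expects integer version numbers.
        req["body"] = {"versions": [int(v) for v in versions.split(",") if v.strip()]}
    return req


def metadata_to_context(engine_path: str, secret_path: str, response: Dict) -> Dict:
    """Map a GET <engine>/metadata/<secret> response onto the HashiCorp.Secret context."""
    data = response["data"]
    versions: List[Dict[str, object]] = []
    for number, info in sorted(data["versions"].items(), key=lambda kv: int(kv[0])):
        versions.append({
            "Number": number,
            "Created": info.get("created_time", ""),
            "Deleted": info.get("deletion_time", ""),  # empty unless soft-deleted
            "Destroyed": bool(info.get("destroyed", False)),
        })
    return {"HashiCorp": {"Secret": {
        "Engine": engine_path, "Path": secret_path,
        "Created": data["created_time"], "Updated": data["updated_time"],
        "CurrentVersion": data["current_version"], "Version": versions}}}


# Constructed sample metadata response (field names follow the KV V2 API).
SAMPLE_METADATA = {"data": {
    "created_time": "2018-12-23T13:36:43Z", "updated_time": "2018-12-24T11:50:52Z",
    "current_version": 2,
    "versions": {
        "1": {"created_time": "2018-12-23T13:36:43Z", "deletion_time": "", "destroyed": True},
        "2": {"created_time": "2018-12-24T11:50:52Z", "deletion_time": "", "destroyed": False}},
}}
```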
7. Disable a secrets engine
When a secrets engine is no longer needed, it can be disabled. All secrets under the engine are revoked and the corresponding vault data and configurations are removed.
Base Command
hashicorp-disable-engine
Input
Argument Name | Description | Required |
---|---|---|
path | Path of the secrets engine to disable | Required |
Context Output
There is no context output for this command.
Command Example
!hashicorp-disable-engine path=engine/
Human Readable Output
8. Enable a new secrets engine
Enables a new secrets engine at the specified path.
Base Command
hashicorp-enable-engine
Input
Argument Name | Description | Required |
---|---|---|
path | The path where the secrets engine will be mounted. | Required |
type | Type of backend. For example, "aws" | Required |
description | Human-friendly description of the mount. | Optional |
default_lease_ttl | The default lease duration, specified as a string duration. For example, "5s" or "30m" | Optional |
max_lease_ttl | The maximum lease duration, specified as a string duration. For example, "5s" or "30m" | Optional |
force_no_cache | Disable caching | Optional |
audit_non_hmac_request_keys | CSV list of keys that will not be HMAC'd by audit devices in the request data object. | Optional |
audit_non_hmac_response_keys | CSV list of keys that will not be HMAC'd by audit devices in the response data object. | Optional |
listing_visibility | Whether to show this mount in the UI-specific listing endpoint; "unauth" or "hidden". Default is "hidden". | Optional |
passthrough_request_headers | CSV list of headers to whitelist and pass from the request to the backend. | Optional |
kv_version | KV version to mount. Set to "2" for mount KV V2. | Optional |
local | Specifies if the secrets engine is a local mount only. Local mounts are not replicated, nor (if a secondary) removed by replication. Supported only in Vault Enterprise. | Optional |
seal_wrap | Enable seal wrapping for the mount. Supported only in Vault Enterprise. | Optional |
Context Output
There is no context output for this command.
Command Example
!hashicorp-enable-engine path=test_path type=kv description="this is a test"
Human Readable Output
9. List all configured policies
Lists all configured policies.
Base Command
hashicorp-list-policies
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
HashiCorp.Policy.Name | string | Policy name |
Command Example
!hashicorp-list-policies
Context Example
```json
{
  "HashiCorp": {
    "Policy": [
      { "Name": "default" },
      { "Name": "root" }
    ]
  }
}
```
Human Readable Output
10. Get information for a policy
Get information for a policy.
Base Command
hashicorp-get-policy
Input
Argument Name | Description | Required |
---|---|---|
name | Policy name | Required |
Context Output
Path | Type | Description |
---|---|---|
HashiCorp.Policy.Name | string | Policy name |
HashiCorp.Policy.Rule.Path | string | Policy rule path |
HashiCorp.Policy.Rule.Capabilities | unknown | Policy rule capabilities |
Command Example
!hashicorp-get-policy name=default
Context Example
```json
{
  "HashiCorp": {
    "Policy": {
      "Name": "default",
      "Rule": [
        { "Capabilities": ["update"], "Path": "sys/control-group/request" },
        { "Capabilities": ["update"], "Path": "auth/token/renew-self" },
        { "Capabilities": ["update"], "Path": "sys/tools/hash" },
        { "Capabilities": ["update"], "Path": "auth/token/revoke-self" },
        { "Capabilities": ["read"], "Path": "sys/internal/ui/resultant-acl" },
        { "Capabilities": ["update"], "Path": "sys/wrapping/lookup" },
        { "Capabilities": ["read"], "Path": "auth/token/lookup-self" },
        { "Capabilities": ["update"], "Path": "sys/leases/renew" },
        { "Capabilities": ["read", "list", "delete"], "Path": "secret/delete/*" },
        { "Capabilities": ["update"], "Path": "sys/renew" },
        { "Capabilities": ["update"], "Path": "sys/tools/random/*" },
        { "Capabilities": ["read", "delete"], "Path": "secret" },
        { "Capabilities": ["update"], "Path": "sys/capabilities-self" },
        { "Capabilities": ["create", "read", "update", "delete", "list"], "Path": "cubbyhole/*" },
        { "Capabilities": ["read", "list"], "Path": "sys/policies" },
        { "Capabilities": ["update"], "Path": "sys/leases/lookup" },
        { "Capabilities": ["update"], "Path": "sys/tools/hash/*" },
        { "Capabilities": ["update"], "Path": "sys/wrapping/wrap" },
        { "Capabilities": ["update"], "Path": "sys/tools/random" },
        { "Capabilities": ["read"], "Path": "sys/mounts" },
        { "Capabilities": ["update"], "Path": "sys/wrapping/unwrap" },
        { "Capabilities": ["read", "list"], "Path": "sys/policy" },
        { "Capabilities": ["read", "list"], "Path": "sys/policy/*" },
        { "Capabilities": ["read", "list"], "Path": "sys/policies/*" },
        { "Capabilities": ["read", "delete"], "Path": "secret/*" }
      ]
    }
  }
}
```
Human Readable Output
11. Seal a vault
If you suspect your data has been compromised, you can seal your vault to prevent access to your secrets.
Base Command
hashicorp-seal-vault
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
Command Example
!hashicorp-seal-vault
Human Readable Output
12. Unseal a vault
Use a single master key share to unseal the vault. If the master key share threshold is met, Vault will attempt to unseal the vault. Otherwise, this command must be called repeatedly, once per share, until the threshold is met.
Base Command
hashicorp-unseal-vault
Input
Argument Name | Description | Required |
---|---|---|
key | Single master key | Optional |
reset | Reset the unseal process, discarding any key shares submitted so far | Optional |
Context Output
There is no context output for this command.
Command Example
!hashicorp-unseal-vault key=ABCD
Human Readable Output
13. Configure a secrets engine
Configure a secrets engine to fetch secrets from.
Base Command
hashicorp-configure-engine
Input
Argument Name | Description | Required |
---|---|---|
path | The engine path, e.g., "secret/" | Required |
type | The engine type, e.g., "KV" | Required |
version | The engine version (for KV engines); "1" or "2" | Optional |
Context Output
There is no context output for this command.
Command Example
!hashicorp-configure-engine path=secret/ type=KV version=2
Human Readable Output
14. Reset the engines configuration
Resets the engines configuration, i.e., clears the engines previously configured with hashicorp-configure-engine.
Base Command
hashicorp-reset-configuration
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
Command Example
!hashicorp-reset-configuration
Human Readable Output
15. Create a new authentication token
Creates a new authentication token.
Base Command
hashicorp-create-token
Input
Argument Name | Description | Required |
---|---|---|
role_name | The name of the token role. | Optional |
policies | CSV list of policies for the token. This must be a subset of the policies belonging to the token making the request, unless root. If policies are not specified, all policies of the calling token are applied to the new token. | Optional |
meta | A map of string-to-string valued metadata. This is passed through to the audit devices. | Optional |
no_parent | If true and set by a root caller, the token will not have the parent token of the caller. This creates a token with no parent. | Optional |
no_default_policy | If true the default policy will not be included in this token's policy set; "true" or "false" | Optional |
renewable | If set to false, the token cannot be renewed past its initial TTL. If set to true, the token can be renewed up to the system/mount maximum TTL. "true" or "false" | Optional |
ttl | The TTL (lease duration) period of the token, provided as "10m" or "1h", where hour is the largest suffix. If not provided, the token is valid for the default lease TTL, or indefinitely if the root policy is used. | Optional |
explicit_max_ttl | If set, the token will have an explicit max TTL applied to it. The maximum token TTL cannot be changed later, and unlike with normal tokens, updates to the system/mount max TTL value will have no effect at renewal time. The token can never be renewed or used past the value set at issue time. | Optional |
display_name | The display name of the token. | Optional |
num_uses | The maximum number of times the token can be used. Supply this argument to create a one-time-token, or limited use token. The value of 0 has no limit to the number of uses. | Optional |
period | If specified, the token will be periodic; it will not have a maximum TTL (unless an "explicit-max-ttl" is also set), but every renewal will use the given period. Requires a root/sudo token to use. | Optional |
Context Output
Path | Type | Description |
---|---|---|
HashiCorp.Auth.Token | string | Authentication token |
HashiCorp.Auth.Policy | unknown | Authentication policies |
HashiCorp.Auth.LeaseDuration | number | Authentication lease duration in seconds, 0 if indefinitely |
Command Example
!hashicorp-create-token display_name=test_token policies=default ttl=40m
Context Example
```json
{
  "HashiCorp": {
    "Auth": {
      "LeaseDuration": 2400,
      "Policy": [ "default" ],
      "Token": "84naQ9M9UsbvPdjD72eDD9Ya"
    }
  }
}
```
Human Readable Output
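To see how the arguments in the table above combine, here is an added example (not the integration's or Vault's own code) that applies the policy-subset rule and the TTL string format to a create-token request and produces the Policy and LeaseDuration values the context reports; the 768h default lease TTL is an assumed Vault server default, and the policy names are constructed.

```python
import re
from typing import List

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}  # "hour is the largest suffix"


def parse_ttl(ttl: str) -> int:
    """Parse a Vault duration string ("10m", "1h") into seconds; bare digits are seconds."""
    m = re.fullmatch(r"\s*(\d+)([smh]?)\s*", ttl)
    if not m:
        raise ValueError(f"invalid TTL: {ttl!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2) or "s"]


def plan_token(caller_policies: List[str], policies: str = "", ttl: str = "",
               explicit_max_ttl: str = "", no_default_policy: str = "false",
               default_lease_seconds: int = 768 * 3600) -> dict:
    """Return the effective policy set and lease duration Vault would assign."""
    # If policies are not specified, the new token inherits all of the caller's.
    requested = [p.strip() for p in policies.split(",") if p.strip()] or list(caller_policies)
    if "root" not in caller_policies:
        # A non-root caller may only hand out policies it already holds.
        disallowed = sorted(set(requested) - set(caller_policies))
        if disallowed:
            raise PermissionError(f"policies not held by caller: {disallowed}")
    effective = list(dict.fromkeys(requested))
    if no_default_policy.lower() != "true" and "default" not in effective:
        effective.append("default")  # Vault attaches "default" unless told not to
    if ttl:
        lease = parse_ttl(ttl)
    else:
        # No TTL: default lease, or indefinite (0) when the root policy is used.
        lease = 0 if "root" in effective else default_lease_seconds
    if explicit_max_ttl:
        # An explicit max TTL caps the lease and cannot be exceeded by renewal.
        cap = parse_ttl(explicit_max_ttl)
        lease = min(lease, cap) if lease else cap
    return {"Policy": effective, "LeaseDuration": lease}
```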
Additional Information
In order to fetch credentials from HashiCorp Vault, the relevant secrets engines must be configured with the integration so it can pull the data from them. To configure an engine with the integration, use the configure-engine command.
Known Limitations
Currently the integration is able to fetch credentials from the following engines:
- K/V Versions 1,2
- Cubbyhole
More engines will be supported in the future.
The following commands are limited to the K/V V2 engine:
- hashicorp-list-secrets
- hashicorp-get-secret-metadata
- hashicorp-delete-secret
- hashicorp-undelete-secret
- hashicorp-destroy-secret
Troubleshooting
If you receive a 404 Not Found error, make sure you specified the correct engine and secret paths. If you receive a permissions error, make sure your user is authorized to the relevant policies in HashiCorp Vault. For example, in order to view the list of secrets engines, permissions to the following path are required:
```hcl
path "sys/mounts" { capabilities = ["read"] }
```
To view all relevant paths, please refer to the Vault documentation.
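When troubleshooting a permissions error, the question is whether the policy attached to the integration's token grants the needed capability on the path the command hits. The following added example (not the integration's code) parses policy stanzas like the one above into the HashiCorp.Policy.Rule shape and answers that question using Vault's most-specific-match rule with "deny" overriding; the sample policy is constructed.

```python
import re
from typing import Dict, List

# One stanza: path "<path>" { capabilities = ["a", "b"] }
STANZA = re.compile(r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]', re.S)


def parse_policy(hcl: str) -> List[Dict[str, object]]:
    """Turn policy HCL into the HashiCorp.Policy.Rule shape (Path, Capabilities)."""
    rules: List[Dict[str, object]] = []
    for path, caps in STANZA.findall(hcl):
        capabilities = [c.strip().strip('"') for c in caps.split(",") if c.strip()]
        rules.append({"Path": path, "Capabilities": capabilities})
    return rules


def _matches(rule_path: str, request_path: str) -> bool:
    """A trailing "*" in a rule path matches any suffix; otherwise the match is exact."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return rule_path == request_path


def is_allowed(rules: List[Dict[str, object]], request_path: str, capability: str) -> bool:
    """Evaluate the policy for one request path and capability.

    Vault uses the most specific matching rule: an exact match beats a glob and
    a longer glob prefix beats a shorter one. A "deny" in that rule wins outright.
    (The built-in root policy is special-cased by Vault and not modelled here.)
    """
    matching = [r for r in rules if _matches(str(r["Path"]), request_path)]
    if not matching:
        return False  # no rule at all means no access
    best = max(matching, key=lambda r: (not str(r["Path"]).endswith("*"), len(str(r["Path"]))))
    caps = best["Capabilities"]
    return "deny" not in caps and capability in caps


# Constructed sample: a read-only policy for the integration's service token.
SAMPLE_POLICY = '''
path "sys/mounts" { capabilities = ["read"] }
path "secret/metadata/*" { capabilities = ["read", "list"] }
path "secret/metadata/prod/*" { capabilities = ["deny"] }
'''
```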