HashiCorp Cloud Platform
Correlate findings with Vault
When an HCP Vault Dedicated or Vault Enterprise cluster is connected to the Vault Radar agent, Radar can correlate its findings with the secrets stored in Vault. This lets you identify which findings correspond to live Vault secrets, and therefore which secrets you need to rotate.
Connect a Vault cluster
Before you can correlate findings with Vault, you need to deploy the Radar agent. Once the agent is deployed, configure Vault (a policy and an auth method for the agent) and connect the cluster to the agent.
Create a Vault policy
Vault Radar requires the following capabilities:
- Validate tokens (using self-lookup API)
- List and read all namespaces
- List all auth methods and mounts in each namespace
- List all secrets in a KV secrets engine mount
- Read all the versions of a secret in a KV secret engine mount
A policy that grants only the required level of access must cover every namespace and KV mount that Radar should scan. The policy below does this with the + single-segment wildcard and an assumed maximum nesting depth (two levels of namespaces, two path segments for KV mount names) rather than naming each namespace and mount; if your namespaces and mounts are deeper, add stanzas with more +/ prefixes, and if you know the exact names, list them explicitly for a tighter policy.
path "auth/token/lookup-self" {
capabilities = ["read"]
}
# Assumption: Namespaces are at most 2 levels deep
path "sys/namespaces/*" {
capabilities = ["read", "list"]
}
path "+/sys/namespaces/*" {
capabilities = ["read", "list"]
}
path "+/+/sys/namespaces/*" {
capabilities = ["read", "list"]
}
path "sys/auth" {
capabilities = ["read"]
}
path "+/sys/auth" {
capabilities = ["read"]
}
path "+/+/sys/auth" {
capabilities = ["read"]
}
path "sys/mounts" {
capabilities = ["read"]
}
path "+/sys/mounts" {
capabilities = ["read"]
}
path "+/+/sys/mounts" {
capabilities = ["read"]
}
# Assumption: KV secrets engine mount paths are at most 2 levels deep
path "+/metadata/*" {
capabilities = ["read", "list"]
}
path "+/+/metadata/*" {
capabilities = ["read", "list"]
}
path "+/+/+/metadata/*" {
capabilities = ["read", "list"]
}
path "+/+/+/+/metadata/*" {
capabilities = ["read", "list"]
}
path "+/data/*" {
capabilities = ["read"]
}
path "+/+/data/*" {
capabilities = ["read"]
}
path "+/+/+/data/*" {
capabilities = ["read"]
}
path "+/+/+/+/data/*" {
capabilities = ["read"]
}
For less restrictive environments, you can grant Vault Radar broader permissions.
The following policy grants read and list on every path, not only on the KV mounts Radar needs (other secrets engines and sys endpoints included), so use it only where that exposure is acceptable for the agent's token.
path "*" {
capabilities = ["read", "list"]
}
Agent configuration with Vault
Set up and manage a Vault cluster as an index source from the Vault Radar module in the HCP Portal. Select Settings, then Index Sources, and then select Add index source to begin.
- Select Vault and the Vault deployment type
- Provide your Vault cluster URL
- Select an auth method, fill in its details on the form, and select Next to validate the connection.
The Kubernetes authentication method enables Vault Radar to authenticate to Vault using Kubernetes service accounts. Use this method if you are running the Agent in a Kubernetes cluster.
Follow the Vault Kubernetes authentication method documentation for the full configuration; the steps below cover what Radar needs.
Configure the Kubernetes auth method with your API server address and CA certificate. Replace <your_cluster_host> and <ca_cert> with your cluster details.
vault write auth/kubernetes/config \
  kubernetes_host=https://<your_cluster_host> \
  kubernetes_ca_cert=@<ca_cert> \
  disable_local_ca_jwt=true
Bind the agent's Kubernetes service account to a Vault role that carries the policy you created above. Replace <role_name>, <service_account_name> and <namespace> with your setup details, and <vault_policy> with the name of that policy.
vault write auth/kubernetes/role/<role_name> \
  bound_service_account_names=<service_account_name> \
  bound_service_account_namespaces=<namespace> \
  policies=<vault_policy>
In the Vault Radar Agent configuration, set the Authentication Method to Kubernetes and enter the Authentication Path and Role Name where you configured the Kubernetes role.
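The policy and the Kubernetes binding described above, as an added example script that is not part of the HashiCorp documentation or the Radar agent. It generalizes the least-privilege policy to any namespace depth and KV mount depth (the page assumes 2 and 2), counts the generated stanzas so you can sanity-check the output, and, only when RADAR_APPLY=1 is set, applies the policy, configures the Kubernetes auth method, creates the role and checks the resulting token's capabilities. The policy and role name vault-radar, the service account vault-radar-agent, the Kubernetes namespace vault-radar, the K8S_HOST, K8S_CA_CERT and RADAR_TOKEN variables, the 1h token TTL and the check path secret/data/example are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not HashiCorp code: build the least-privilege Vault Radar
# policy for any namespace depth / KV mount depth, optionally apply it and
# bind a Kubernetes auth role to it. Names marked "assumed" are placeholders.
set -eu

# Print "+/" repeated $1 times (0 prints nothing). "+" matches exactly one
# path segment in Vault policies, so each repetition stands for one level of
# namespace or mount nesting.
plus_prefix() {
  local n=$1 out=""
  while [ "$n" -gt 0 ]; do
    out="${out}+/"
    n=$((n - 1))
  done
  printf '%s' "$out"
}

# Print one HCL path stanza: $1 = path, $2 = capabilities as HCL list items.
stanza() {
  printf 'path "%s" {\n  capabilities = [%s]\n}\n' "$1" "$2"
}

# radar_policy NS_DEPTH MOUNT_DEPTH
#   NS_DEPTH    deepest namespace nesting to cover (the page assumes 2)
#   MOUNT_DEPTH most path segments in a KV mount name (the page assumes 2)
# Child namespaces prefix every path, so sys/* endpoints need 0..NS_DEPTH
# "+/" prefixes; KV data/metadata paths need 1..NS_DEPTH+MOUNT_DEPTH because
# at least one segment is always the mount itself.
radar_policy() {
  local ns_depth=$1 mount_depth=$2 i
  stanza "auth/token/lookup-self" '"read"'
  i=0
  while [ "$i" -le "$ns_depth" ]; do
    stanza "$(plus_prefix "$i")sys/namespaces/*" '"read", "list"'
    stanza "$(plus_prefix "$i")sys/auth" '"read"'
    stanza "$(plus_prefix "$i")sys/mounts" '"read"'
    i=$((i + 1))
  done
  i=1
  while [ "$i" -le $((ns_depth + mount_depth)) ]; do
    stanza "$(plus_prefix "$i")metadata/*" '"read", "list"'
    stanza "$(plus_prefix "$i")data/*" '"read"'
    i=$((i + 1))
  done
}

# Number of path stanzas in the generated policy; depths 2/2 yield the 18
# stanzas of the policy shown above.
count_stanzas() {
  radar_policy "$1" "$2" | grep -c '^path '
}

# Apply only on request. Requires VAULT_ADDR and VAULT_TOKEN for an admin
# token, plus K8S_HOST, K8S_CA_CERT (file path) and RADAR_TOKEN (a token issued
# to the agent's role, used for the capability check). All names assumed.
if [ "${RADAR_APPLY:-0}" = "1" ]; then
  radar_policy "${NS_DEPTH:-2}" "${MOUNT_DEPTH:-2}" > vault-radar.hcl
  vault policy write vault-radar vault-radar.hcl
  vault auth enable kubernetes 2>/dev/null || true   # no-op if already enabled
  vault write auth/kubernetes/config \
    kubernetes_host="https://${K8S_HOST:?set K8S_HOST}" \
    kubernetes_ca_cert=@"${K8S_CA_CERT:?set K8S_CA_CERT}" \
    disable_local_ca_jwt=true
  vault write auth/kubernetes/role/vault-radar \
    bound_service_account_names=vault-radar-agent \
    bound_service_account_namespaces=vault-radar \
    token_policies=vault-radar \
    token_ttl=1h
  # Check the effective access of an agent token: a KV data path should
  # report "read", a policy-management path should report "deny".
  vault token capabilities "${RADAR_TOKEN:?set RADAR_TOKEN}" secret/data/example
  vault token capabilities "$RADAR_TOKEN" sys/policies/acl/vault-radar
fi
```

Run the script without RADAR_APPLY to review the HCL first (`radar_policy 2 2` reproduces the 18 stanzas above, and `radar_policy 3 2` adds the stanzas a third namespace level needs). The capability check at the end is the test worth keeping in your runbook: a token minted through the agent's role should show read on a KV data path and deny on anything outside the policy, such as ACL policy management.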