HashiCorp Cloud Platform
Correlate findings with Vault
When an HCP Vault Dedicated or Vault Enterprise cluster is connected to the Vault Radar agent, Radar findings can be correlated with the secrets stored in Vault. This lets you identify which secrets need to be rotated.
Connect a Vault cluster
Before you can correlate findings with Vault, you need to deploy the Radar agent. Once the agent is deployed, you can configure Vault and connect it to the agent.
Create a Vault policy
Vault Radar requires the following capabilities:
- Validate tokens (using self-lookup API)
- List and read all namespaces
- List all auth methods and mounts in each namespace
- List all secrets in a KV secrets engine mount
- Read all the versions of a secret in a KV secret engine mount
A policy granting just the required level of access requires explicitly specifying the namespaces and KV mounts.
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
# Assumption: namespaces are at most 2 levels deep
path "sys/namespaces/*" {
  capabilities = ["read", "list"]
}
path "+/sys/namespaces/*" {
  capabilities = ["read", "list"]
}
path "+/+/sys/namespaces/*" {
  capabilities = ["read", "list"]
}
path "sys/auth" {
  capabilities = ["read"]
}
path "+/sys/auth" {
  capabilities = ["read"]
}
path "+/+/sys/auth" {
  capabilities = ["read"]
}
path "sys/mounts" {
  capabilities = ["read"]
}
path "+/sys/mounts" {
  capabilities = ["read"]
}
path "+/+/sys/mounts" {
  capabilities = ["read"]
}
# Assumption: KV secret engine mounts are at most 2 levels deep
path "+/metadata/*" {
  capabilities = ["read", "list"]
}
path "+/+/metadata/*" {
  capabilities = ["read", "list"]
}
path "+/+/+/metadata/*" {
  capabilities = ["read", "list"]
}
path "+/+/+/+/metadata/*" {
  capabilities = ["read", "list"]
}
path "+/data/*" {
  capabilities = ["read"]
}
path "+/+/data/*" {
  capabilities = ["read"]
}
path "+/+/+/data/*" {
  capabilities = ["read"]
}
path "+/+/+/+/data/*" {
  capabilities = ["read"]
}
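The policy above hard-codes its two depth assumptions as repeated `+` segments, so a namespace or mount nested one level deeper than expected silently falls outside the policy and Radar cannot read it. The following Python script is an added example (not HashiCorp's code) that generalizes the page's policy: `radar_policy` regenerates the same 18 stanzas for the default depths and extends them for deeper trees, and `matching_rules` checks which stanzas cover a concrete secret path before you install the policy. Function names are hypothetical, and the glob semantics in `path_matches` (a `+` segment matches exactly one path segment, a trailing `*` matches any remainder) are assumed from Vault's documented ACL syntax.

```python
"""Generate and inspect a least-privilege Vault Radar policy for a chosen
namespace / KV mount depth. Added example; not HashiCorp's code."""
import re
from typing import List, Set, Tuple


def _rule(path: str, caps: List[str]) -> str:
    """Render one HCL path stanza in the style used by the policy above."""
    caps_str = ", ".join(f'"{c}"' for c in caps)
    return f'path "{path}" {{\n  capabilities = [{caps_str}]\n}}'


def radar_policy(namespace_depth: int = 2, mount_depth: int = 2) -> str:
    """Emit the policy for namespaces nested up to `namespace_depth` levels and
    KV mounts nested up to `mount_depth` segments. The defaults (2/2) reproduce
    the policy shown on the page."""
    ns_prefixes = ["+/" * d for d in range(namespace_depth + 1)]
    # A KV path has 1..mount_depth mount segments under 0..namespace_depth
    # namespace segments, so the total number of leading '+' segments varies
    # from 1 to namespace_depth + mount_depth.
    kv_prefixes = ["+/" * d for d in range(1, namespace_depth + mount_depth + 1)]

    rules = [_rule("auth/token/lookup-self", ["read"])]
    rules.append(f"# Assumption: namespaces are at most {namespace_depth} levels deep")
    rules += [_rule(f"{p}sys/namespaces/*", ["read", "list"]) for p in ns_prefixes]
    rules += [_rule(f"{p}sys/auth", ["read"]) for p in ns_prefixes]
    rules += [_rule(f"{p}sys/mounts", ["read"]) for p in ns_prefixes]
    rules.append(f"# Assumption: KV secret engine mounts are at most {mount_depth} levels deep")
    rules += [_rule(f"{p}metadata/*", ["read", "list"]) for p in kv_prefixes]
    rules += [_rule(f"{p}data/*", ["read"]) for p in kv_prefixes]
    return "\n".join(rules) + "\n"


def parse_policy(policy: str) -> List[Tuple[str, Set[str]]]:
    """Minimal parser for `path "..." { capabilities = [...] }` stanzas."""
    rules, current = [], None
    for raw in policy.splitlines():
        line = raw.strip()
        if line.startswith("path "):
            current = line.split('"')[1]
        elif line.startswith("capabilities") and current is not None:
            rules.append((current, set(re.findall(r'"([^"]+)"', line))))
            current = None
    return rules


def path_matches(pattern: str, path: str) -> bool:
    """Assumed Vault ACL glob semantics: a '+' segment matches exactly one
    path segment; a trailing '*' matches any remainder, including ''."""
    parts = []
    for seg in pattern.split("/"):
        if seg == "+":
            parts.append("[^/]+")
        elif seg.endswith("*"):
            parts.append(re.escape(seg[:-1]) + ".*")
        else:
            parts.append(re.escape(seg))
    return re.fullmatch("/".join(parts), path) is not None


def matching_rules(policy: str, path: str) -> List[Tuple[str, Set[str]]]:
    """Every stanza whose glob matches `path`, with its capabilities. Vault
    itself applies only the most specific matching stanza; listing all matches
    is enough to see whether a path is covered at all."""
    return [(pat, caps) for pat, caps in parse_policy(policy) if path_matches(pat, path)]


if __name__ == "__main__":
    policy = radar_policy()
    print(policy)
    # Constructed probe paths: a namespace listing, a KV v2 secret one namespace
    # deep, and a secret whose nesting exceeds the policy's depth assumption.
    for probe in ("sys/namespaces/", "team/secret/data/app/db", "a/b/c/d/e/data/db"):
        print(probe, "->", matching_rules(policy, probe) or "NOT COVERED")
```

Run the script with no arguments to print the default policy and the coverage of the three probe paths; the last probe is reported as not covered until the policy is regenerated with `namespace_depth=3`. Because `+` never spans a `/`, the depth assumption is really a bound on the total number of segments before `data/` or `metadata/`, which is the number to check against your actual namespace and mount layout.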
For less restrictive environments, you can grant Vault Radar broader permissions. The following simple policy grants Vault Radar read and list access to every path in your Vault cluster.
path "*" {
  capabilities = ["read", "list"]
}
Agent configuration with Vault
A Vault cluster can be set up and managed from the Vault Radar module in the HCP Portal. Select Settings, then Index Sources, and then select Add index source to begin.
- Select Vault and the Vault deployment type
- Provide your Vault cluster URL
- Select auth method and fill in details on the form, and select Next to validate the connection.
The Kubernetes authentication method enables Vault Radar to authenticate to Vault using Kubernetes service accounts. Use this method if you are running the Agent in a Kubernetes cluster.
- Follow the Vault Kubernetes authentication method documentation.
- Replace <your_cluster_host> and <ca_cert> with your cluster details:
vault write auth/kubernetes/config \
    kubernetes_host=https://<your_cluster_host> \
    kubernetes_ca_cert=@<ca_cert> \
    disable_local_ca_jwt=true
- Bind Kubernetes service accounts to Vault roles. Replace <role_name>, <service_account_name> and <namespace> with your setup details, and <vault_policy> with the name of the policy you created above:
vault write auth/kubernetes/role/<role_name> \
    bound_service_account_names=<service_account_name> \
    bound_service_account_namespaces=<namespace> \
    policies=<vault_policy>
- In the Vault Radar Agent configuration, set the Authentication Method to Kubernetes and provide the Authentication Path and Role Name where the Kubernetes role is configured.