HashiCorp Cloud Platform
Copy leaked secrets into HashiCorp Vault
Vault Radar helps you identify leaked secrets in your code. You can start the remediation process by copying these secrets into a Vault.
Prerequisites
Before you begin, you need the following:
- The HCP Vault Radar agent v0.27.0 or greater is running and configured
- A HashiCorp Vault Enterprise or HCP Vault Dedicated cluster configured for the Vault Radar Agent
- A Datasource onboarded using the HCP Vault Radar agent
Resource Based Access Control (RBAC)
The copy secrets feature supports RBAC. A user can be assigned the Resource Contributor role on one or more specific Resources; when that user visits the Vault Radar portal, they can copy secrets only for the Resources they have access to.
For more information on RBAC and how to configure it, see the Configure HCP user permissions documentation.
Vault configuration
Copying secrets into Vault requires the create, patch, and update capabilities on the path where you want to copy secrets to (read and list are also needed so the agent can correlate findings with existing secrets).
The following example policy lets the Vault Radar agent copy secrets to any path under the secret mount. The first rule grants read and list on every path in the namespace, which is broad; scope it down to the mounts the agent actually needs to correlate against.
# HCP Vault Radar agent correlation policy
path "*" {
  capabilities = ["read", "list"]
}

# HCP Vault Radar copy secrets
path "secret/+/*" {
  capabilities = ["create", "read", "list", "patch", "update"]
}
Attach this policy to the Vault auth method (role or entity) that the Vault Radar agent uses to authenticate with Vault.
Configure a remediation action
Once you have the Vault Radar agent running and configured with a policy that permits writing to Vault, you can configure Vault Radar to import secrets.
Log into the HCP Portal
Click Vault Radar.
Click Settings.
Click Remediation.
Click the Actions tab
Click Create actions.

Verify your desired Vault cluster is in the list and click Next.

On the Create actions page, click Download template to download an example CSV template.

Update the CSV file to match the values for your environment. The template includes the following columns:
- Resource: The URL of a data source HCP Vault Radar scans for leaked secrets, one resource per row. See the Resource section below for the format.
- Secret manager: The location of the HCP Vault Dedicated or Vault Enterprise cluster, and the namespace where Vault Radar will copy the secrets. See the Secret manager section below.
- Secret manager location: The path of the secrets engine where Vault Radar will copy the secrets. See the Secret manager location section below.
Click Choose File and select the completed CSV file.
Click Upload and check content format.

This shows a report of any validation errors in the file. Fix the reported errors and re-upload the file.
Click Finish.
Copy secrets to secret manager
With the Vault Radar actions configured, you can begin copying secrets into Vault.
Navigate to the Events page and select one or more events you'd like to remediate.

Select the Store in secret manager button to open a flyout menu.

Populate the flyout menu with one or more key names for the selected events.
Verify the Store at location for the target secret manager. You can edit the value if you want to store the secret in a different location.

Click Confirm to start the copy operation.
The copy runs in the background. A notification banner appears at the top of the page when the operation completes successfully.
Select a remediated event to see the managed location fields. You can also view the secret in Vault to confirm it was copied to the defined path.

Resource
The Resource column expects the URI of a data source.
For git repositories, this is a URL that includes the protocol, domain, and repository:
git://<domain/path-to-repository>/<repository-name>.git
Example:
git://github.com/hashicorp/vault.git
Secret manager
The Secret manager column expects the URI of a configured secret manager, including the port and namespace:
vault://<vault-cluster-url>:8200/<namespace>
Example:
vault://vault-cluster.hashicorp.com:8200/admin
Secret manager location
The Secret manager location column expects a slash-delimited string that acts as the top-level directory for every secret copied from the Resource in the first column.
The string must have the format:
kv/<mount-path>/secret-path/<path-to-secret>
Example:
kv/secret/secret-path/secrets-for-resource
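The portal's "Upload and check content format" step reports format errors, but it cannot tell you whether the agent's Vault policy actually permits writing to the location in each row. The following pre-flight script is an added example, not HashiCorp code: it validates the three columns against the URI formats documented above and then evaluates the agent policy from the Vault configuration section against the path each row would write to. Two things are assumptions and not from this page: the CSV header names (Resource, Secret manager, Secret manager location, taken from the column descriptions), and the mapping of a `kv/<mount>/<rest>` location onto the KV v2 API path `<mount>/data/<rest>`. The policy matcher follows Vault ACL semantics (`+` matches one path segment, a trailing `*` is a prefix glob, the most specific rule wins).

```python
"""Pre-flight check for a Vault Radar copy-secrets CSV and the agent's Vault policy.

Added example, not HashiCorp code. Assumptions (not from the docs page):
  - CSV header names: Resource, Secret manager, Secret manager location
  - a "kv/<mount>/<rest>" location is written to the KV v2 path "<mount>/data/<rest>"
"""
import csv
import io
import re

REQUIRED_CAPS = {"create", "patch", "update"}  # what the page says a copy needs

# Column formats as documented: git://host/path/repo.git, vault://host:port/namespace,
# kv/<mount>/<dir>/<path> (at least four slash-separated segments).
RESOURCE_RE = re.compile(r"^git://[^/\s]+(?:/[^/\s]+)*/[^/\s]+\.git$")
SECRET_MANAGER_RE = re.compile(r"^vault://[^/:\s]+:\d{1,5}/[^/\s]+$")
LOCATION_RE = re.compile(r"^kv/[^/\s]+/[^/\s]+/[^\s]+$")

# Constructed sample policy (same shape as the one in the Vault configuration section).
POLICY = '''
path "*" {
  capabilities = ["read", "list"]
}
path "secret/+/*" {
  capabilities = ["create", "read", "list", "patch", "update"]
}
'''

# Constructed sample CSV: row 2 is valid, row 3 has two format errors,
# row 4 targets a mount the policy does not grant write access to.
SAMPLE_CSV = """Resource,Secret manager,Secret manager location
git://github.com/hashicorp/vault.git,vault://vault-cluster.hashicorp.com:8200/admin,kv/secret/secret-path/secrets-for-resource
https://github.com/example/app,vault://vault-cluster.hashicorp.com/admin,kv/secret/secret-path/app
git://github.com/example/infra.git,vault://vault-cluster.hashicorp.com:8200/admin,kv/kv-other/secret-path/infra
"""


def parse_policy(text: str) -> list[tuple[str, set[str]]]:
    """Extract (path pattern, capabilities) pairs from a simple Vault HCL policy."""
    rules = []
    pattern = r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}'
    for m in re.finditer(pattern, text):
        caps = {c.strip().strip('"') for c in m.group(2).split(",") if c.strip()}
        rules.append((m.group(1), caps))
    return rules


def path_matches(pattern: str, path: str) -> bool:
    """Vault ACL path semantics: '+' matches exactly one segment, trailing '*' is a glob."""
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    regex = "".join("[^/]+" if seg == "+" else re.escape(seg) for seg in re.split(r"(\+)", body))
    if glob:
        regex += ".*"
    return re.fullmatch(regex, path) is not None


def capabilities_for(rules: list[tuple[str, set[str]]], path: str) -> set[str]:
    """Most specific matching rule wins: an exact match, else the longest literal prefix."""
    best, best_score = set(), (-1, -1)
    for pattern, caps in rules:
        if not path_matches(pattern, path):
            continue
        literal_prefix = re.split(r"[+*]", pattern)[0]
        score = (1 if pattern == path else 0, len(literal_prefix))
        if score > best_score:
            best, best_score = caps, score
    return best


def kv2_write_path(location: str) -> str:
    """Map 'kv/<mount>/<rest>' to the KV v2 data path '<mount>/data/<rest>' (assumption)."""
    _, mount, rest = location.split("/", 2)
    return f"{mount}/data/{rest}"


def validate_csv(csv_text: str, policy_text: str) -> list[dict]:
    """Return one report entry per data row: its line number and a list of error strings."""
    rules = parse_policy(policy_text)
    report = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        resource = (row.get("Resource") or "").strip()
        manager = (row.get("Secret manager") or "").strip()
        location = (row.get("Secret manager location") or "").strip()
        errors = []
        if not RESOURCE_RE.match(resource):
            errors.append("Resource must look like git://<domain>/<path>/<repository>.git")
        if not SECRET_MANAGER_RE.match(manager):
            errors.append("Secret manager must look like vault://<cluster>:<port>/<namespace>")
        if not LOCATION_RE.match(location):
            errors.append("Secret manager location must look like kv/<mount>/<dir>/<path>")
        else:
            target = kv2_write_path(location)
            missing = REQUIRED_CAPS - capabilities_for(rules, target)
            if missing:
                errors.append(f"agent policy lacks {sorted(missing)} on {target}")
        report.append({"line": line_no, "resource": resource, "errors": errors})
    return report


if __name__ == "__main__":
    for entry in validate_csv(SAMPLE_CSV, POLICY):
        status = "ok" if not entry["errors"] else "; ".join(entry["errors"])
        print(f"line {entry['line']}: {entry['resource'] or '<empty>'}: {status}")
```

Run it against your own template and policy file before uploading. The third sample row shows the case the portal's format check will not catch: the location is well-formed, but the `secret/+/*` rule only covers the `secret` mount, so a copy into `kv-other` would fail at write time with a permission denied from Vault.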