HashiCorp Cloud Platform
Copy leaked secrets into HashiCorp Vault
Vault Radar helps you identify leaked secrets in your code. You can start the remediation process by copying these secrets into Vault. Copying does not rotate or revoke the leaked value, so treat it as the first step of remediation rather than the last.
Prerequisites
Before you begin, you need the following:
- The HCP Vault Radar agent is running and configured
- A HashiCorp Vault Enterprise or HCP Vault Dedicated cluster configured for the Vault Radar Agent
- A data source onboarded using the HCP Vault Radar agent
Note
Only Agent-based data sources are supported for this feature at this time.
Vault configuration
Copying secrets into Vault requires the create, patch, and update capabilities on the path where you want to copy secrets to.
This example policy grants the Vault Radar agent read and list on every path (used for correlation) and create, read, list, patch, and update on every path under the secret mount. With a KV v2 mount at secret/, the + segment covers the data/ and metadata/ API paths. The policy does not grant write access to any other mount; add a similar block for each mount you plan to copy secrets into, and scope the paths more tightly than this example where you can.
# HCP Vault Radar agent correlation policy
path "*" {
capabilities = ["read", "list"]
}
# HCP Vault Radar copy secrets
path "secret/+/*" {
capabilities = ["create", "read", "list", "patch", "update"]
}
Attach this policy (or add its rules to the existing one) to the Vault auth method role that the Vault Radar agent uses to authenticate to Vault.
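Before attaching the policy, it is worth checking that it actually covers the destination path the agent will write to. The following script is an added example, not code from the HCP Vault Radar documentation or from HashiCorp. It parses the example policy above and reports which of the required create, patch, and update capabilities are still missing for a given mount and secret path. Two assumptions are not stated on the page: the matcher is a simplified model of Vault's ACL precedence (an exact rule wins, otherwise the matching glob rule whose first wildcard appears latest wins; + matches one path segment, * is only valid at the end), and the destination is a KV v2 mount, so a secret at mount/path is written to the API path mount/data/path.

```python
"""Check whether a Vault policy grants the capabilities Vault Radar needs
on a destination path. Added example, not part of the HCP Vault Radar docs
or the HashiCorp code base.

Assumptions (not stated on the page):
  - Simplified model of Vault ACL precedence: exact rule wins, otherwise the
    matching glob rule whose first wildcard (+ or *) appears latest wins.
    `+` matches exactly one path segment; `*` is only valid at the end.
  - Secrets are copied into a KV v2 mount, so a write to <mount>/<path>
    hits the API path <mount>/data/<path>.
"""
import re

# The example policy from the page, embedded verbatim as sample input.
RADAR_POLICY = '''
# HCP Vault Radar agent correlation policy
path "*" {
  capabilities = ["read", "list"]
}
# HCP Vault Radar copy secrets
path "secret/+/*" {
  capabilities = ["create", "read", "list", "patch", "update"]
}
'''

REQUIRED_WRITE_CAPS = {"create", "patch", "update"}

_RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(text):
    """Parse a minimal HCL policy into [(path_pattern, {capabilities}), ...]."""
    rules = []
    for pattern, caps in _RULE_RE.findall(text):
        caps = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
        rules.append((pattern, caps))
    return rules


def _pattern_to_regex(pattern):
    """Translate a Vault path pattern into an anchored regex."""
    parts = []
    for i, ch in enumerate(pattern):
        if ch == "+":
            parts.append(r"[^/]+")          # exactly one path segment
        elif ch == "*":
            if i != len(pattern) - 1:
                raise ValueError(f"'*' is only allowed at the end: {pattern!r}")
            parts.append(r".*")             # glob: anything after this point
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def _specificity(pattern):
    """Higher sorts later: exact rules first, then later first wildcard wins."""
    first_wild = min((i for i, ch in enumerate(pattern) if ch in "+*"),
                     default=len(pattern))
    return (first_wild == len(pattern), first_wild)


def capabilities_for(rules, api_path):
    """Capability set the policy grants on api_path (simplified precedence)."""
    matches = [(p, c) for p, c in rules if _pattern_to_regex(p).match(api_path)]
    if not matches:
        return set()
    return max(matches, key=lambda pc: _specificity(pc[0]))[1]


def kv2_data_path(mount, secret_path):
    """KV v2 write path for a secret under mount (assumption: KV v2)."""
    return f"{mount.strip('/')}/data/{secret_path.strip('/')}"


def missing_write_caps(policy_text, mount, secret_path):
    """Capabilities still missing before Vault Radar can copy to mount/path."""
    granted = capabilities_for(parse_policy(policy_text),
                               kv2_data_path(mount, secret_path))
    return REQUIRED_WRITE_CAPS - granted


if __name__ == "__main__":
    # "secret" is covered by the example policy; "kv" is a second mount and is not.
    for mount, path in [("secret", "radar/github"), ("kv", "radar/github")]:
        missing = missing_write_caps(RADAR_POLICY, mount, path)
        print(f"{kv2_data_path(mount, path)}: "
              + ("ok" if not missing else f"missing {sorted(missing)}"))
```

Run it with a copy of your real policy in place of RADAR_POLICY and the mount and path you intend to use in the Store at location field; a non-empty result means the copy will fail with a permission denied error until the policy is extended.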
Configure a remediation action
Once you have the Vault Radar agent running and configured with a policy that permits writing to Vault, you can configure Vault Radar to import secrets.
Log in to the HCP Portal.
Click Vault Radar.
Click Settings.
Click Remediation.
Click the Actions tab.
Click Create actions.
Verify your desired Vault cluster is in the list and click Next.
Note
If you do not see the Vault cluster you want to use, please follow the instructions in the Configure a secret manager section.
On the Create actions page, click Download template to download an example CSV template.
Update the CSV file to match the values for your environment. The template includes the following columns:
- Resource: The URI of the data source HCP Vault Radar scans for leaked secrets. See the Resource section below for the expected format.
- Secret manager: The URI of the HCP Vault Dedicated or Vault Enterprise cluster, including the namespace, where Vault Radar will copy the secrets. See the Secret manager section below.
- Secret manager location: The path of the secrets engine where Vault Radar will copy the secrets. See the Secret manager location section below.
Note
Do not fill in the Annotation column. HCP Vault Radar uses this column to provide information to users if there is a problem with the configuration.
Click Choose File and select the completed form.
Click Upload and check content format.
Vault Radar shows a report of any validation errors in the file. Fix the reported errors and re-upload the file.
Click Finish.
Warning
The create action upload is not additive. Uploading a new form removes and replaces earlier content with the contents of the new CSV file.
Copy secrets to secret manager
With the Vault Radar actions configured, you can begin copying secrets into Vault.
Navigate to the Events page and select one or more events you'd like to remediate.
Select the Store in secret manager button to open a flyout menu.
Populate the flyout menu with one or more key names for the selected events.
Verify the Store at location for the target secret manager. You can edit the value if you want to store the secret in a different location.
Note
If you edit the Store at location, be sure the associated Vault policy allows write access to that path.
Click Confirm to start the copy operation.
The copy runs in the background. A notification banner appears at the top of the page when the operation has completed successfully.
Select a remediated event to see the managed location fields. You can also view the secret in Vault to confirm it was copied to the defined path.
Resource
The resource column expects a URI to a data source.
For git repositories, the URI must include the protocol, domain, and repository:
git://<domain/path-to-repository>/<repository-name>.git
Example:
git://github.com/hashicorp/vault.git
Secret manager
The secret manager column expects the URI of a configured secret manager, including the port and namespace.
vault://<vault-cluster-url>:8200/<namespace>
Example:
vault://vault-cluster.hashicorp.com:8200/admin
Note
This should be the same URI location shown on Remediation > Actions page.
Secret manager location
The secret manager location column expects a delimited string that acts as the top-level directory for every secret copied from the resource defined in the first column.
The string must use the format:
kv/<mount-path>/secret-path/<path-to-secret>
Note
kv/ and /secret-path/ are required delimiters.
Note
The secrets engine must already be mounted at <mount-path> before you copy secrets to Vault. The path to the secret does not have to exist. Pay attention to casing, as the path is case-sensitive.
Example:
kv/secret/secret-path/secrets-for-resource
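Because the action upload replaces everything uploaded before it, catching a malformed row locally is cheaper than re-uploading. The script below is an added example, not code from the HCP Vault Radar documentation or from HashiCorp, and it covers the CSV steps in the Configure a remediation action section as well as the three column formats documented above: Resource as git://<host>/<path>.git, Secret manager as vault://<host>:<port>/<namespace>, Secret manager location as kv/<mount-path>/secret-path/<path-to-secret>, and an empty Annotation column. It assumes the CSV header names match the column names used on this page, and it optionally takes the set of mount paths that already exist in Vault so a missing or wrongly cased mount is reported before the copy fails. The sample rows are constructed for the example.

```python
"""Validate a Vault Radar remediation-action CSV before uploading it.
Added example, not part of the HCP Vault Radar docs or any HashiCorp tool.

Assumptions (not stated on the page):
  - CSV header names are the column names the page uses: Resource,
    Secret manager, Secret manager location, Annotation.
  - Formats follow the page: git://<host>/<path>.git,
    vault://<host>:<port>/<namespace>, kv/<mount>/secret-path/<path>.
"""
import csv
import io
import re

COLUMNS = ["Resource", "Secret manager", "Secret manager location", "Annotation"]

RESOURCE_RE = re.compile(r"^git://[^/\s]+/[^\s]+\.git$")
SECRET_MANAGER_RE = re.compile(r"^vault://[^/:\s]+:\d{1,5}/[^/\s]+$")
LOCATION_RE = re.compile(r"^kv/([^/\s]+)/secret-path/([^\s]+)$")

# Constructed sample input: line 2 is valid, each later line breaks a rule.
SAMPLE_CSV = """Resource,Secret manager,Secret manager location,Annotation
git://github.com/hashicorp/vault.git,vault://vault-cluster.hashicorp.com:8200/admin,kv/secret/secret-path/secrets-for-resource,
https://github.com/hashicorp/vault,vault://vault-cluster.hashicorp.com:8200/admin,kv/secret/secret-path/x,
git://github.com/hashicorp/consul.git,vault://vault-cluster.hashicorp.com/admin,kv/secret/secret-path/x,
git://github.com/hashicorp/nomad.git,vault://vault-cluster.hashicorp.com:8200/admin,secret/secret-path/x,
git://github.com/hashicorp/boundary.git,vault://vault-cluster.hashicorp.com:8200/admin,kv/Secret/secret-path/x,do not fill in
"""


def validate_row(row):
    """Return a list of error strings for one row; an empty list means valid."""
    errors = []
    if not RESOURCE_RE.match(row.get("Resource", "")):
        errors.append("Resource must be git://<host>/<path>.git")
    if not SECRET_MANAGER_RE.match(row.get("Secret manager", "")):
        errors.append("Secret manager must be vault://<host>:<port>/<namespace>")
    if not LOCATION_RE.match(row.get("Secret manager location", "")):
        errors.append("Secret manager location must be kv/<mount>/secret-path/<path>")
    if row.get("Annotation", "").strip():
        errors.append("Annotation must be left empty; Vault Radar fills it in")
    return errors


def validate_csv(text, mounts=None):
    """Validate every row; returns {csv_line_number: [errors]} for bad rows.

    mounts: optional set of mount paths that already exist in Vault. The page
    requires the mount to exist and treats paths as case-sensitive, so a
    location whose mount is not in the set is reported as an error.
    """
    reader = csv.DictReader(io.StringIO(text))
    missing_cols = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing_cols:
        return {0: [f"missing columns: {', '.join(missing_cols)}"]}
    problems = {}
    for number, row in enumerate(reader, start=2):  # line 1 is the header
        errors = validate_row(row)
        m = LOCATION_RE.match(row.get("Secret manager location", ""))
        if m and mounts is not None and m.group(1) not in mounts:
            errors.append(f"mount {m.group(1)!r} does not exist in Vault "
                          "(mount paths are case-sensitive)")
        if errors:
            problems[number] = errors
    return problems


if __name__ == "__main__":
    for line, errs in sorted(validate_csv(SAMPLE_CSV, mounts={"secret"}).items()):
        for err in errs:
            print(f"line {line}: {err}")
```

Point validate_csv at the file you intend to upload and pass the output of vault secrets list (mount paths without the trailing slash) as mounts; only upload once it returns an empty dict, since the upload is not additive and a bad file replaces the previous configuration.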