Copy secrets from HCP Vault Radar to Vault Enterprise

7min
|
HCP
Vault

In the Correlate HCP Vault Radar findings with Vault Enterprise tutorial, you configured Vault to authenticate the Vault Radar agent deployed in your Kubernetes environment. This allows the Vault Radar agent to determine if the leaked secret is stored in your Vault Enterprise cluster.

In this tutorial, you will learn how to copy secrets found by Vault Radar scans into your Vault Enterprise cluster. Once you copy leaked secrets into your Vault cluster, you can remediate the leaked secrets in your data source and centrally manage the secrets in your Vault cluster.

Scenario

Oliver and the operations team deployed and configured the HCP Vault Radar agent in the HashiCups Kubernetes environment. The agent scans the HashiCups GitHub repositories for leaked secrets.

The CISO wants to centrally manage all secrets used by HashiCups in their HashiCorp Vault environment. In this tutorial, Oliver will configure the HCP Vault Radar agent to copy discovered secrets into their HashiCorp Vault cluster's key/value secrets engine.

If you are not familiar with Vault or Vault's secrets engines, follow the Vault foundations series of tutorials.

You will take on the role of Oliver to complete the configuration of the Vault Radar agent to copy secrets to HashiCorp Vault.

Prerequisites

Note

You must complete the Install HCP Vault Radar agent, and Correlate HCP Vault Radar findings with Vault Enterprise tutorials to have the resources available to complete this tutorial.

Complete the Install HCP Vault Radar agent tutorial.
Access to the HCP Portal with a user assigned the admin role.
Access to an HCP Vault Dedicated cluster.
Access to a GitHub account with an organization configured.
Permission to create a GitHub personal access token.
Docker installed and running.
minikube installed on your local machine.
Vault binary installed and configured in your system PATH.
ngrok installed and configured with an auth token.

Update the lab setup

Copying secrets into Vault requires the create, patch, and update capabilities on the path where you want to copy secrets to. In the correlate findings tutorial, you created a policy that allows read, and list capabilities.

The Vault Radar agent also needs the AGENT_POLL_COPY_SECRETS_JOB_ENABLED environment variable set to true.

Update the vault-radar-agent-policy Vault policy to include the required capabilities for the key/value secrets engine mounted at the path static.

$ vault policy write vault-radar-agent-policy - << EOF
path "*" {
    capabilities = ["read", "list"]
}
# HCP Vault Radar copy secrets to kv secrets engine
path "static/data/exampleapp/*" {
    capabilities = ["create", "read", "list", "patch", "update"]
}
EOF

Before you copy secrets from Vault Radar to Vault, you must mount the secrets engine at the desired path.

Update the Vault Radar agent deployment in your Kubernetes cluster to include the AGENT_POLL_COPY_SECRETS_JOB_ENABLED environment variable.
```
$ kubectl set env deployment/vault-radar-agent \
   --namespace vault-radar \
   AGENT_POLL_COPY_SECRETS_JOB_ENABLED="true"
```
The Vault Radar agent deployment will roll out new pods automatically to pick up the new environment variable.

Configure HCP Vault Radar

The Vault Radar agent now has write access to the key/value secrets engine mounted at the path static. Next, you will configure HCP Vault Radar actions to copy secrets into Vault.

Log into the HCP Portal
Click Vault Radar.
Click Settings.
Click Secret Managers.
Click the ellipses button under Actions and select Set access to read and write. Changing this setting shows the level of access that corresponds with the Vault policy you updated earlier in this tutorial.
Click Remediation.
Click the Actions tab.
Click Create actions.
Verify the URL of the HCP Vault Dedicated cluster under Existing secret manager connections.
Click Next.
On the Create actions, click Download template to download an example CSV template.
Open the CSV file and update it to match the values for your environment. The template includes the following columns:
- Resource: The URL of one or more data sources HCP Vault Radar scans for leaked secrets. For this tutorial, the value is the GitHub repository where you forked the hcp-vault-radar-foundations repository.
- Secret manager: The location of the HCP Vault Dedicated or Vault Enterprise cluster, and the namespace where Vault Radar will copy the secrets. For this tutorial, the value is the public URL of your HCP Vault Dedicated cluster.
- Secret manager location: The path of the secrets engine where Vault Radar will copy the secrets. For this tutorial, the value is:
```
kv/static/secret-path/exampleapp
```
A Resource (for example a Git repository) can only have a single path Secret manager location path.
Save the CSV file.
Click Choose File and select the completed form.
Warning
The create action upload is not additive. Uploading a new form removes and replaces earlier content with the contents of the new CSV file.
Click Upload and check content format.
When the validation completes and shows The file is validated., click Finish.

Import secrets

In the correlation tutorial, you mounted the key/value secrets engine and wrote a username and password that matched the values in the hcp-vault-radar-foundations repository. To import secrets from Vault Radar to Vault, you will update the repository with a new secret value.

Log into your GitHub account and navigate to the main.go file.
For example, https://github.com/example-org/hcp-vault-radar-foundations/blob/main/main.go.
Click the pencil icon to edit the file.
Change b3stp@stw00rd3vA! on line 12 to w0rstp@stw00rd3vA!.
Click Commit changes.
For the purposes of this tutorial, you can commit directly to the main branch. If your organization settings do not allow committing directly to main, create a branch and merge the branch into main.
Return to the HCP Portal and navigate to the HCP Vault Radar console.
Click Resources.
Click hcp-vault-radar-foundations.
Click Schedule a rescan.
Wait for the Pending Scan status to change to the current date and time.
Under Category click Secrets.
Expand the MEDIUM finding with the date and time of the commit.
Unlike the correlation tutorial, there is no managed location because the password in Vault does not match the password in the GitHub repository.
Click checkbox for the MEDIUM finding with the date and time of the commit.
Click Store in secret manager.
Enter password in the Secret Key field.
Append creds2 to the path in the Store at field to store the secret in a
Click Confirm and wait for the Storing secrets in progress dialog to complete.
Return to the terminal where you set the VAULT_ADDR environment variable.
Verify Vault Radar wrote the secret to Vault.
```
$ vault kv list static/exampleapp
Keys
----
creds
creds2
```
With the password stored in Vault, you can update your source code to retrieve the secret from Vault instead of hardcoding it, and rotate the secret to a new secure value.

Clean up

If you plan to continue with the next tutorial, leave minikube and HCP Vault Dedicated running, and do not delete the forked repository.

Delete the minikube cluster.
```
$ minikube delete
```
Stop ngrok.
Stop the Kubernetes proxy.
Delete the HCP Vault Dedicated cluster.
Delete the forked GitHub repository from your GitHub organization.
Delete the GitHub personal access token created in this tutorial.

Summary

In this tutorial, you learned how to configure the HCP Vault Radar agent to copy findings into HashiCorp Vault. You updated the Vault policy vault-radar-agent-policy with the required capabilities and updated the Vault Radar agent deployment to enable the AGENT_POLL_COPY_SECRETS_JOB_ENABLED environment variable.

Additional resources

Correlate findings with Vault

Explore tutorial library