HashiCorp Cloud Platform
Copy secrets from HCP Vault Radar to Vault Enterprise
In the Correlate HCP Vault Radar findings with Vault Enterprise tutorial, you configured Vault to authenticate the Vault Radar agent deployed in your Kubernetes environment. This allows the Vault Radar agent to determine if the leaked secret is stored in your Vault Enterprise cluster.
In this tutorial, you will learn how to copy secrets found by Vault Radar scans into your Vault Enterprise cluster. Once you copy leaked secrets into your Vault cluster, you can remediate the leaked secrets in your data source and centrally manage the secrets in your Vault cluster.
Scenario
Oliver and the operations team deployed and configured the HCP Vault Radar agent in the HashiCups Kubernetes environment. The agent scans the HashiCups GitHub repositories for leaked secrets.
The CISO wants to centrally manage all secrets used by HashiCups in their HashiCorp Vault environment. In this tutorial, Oliver will configure the HCP Vault Radar agent to copy discovered secrets into their HashiCorp Vault cluster's key/value secrets engine.
If you are not familiar with Vault or Vault's secrets engines, follow the Vault foundations series of tutorials.
You will take on the role of Oliver to complete the configuration of the Vault Radar agent to copy secrets to HashiCorp Vault.
Prerequisites
Note
You must complete the Install HCP Vault Radar agent, and Correlate HCP Vault Radar findings with Vault Enterprise tutorials to have the resources available to complete this tutorial.
- Complete the Install HCP Vault Radar agent tutorial.
- Access to the HCP Portal with a user assigned the admin role.
- Access to an HCP Vault Dedicated cluster.
- Access to a GitHub account with an organization configured.
- Permission to create a GitHub personal access token.
- Docker installed and running.
- minikube installed on your local machine.
- Vault binary installed and configured in your system PATH.
- ngrok installed and configured with an auth token.
Update the lab setup
Copying secrets into Vault requires the create, patch, and update capabilities on the path where you want to copy secrets to. In the correlate findings tutorial, you created a policy that allows only the read and list capabilities.
The Vault Radar agent also needs the AGENT_POLL_COPY_SECRETS_JOB_ENABLED environment variable set to true.
Update the vault-radar-agent-policy Vault policy to include the required capabilities for the key/value secrets engine mounted at the path static.
$ vault policy write vault-radar-agent-policy - << EOF
path "*" {
  capabilities = ["read", "list"]
}

# HCP Vault Radar copy secrets to kv secrets engine
path "static/data/exampleapp/*" {
  capabilities = ["create", "read", "list", "patch", "update"]
}
EOF
Before you copy secrets from Vault Radar to Vault, you must mount the secrets engine at the desired path.
Update the Vault Radar agent deployment in your Kubernetes cluster to include the AGENT_POLL_COPY_SECRETS_JOB_ENABLED environment variable.
$ kubectl set env deployment/vault-radar-agent \
    --namespace vault-radar \
    AGENT_POLL_COPY_SECRETS_JOB_ENABLED="true"
The Vault Radar agent deployment will roll out new pods automatically to pick up the new environment variable.
Configure HCP Vault Radar
The Vault Radar agent now has write access to the key/value secrets engine mounted at the path static. Next, you will configure HCP Vault Radar actions to copy secrets into Vault.
Log into the HCP Portal
Click Vault Radar.
Click Settings.
Click Secret Managers.
Click the ellipses button under Actions and select Set access to read and write. Changing this setting shows the level of access that corresponds with the Vault policy you updated earlier in this tutorial.
Click Remediation.
Click the Actions tab.
Click Create actions.
Verify the URL of the HCP Vault Dedicated cluster under Existing secret manager connections.
Click Next.
On the Create actions page, click Download template to download an example CSV template.
Open the CSV file and update it to match the values for your environment. The template includes the following columns:
- Resource: The URL of one or more data sources HCP Vault Radar scans for leaked secrets. For this tutorial, the value is the GitHub repository where you forked the hcp-vault-radar-foundations repository.
- Secret manager: The location of the HCP Vault Dedicated or Vault Enterprise cluster, and the namespace where Vault Radar will copy the secrets. For this tutorial, the value is the public URL of your HCP Vault Dedicated cluster.
- Secret manager location: The path of the secrets engine where Vault Radar will copy the secrets. For this tutorial, the value is: kv/static/secret-path/exampleapp
A Resource (for example, a Git repository) can have only a single Secret manager location path.
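As an added example (not part of the HashiCorp tutorial), here is a small Python validator for the actions CSV that checks the three columns listed above and enforces the rule that each Resource maps to a single Secret manager location. The exact column headers, the kv/<mount>/secret-path/<path> layout (inferred from the tutorial's single example value) and the sample URLs are assumptions.

```python
import csv
import io
from collections import defaultdict

# Assumed column headers; the real template comes from Download template
# in the HCP Portal and may name them differently.
REQUIRED_COLUMNS = ("Resource", "Secret manager", "Secret manager location")


def validate_actions_csv(text):
    """Return a list of problems found in a copy-secrets actions CSV.

    Checks: required columns present, no empty cells, the location looks
    like kv/<mount>/secret-path/<path> (assumed from the tutorial example),
    and each Resource maps to exactly one Secret manager location.
    """
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [f"missing columns: {', '.join(missing)}"]
    locations = defaultdict(set)
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        for col in REQUIRED_COLUMNS:
            if not (row.get(col) or "").strip():
                problems.append(f"line {n}: empty {col}")
        loc = (row.get("Secret manager location") or "").strip()
        parts = loc.split("/")
        if loc and (len(parts) < 4 or parts[0] != "kv" or parts[2] != "secret-path"):
            problems.append(f"line {n}: location {loc!r} is not kv/<mount>/secret-path/<path>")
        if loc:
            locations[(row.get("Resource") or "").strip()].add(loc)
    for resource, locs in locations.items():
        if len(locs) > 1:
            problems.append(f"resource {resource} has {len(locs)} locations; only one is allowed")
    return problems


# Constructed sample: the second repository wrongly points at two paths.
SAMPLE = """Resource,Secret manager,Secret manager location
https://github.com/example-org/hcp-vault-radar-foundations,https://vault-cluster.example.hashicorp.cloud:8200,kv/static/secret-path/exampleapp
https://github.com/example-org/other-repo,https://vault-cluster.example.hashicorp.cloud:8200,kv/static/secret-path/other
https://github.com/example-org/other-repo,https://vault-cluster.example.hashicorp.cloud:8200,kv/static/secret-path/other2
"""

if __name__ == "__main__":
    for problem in validate_actions_csv(SAMPLE):
        print(problem)
```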
Save the CSV file.
Click Choose File and select the completed form.
Warning
The create action upload is not additive. Uploading a new form removes and replaces earlier content with the contents of the new CSV file.
Click Upload and check content format.
When the validation completes and shows The file is validated., click Finish.
Import secrets
In the correlation tutorial, you mounted the key/value secrets engine and wrote a username and password that matched the values in the hcp-vault-radar-foundations repository. To import secrets from Vault Radar to Vault, you will update the repository with a new secret value.
Log into your GitHub account and navigate to the main.go file. For example, https://github.com/example-org/hcp-vault-radar-foundations/blob/main/main.go.
Click the pencil icon to edit the file.
Change b3stp@stw00rd3vA! on line 12 to w0rstp@stw00rd3vA!.
Click Commit changes.
For the purposes of this tutorial, you can commit directly to the main branch. If your organization settings do not allow committing directly to main, create a branch and merge the branch into main.
Return to the HCP Portal and navigate to the HCP Vault Radar console.
Click Resources.
Click hcp-vault-radar-foundations.
Click Schedule a rescan.
Wait for the Pending Scan status to change to the current date and time.
Under Category click Secrets.
Expand the MEDIUM finding with the date and time of the commit.
Unlike the correlation tutorial, there is no managed location because the password in Vault does not match the password in the GitHub repository.
Click the checkbox for the MEDIUM finding with the date and time of the commit.
Click Store in secret manager.
Enter password in the Secret Key field.
Append creds2 to the path in the Store at field to store the secret in a
Click Confirm and wait for the Storing secrets in progress dialog to complete.
Return to the terminal where you set the VAULT_ADDR environment variable.
Verify Vault Radar wrote the secret to Vault.
$ vault kv list static/exampleapp
Keys
----
creds
creds2
With the password stored in Vault, you can update your source code to retrieve the secret from Vault instead of hardcoding it, and rotate the secret to a new secure value.
Clean up
If you plan to continue with the next tutorial, leave minikube and HCP Vault Dedicated running, and do not delete the forked repository.
Delete the minikube cluster.
$ minikube delete
Stop ngrok.
Stop the Kubernetes proxy.
Delete the HCP Vault Dedicated cluster.
Delete the forked GitHub repository from your GitHub organization.
Delete the GitHub personal access token created in this tutorial.
Summary
In this tutorial, you learned how to configure the HCP Vault Radar agent to copy findings into HashiCorp Vault. You updated the Vault policy vault-radar-agent-policy with the required capabilities and updated the Vault Radar agent deployment to enable the AGENT_POLL_COPY_SECRETS_JOB_ENABLED environment variable.