Save 10-15% Register for HashiConf and save big when you buy 2+ tickets Get your passes
Vault
Vault Home

Cassandra configuration for Vault backend storage

The Cassandra storage backend is used to persist Vault's data in an Apache Cassandra cluster.

  • No High Availability – the Cassandra storage backend does not support high availability.

  • Community Supported – the Cassandra storage backend is supported by the community. While it has undergone review by HashiCorp employees, they may not be as knowledgeable about the technology. If you encounter problems with it, you may be referred to the original author.

storage "cassandra" {
  hosts            = "localhost"
  consistency      = "LOCAL_QUORUM"
  protocol_version = 3
}

The Cassandra storage backend does not automatically create the keyspace and table. This sample configuration can be used as a guide, but you will want to ensure the keyspace replication options are appropriate for your cluster:

CREATE KEYSPACE "vault" WITH REPLICATION = {
    'class': 'SimpleStrategy',
    'replication_factor': 1
};

CREATE TABLE "vault"."entries" (
    bucket text,
    key text,
    value blob,
    PRIMARY KEY (bucket, key)
) WITH CLUSTERING ORDER BY (key ASC);

cassandra parameters

  • hosts (string: "127.0.0.1") – Comma-separated list of Cassandra hosts to connect to.

  • keyspace (string: "vault") Cassandra keyspace to use.

  • table (string: "entries") – Table within the keyspace in which to store data.

  • consistency (string: "LOCAL_QUORUM") Consistency level to use when reading/writing data. If set, must be one of "ANY", "ONE", "TWO", "THREE", "QUORUM", "ALL", "LOCAL_QUORUM", "EACH_QUORUM", or "LOCAL_ONE".

  • protocol_version (int: 2) Cassandra protocol version to use.

  • username (string: "") – Username to use when authenticating with the Cassandra hosts.

  • password (string: "") – Password to use when authenticating with the Cassandra hosts.

  • disable_initial_host_lookup (bool: false) - If set to true, Vault will not attempt to get host info from the system.peers table. It will instead connect to hosts supplied and will not attempt to look up the host information. This will mean that data_centre, rack and token information will not be available and as such host filtering and token aware query routing will not be available.

  • initial_connection_timeout (int: 0) - A timeout in seconds to wait until an initial connection is established with the Cassandra hosts. If not set, default value from Cassandra driver(gocql) will be used - 600ms

  • connection_timeout (int: 0) - A timeout in seconds for each query. If not set, default value from Cassandra driver(gocql) will be used - 600ms

  • simple_retry_policy_retries (int: 0) - Useful for Cassandra cluster with several nodes. If current master node is down request will be retried on the next node simple_retry_policy_retries times, and the client won't get an error.

  • tls (int: 0) – If 1, indicates the connection with the Cassandra hosts should use TLS.

  • pem_bundle_file (string: "") - Specifies a file containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.

  • pem_json_file (string: "") - Specifies a JSON file containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.

  • tls_skip_verify (int: 0) - If 1, then TLS host verification will be disabled for Cassandra. Defaults to 0.

  • tls_min_version (string: "tls12") - Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

Edit this page on GitHub