Skip to main content

HashiCorp Vault

Visualize Hashicorp Vault users and secret engines, map Vault users to employees, and monitor changes through queries and alerts.

Installation

This integration uses tokens for authentication, and you must have the proper policies for the engines you want to ingest.This integration can be used for both standalone (on-premise) Hashicorp Vault and Hashicorp Vault Cloud products.

::note JupiterOne requires userpass credentials. To use this integration, you need permission to create a user in HashiCorp Vault. :::

Configuration in HashiCorp Vault

  1. Acquire an authentication token to be used for the integration within JupiterOne. If you are using Vault Enterprise, note the provided API namespace. The namespace is optional field, though it is necessary for using the Cloud offering.
    info

    For more information on Hashicopr Vault tokens, see their documentation.

  2. Add the appropriate policies below for the secret engines you are using:

Creating a configuration requires the following:

About token/account The integration attempts to fetch token details to build the root entity/node. Therefore, the following role is needed:

`path "auth/token/lookup-self" {
    capabilities = ["read"]}`

About secret engines For the integration to be able to iterate through KV1, KV2 and Cubbyhole engines, the list capability is necessary for the paths you wish to enable.

For example, if you have KV1 enabled on path my_kv1_path, the following policy rule should be defined for the token you are using:

`path "my_kv1_path/*" {
    capabilities = ["list"]
}`

About users The integration can fetch all the users that exist in userpass authentication method. To do this, you need to make sure that userpass method of your choosing (if you have multiple) is defined in the policy assigned to the token.

For example, if you have userpass defined on path my-userpass-1/ and another userpass method defined on path my-userpass-2/ and you want the integration to fetch all of their users, the following two rules would be necessary:

# allows integration to detect this auth method
path "my-userpass-1/*" {
    capabilities = ["list"]
}

# allows integration to detect this auth method
path "my-userpass-2/*" {
    capabilities = ["list"]
}

# allows integration to access and read its users
path "auth/my-userpass-1/*" {
    capabilities = ["read", "list"]
}

# allows integration to access and read its users
path "auth/my-userpass-2/*" {
    capabilities = ["read", "list"]
}

Configuration in JupiterOne

To install the HashiCorp Vault integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select HashiCorp Vault. Click New Instance to begin configuring your integration with the following settings:

  • Account Name used to identify the HashiCorp Vault account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

  • Description to assist in identifying the integration instance, if desired.

  • Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

  • Your HashiCorp Vault Hostname, Vault Namespace, and Vault Token.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.