
Vault

HashiCorp Vault is an extension of the Privileged Access Management (PAM) service that provides additional authentication methods commonly used in cloud and DevOps environments where the Secret Server SDK is not appropriate or technically feasible.

Vault use is optional; secrets are synchronized to Vault only on request. Secret Server remains the system of record: all secrets are stored there, and edits, including password changes, should be made there. After a secret Create or Edit event occurs in a synchronized folder, the secret is created or updated in the Vault KV secrets engine.

The Vault production environment is available at vault.pam.osu.edu and provides three application interfaces:

Vault UI -- https://vault.pam.osu.edu/ui/ -- can be used interactively with the Userpass authentication method to validate secret data.
Vault CLI -- set the VAULT_ADDR environment variable to https://vault.pam.osu.edu/
Vault API -- https://vault.pam.osu.edu/v1/

Authentication

All Vault clients, regardless of method, must authenticate and receive a Vault token with a 20-minute TTL. This token authenticates and authorizes every subsequent request: Vault assigns an identity and a set of policies to it, and enforces authentication as part of processing each request. A client that runs longer than the TTL must renew the token (if it is renewable) or authenticate again before it expires. In most cases Vault delegates the authentication decision, and its administration, to the configured external auth method (for example Amazon Web Services, Google Cloud Platform, Kubernetes, or Microsoft Azure).

Having multiple auth methods enables you to use a method that makes the most sense for your use case of Vault.

Currently the PAM team supports these authentication methods:

PAM-managed username and password (userpass)
Certificates via mTLS (cert auth)
AWS IAM role
Kubernetes service account (in testing)


Helpful Note:

By default, all entities are configured with the userpass and cert (mTLS) authentication methods.

To learn more about Vault Authentication, see the Vault Authentication Topic

Secret Synchronization

Secrets are synchronized to Vault after a secret Create or Edit event occurs in a target folder in Secret Server. Synchronization is enabled per folder (subfolders do not inherit it) and only on request. To request that a folder be synchronized to Vault, email pamsupport@osu.edu.

Vault Secret Access

Vault clients can access a secret after obtaining a valid Vault token issued to their Vault entity. The token carries the policies, and therefore the permissions, assigned to that entity.

Each secret synchronized from Secret Server is written to a unique path of the form /pam/data/<folder_code>/<secret_ID>, where pam is the KV secrets engine mount and data is the KV version 2 API prefix under which secret data is read and written.
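The following is an added example, not the PAM team's code, that ties the Authentication section above to the secret path just described: it logs in to the Vault API with userpass (or cert auth), tracks the 20-minute token TTL and renews before it lapses, then reads a synchronized secret at pam/data/<folder_code>/<secret_ID> and returns the KV version 2 data and metadata. It assumes the userpass and cert auth methods are mounted at their default paths (auth/userpass, auth/cert), that the issued token is renewable, and that pam/ is a KV v2 mount (implied by the data/ segment in the documented path). The HTTP transport is injectable so the flow can be exercised offline against a constructed stand-in; the folder code APP, secret ID 12345, user svc-app and all secret values in the stand-in are made up.

```python
"""Added example (not the PAM team's code): userpass/cert login and KV v2 read
against the PAM Vault. Assumes default auth mount paths and a renewable token."""
import json
import ssl
import time
import urllib.request

VAULT_ADDR = "https://vault.pam.osu.edu"  # production address from the page
TOKEN_TTL_SECONDS = 20 * 60               # documented token TTL


def urllib_transport(client_cert=None):
    """Real HTTPS transport; client_cert=(cert_pem, key_pem) enables mTLS for cert auth."""
    ctx = ssl.create_default_context()  # verifies the server against the system trust store
    if client_cert:
        ctx.load_cert_chain(*client_cert)

    def send(method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"Content-Type": "application/json", **headers})
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return json.load(resp)
    return send


class PamVaultClient:
    def __init__(self, addr=VAULT_ADDR, transport=None, client_cert=None):
        self.addr = addr.rstrip("/")
        self.send = transport or urllib_transport(client_cert)
        self.token, self.renewable, self.expires_at = None, False, 0.0

    def _call(self, method, path, body=None, authed=True):
        headers = {}
        if authed:
            if self.token is None:
                raise RuntimeError("log in before reading secrets")
            headers["X-Vault-Token"] = self.token  # token authenticates and authorizes the call
        return self.send(method, f"{self.addr}/v1/{path}", headers, body)

    def _accept(self, resp):
        auth = resp["auth"]  # login and renew-self both return an auth block
        self.token = auth["client_token"]
        self.renewable = bool(auth.get("renewable"))
        self.expires_at = time.monotonic() + auth["lease_duration"]
        return auth

    def login_userpass(self, username, password):
        return self._accept(self._call("POST", f"auth/userpass/login/{username}",
                                       {"password": password}, authed=False))

    def login_cert(self, role_name=None):
        # The client certificate is presented by the TLS layer (see urllib_transport).
        body = {"name": role_name} if role_name else {}
        return self._accept(self._call("POST", "auth/cert/login", body, authed=False))

    def keep_token_fresh(self, margin=60):
        """Renew within `margin` seconds of expiry; a non-renewable token needs a new login."""
        if self.token is None:
            raise RuntimeError("log in before reading secrets")
        if time.monotonic() + margin < self.expires_at:
            return
        if not self.renewable:
            raise RuntimeError("token expired and is not renewable; log in again")
        self._accept(self._call("POST", "auth/token/renew-self", {}))

    def read_secret(self, folder_code, secret_id):
        """GET /v1/pam/data/<folder_code>/<secret_ID>; returns (fields, metadata)."""
        self.keep_token_fresh()
        resp = self._call("GET", f"pam/data/{folder_code}/{secret_id}")
        return resp["data"]["data"], resp["data"]["metadata"]


def fake_pam_vault():
    """Constructed stand-in for the Vault API (userpass only; made-up user, token and data)."""
    issued = set()

    def auth_block(token):
        return {"auth": {"client_token": token, "lease_duration": TOKEN_TTL_SECONDS,
                         "renewable": True, "policies": ["default", "pam-APP"]}}

    def send(method, url, headers, body):
        path = url.split("/v1/", 1)[1]
        if method == "POST" and path == "auth/userpass/login/svc-app":
            if (body or {}).get("password") != "correct horse battery":
                raise PermissionError("403 permission denied")
            token = f"hvs.fake{len(issued)}"
            issued.add(token)
            return auth_block(token)
        if headers.get("X-Vault-Token") not in issued:
            raise PermissionError("403 permission denied")  # missing or unknown token
        if method == "POST" and path == "auth/token/renew-self":
            return auth_block(headers["X-Vault-Token"])
        if method == "GET" and path == "pam/data/APP/12345":
            return {"data": {"data": {"username": "app_user", "password": "sample-not-a-real-secret"},
                             "metadata": {"version": 3}}}
        raise PermissionError(f"403 permission denied on {path}")
    return send


def demo():
    """Log in with userpass, read pam/data/APP/12345, return what a caller would see."""
    client = PamVaultClient(transport=fake_pam_vault())
    auth = client.login_userpass("svc-app", "correct horse battery")
    fields, meta = client.read_secret("APP", "12345")
    return auth["policies"], fields, meta["version"]


if __name__ == "__main__":
    print(demo())
```

Against the real service, construct PamVaultClient() with no transport (and a client_cert tuple for cert auth) so urllib_transport talks to https://vault.pam.osu.edu with server certificate verification on. Note that the data/ segment belongs to the API path only: the Vault CLI inserts it itself, so the secret this code reads at /v1/pam/data/<folder_code>/<secret_ID> is the one the CLI shows for pam/<folder_code>/<secret_ID>.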