Storing proxy credentials in HashiCorp Vault - BlueCat Cloud Resolver - 1.7.2

BlueCat Cloud Resolver Administration Guide
ft:locale
en-US
Product name
BlueCat Cloud Resolver
Version
1.7.2
When configuring Cloud Resolver to retrieve the proxy credentials from a hosted HashiCorp Vault server, you must configure the following configuration parameters:
  • CRS_VAULT_TYPE: The value must be set to hcv_approle to indicate that the vault service is provided by HashiCorp Vault.
  • CRS_HCV_BASE_URL: The URL and port of the HashiCorp Vault server. For example, if you are running the server locally, enter http://127.0.0.1:8200.
  • CRS_HCV_LOGIN_PATH: The login path of the HashiCorp Vault server. The value must be set to /v1/auth/approle/login.
  • CRS_HCV_SECRET_PATH: The path where you have stored the secrets within the HashiCorp Vault server. You can enter the path to locations where DNS Edge credentials and discovery secrets are stored.

    Cloud Resolver uses the HashiCorp Vault API to look up secrets. You must prefix paths with /v1/. For example, if secrets are stored within the secret/data/cloudresolver path, the CRS_HCV_SECRET_PATH value would be "/v1/secret/data/cloudresolver".

  • CRS_HCV_ROLE_ID: The ID of the role that you would like to use to authenticate against HashiCorp Vault. For more information, refer to https://developer.hashicorp.com/vault/api-docs/auth/approle#read-approle-role-id.
  • CRS_HCV_SECRET_ID: The secret ID generated from the role ID that is used to authenticate against HashiCorp Vault. For more information, refer to https://developer.hashicorp.com/vault/api-docs/auth/approle#generate-new-secret-id.
  • CRS_HCV_NAMESPACE (required if using HashiCorp Vault namespaces): If you are using a namespace, the value is the namespace where the user's secrets are stored in the vault. For more information, refer to https://developer.hashicorp.com/vault/docs/enterprise/namespaces.
  • CRS_VAULT_PROXY_USER_KEY: The value of the user key credential in HashiCorp Vault.
  • CRS_VAULT_PROXY_PASS_KEY: The value of the password key credential in HashiCorp Vault.

For more information about configuring key credentials, refer to https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-first-secret.

The following is an example cloud-resolver.conf file with the configuration parameters to retrieve proxy credentials stored on a local HashiCorp Vault server:
CRS_VAULT_TYPE="hcv_approle"
CRS_HCV_BASE_URL="http://127.0.0.1:8200"
CRS_HCV_LOGIN_PATH="/v1/auth/approle/login"
CRS_HCV_SECRET_PATH="/v1/secret/data/cloudresolver"
CRS_HCV_ROLE_ID="12abc3d4-5e67-fa89-0bc1-de21f93a219b"
CRS_HCV_SECRET_ID="71eef5c0-9c97-bb69-b4d5-fb21c09e876d"
CRS_VAULT_PROXY_USER_KEY="CRS_PROXY_USER"
CRS_VAULT_PROXY_PASS_KEY="CRS_PROXY_PASS"