search

Obtaining key vault access credentials

The following describes how to obtain access credentials for Azure Key Vault, AWS Secrets Manager, and HashiCorp Key Vault. It comprises the following:

  1. Secret engine accessibility check

  2. Environment variables

  3. Azure Key Vault access credentials

  4. AWS Secrets Manager access credentials

  5. HashiCorp Key Vault access token

hashtag
Secret engine accessibility check

In most cases, the secret engine will be on a private network. Please ensure that the Client GW can access the secret engine if they are not in the same network.

hashtag
Environment Variables

Below is the complete list of environment variables to enable secrets engine in DDHub Client GW. Only one of its kind is needed depending on the vault of choice.

hashtag
Common Environment Variables

Key
Type
Default
Values
Description
Dependency

SECRETS_ENGINE

String

vault

vault

aws

azure

Key Vault to be used to store secrets

None

SECRET_PREFIX

String

ddhub/

Prefix to identify DDHub secrets from other secrets

None

hashtag
HashiCorp Environment Variables

circle-info

If SECRETS_ENGINE value above is vault, use the following environment variables.

Key
Type
Description
Dependency

VAULT_ENDPOINT

String

URL of the key vault service

SECRETS_ENGINE = vault

VAULT_TOKEN

String

Auth Token to be able to access endpoints of the key vault service

SECRETS_ENGINE = vault

hashtag
Azure Key Vault Environment Variables

circle-info

If SECRETS_ENGINE value above is azure, use the following environment variables.

Key
Type
Description
Dependency

AZURE_VAULT_URL

String

Vault URI for the Azure key vault resource

SECRETS_ENGINE = azure

AZURE_CLIENT_ID

String

Client ID for Azure Service Principal with access to the key vault resource

SECRETS_ENGINE = azure

AZURE_CLIENT_SECRET

String

Client Secret key for Azure Service Principal with access to the key vault resource

SECRETS_ENGINE = azure

AZURE_TENANT_ID

String

Tenant ID for Azure Service Principal

SECRETS_ENGINE = azure

hashtag
AWS Key Manager Environment Variables

circle-info

If SECRETS_ENGINE value above is aws, use the following environment variables.

Key
Type
Description
Dependency

AWS_REGION

String

Region for AWS Secrets Manager resource

SECRETS_ENGINE = aws

AWS_ACCESS_KEY_ID

String

Access Key ID of IAM user with access to the secret manager

SECRETS_ENGINE = aws

AWS_SECRET_ACCESS_KEY

String

Secret Access Key of IAM user with access to the secret manager

SECRETS_ENGINE = aws

PreviousDeploy Postgres using a Helm chartNextAzure Key Vault access credentials

Last updated