Obtaining key vault access credentials
The following describes how to obtain access credentials for Azure Key Vault, AWS Secrets Manager and HashiCorp Vault, and how to pass them to the DDHub Client GW. It comprises the following:
Secret engine accessibility check
In most cases the secrets engine will sit on a private network. Ensure that the Client GW can reach the secrets engine if the two are not on the same network.
Environment Variables
Below is the complete list of environment variables that enable the secrets engine in the DDHub Client GW. Only the set belonging to the chosen vault is needed, in addition to the common variables.
Common Environment Variables

| Variable | Type | Default | Allowed values | Description | Dependency |
|---|---|---|---|---|---|
| SECRETS_ENGINE | String | vault | vault, aws, azure | Key vault to be used to store secrets | None |
| SECRET_PREFIX | String | ddhub/ | | Prefix to identify DDHub secrets from other secrets | None |
HashiCorp Environment Variables

| Variable | Type | Description | Required when |
|---|---|---|---|
| VAULT_ENDPOINT | String | URL of the key vault service | SECRETS_ENGINE = vault |
| VAULT_TOKEN | String | Auth token used to access the endpoints of the key vault service | SECRETS_ENGINE = vault |
Azure Key Vault Environment Variables

| Variable | Type | Description | Required when |
|---|---|---|---|
| AZURE_VAULT_URL | String | Vault URI of the Azure Key Vault resource | SECRETS_ENGINE = azure |
| AZURE_CLIENT_ID | String | Client ID of the Azure service principal with access to the key vault resource | SECRETS_ENGINE = azure |
| AZURE_CLIENT_SECRET | String | Client secret of the Azure service principal with access to the key vault resource | SECRETS_ENGINE = azure |
| AZURE_TENANT_ID | String | Tenant ID of the Azure service principal | SECRETS_ENGINE = azure |
AWS Key Manager Environment Variables

| Variable | Type | Description | Required when |
|---|---|---|---|
| AWS_REGION | String | Region of the AWS Secrets Manager resource | SECRETS_ENGINE = aws |
| AWS_ACCESS_KEY_ID | String | Access key ID of the IAM user with access to Secrets Manager | SECRETS_ENGINE = aws |
| AWS_SECRET_ACCESS_KEY | String | Secret access key of the IAM user with access to Secrets Manager | SECRETS_ENGINE = aws |
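As an added example (not part of the DDHub documentation or the Client GW code), the following POSIX shell preflight checks that every variable required by the selected SECRETS_ENGINE is set and, for the HashiCorp engine, that the Vault endpoint is reachable from the Client GW's network before the gateway is started. The function names and the DDHUB_RUN_CHECKS guard variable are assumptions.

```shell
#!/bin/sh
# Added example: preflight for the DDHub Client GW secrets-engine variables.
# Not taken from the DDHub project; function names are assumptions.

# Return 0 when every variable required for $SECRETS_ENGINE is set and
# non-empty; report each missing variable on stderr and return 1 otherwise.
# SECRET_PREFIX is not checked because it has a documented default (ddhub/).
ddhub_check_secrets_env() {
    engine="${SECRETS_ENGINE:-vault}"   # documented default is "vault"
    case "$engine" in
        vault) required="VAULT_ENDPOINT VAULT_TOKEN" ;;
        azure) required="AZURE_VAULT_URL AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID" ;;
        aws)   required="AWS_REGION AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY" ;;
        *)     echo "SECRETS_ENGINE must be vault, aws or azure (got '$engine')" >&2
               return 1 ;;
    esac
    rc=0
    for name in $required; do
        eval "value=\${$name:-}"        # indirect lookup of the variable named in $name
        if [ -z "$value" ]; then
            echo "missing variable for SECRETS_ENGINE=$engine: $name" >&2
            rc=1
        fi
    done
    return $rc
}

# Accessibility check for the HashiCorp engine: the Client GW must be able
# to open a connection to the Vault API from its own network. /v1/sys/health
# is Vault's unauthenticated health endpoint, so no token is sent; curl
# returns non-zero only when the endpoint cannot be reached within 5 seconds.
ddhub_probe_vault() {
    curl --silent --show-error --max-time 5 -o /dev/null \
        "${VAULT_ENDPOINT%/}/v1/sys/health"
}

# Usage: set DDHUB_RUN_CHECKS=1 (assumed guard variable) to run both checks
# before launching the gateway.
if [ "${DDHUB_RUN_CHECKS:-0}" = "1" ]; then
    ddhub_check_secrets_env || exit 1
    if [ "${SECRETS_ENGINE:-vault}" = "vault" ]; then
        ddhub_probe_vault && echo "secrets engine reachable"
    fi
fi
```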