Dynamic Secrets

Configuring Dynamic Secrets with HashiCorp Vault Proxy

Prerequisites

Create a dynamic secret producer according to the documentation here.

Configuring HashiCorp Vault Proxy

  1. Set the Akeyless Vault URL in the VAULT_ADDR environment variable:
export VAULT_ADDR=https://hvp.akeyless.io
  2. Configure the authentication token that the Vault CLI will use to fetch secrets from Akeyless Vault.
    Set your Akeyless token in ~/.vault-token
    Supported tokens:
    (a) Permanent token in the following structure: Access-ID+".."+Access-Key, for example:
p-XXXXX..XXXXXXXXXXX

    (b) Akeyless temporary API token, read more here (this is the recommended and more secure method). For token rotation, please read more here.
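
One way to carry out the token step above with owner-only file permissions, and to check whether ~/.vault-token still holds a permanent Access-ID..Access-Key credential instead of the recommended temporary token. This is an added example, not Akeyless or HashiCorp code; the function names and the rule that only permanent tokens contain ".." are assumptions.

```bash
# Added example (not from the Akeyless docs). Function names are hypothetical.

# Store a token for the Vault CLI with owner-only permissions.
# The token is read from stdin so it never appears in argv or shell history.
write_vault_token() {
    local file="${1:-$HOME/.vault-token}" token tmp
    IFS= read -r token || [ -n "$token" ] || return 1
    [ -n "$token" ] || return 1
    # mktemp creates the file 0600; mv within one directory replaces atomically.
    tmp="$(umask 077; mktemp "${file}.XXXXXX")" || return 1
    printf '%s' "$token" > "$tmp" && mv -f "$tmp" "$file"
}

# Audit the token file. Prints one of: missing | too-open | permanent | ok
audit_vault_token() {
    local file="${1:-$HOME/.vault-token}" mode token
    [ -f "$file" ] || { echo missing; return 1; }
    # Characters 5-10 of `ls -ld` output are the group and other permission bits.
    mode="$(ls -ld "$file" | cut -c5-10)"
    [ "$mode" = "------" ] || { echo too-open; return 2; }
    token="$(cat "$file")"
    # Assumption: only the permanent form has ".." between two non-empty parts
    # (Access-ID + ".." + Access-Key, as described on this page).
    case "$token" in
        ?*..?*) echo permanent; return 3 ;;
    esac
    echo ok
}
```

Pipe the token into write_vault_token on stdin, then run audit_vault_token from a login script or CI step and treat any result other than ok as a finding.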

Get dynamic secret with Vault CLI

vault read {producer-type}/creds/{full/path/to/producer-name}

Supported producer types:

"*"
"db"
"mysql"
"mssql"
"mongodb"
"rdp"
"rabbitmq"
"chef"
"aws"

Example:

vault read */creds/prod/ds-db1
vault read db/creds/prod/ds-db1
vault read mysql/creds/prod/ds-db1

Key                Value
---                -----
lease_id           */creds/prod/ds-db1/vTyDFRr5m01gVaNBYsokIRop
lease_duration     768h
lease_renewable    true
password           of6B6IY/~+i$$Z80
username           tmp.rnnds.hOKbRAqI5j

vault read */creds/my-aws-producer
vault read aws/creds/my-aws-producer

Key                  Value
---                  -----
lease_id             */creds/my-aws-producer/25F5E8gupyoi2dQIynoM9nff
lease_duration       768h
lease_renewable      true
access_key_id        AKIA6IR7NIGBGGDIWW7I
secret_access_key    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
username             tmp.JJRXoSsvDuj1Dp

Working with static secrets

Create/update secret

Creates a new static secret in Akeyless Vault. If the secret already exists, a new version is added for it.

Usage:
vault kv put secret/{secret-name} {my-key}={my-value}

Get secret

Retrieves the secret value from Akeyless Vault.

vault kv get secret/{secret-name}

Info

The optional -version flag retrieves a specific version of the secret, for example:

vault kv get -version=3 secret/{secret-name}

The default is the latest version.

Delete secret

Deletes a secret from Akeyless Vault:

vault kv delete secret/{secret-name}

Info

The optional -versions flag takes a list of specific versions to delete from Akeyless Vault, for example:

vault kv delete -versions=2,6,15 secret/{secret-name}

If no version is specified, all versions of the secret are deleted.