The `config-vault` command is used to integrate HashiCorp Vault for secure secrets management. This integration enhances security by storing sensitive information, such as credentials and keys, outside the MAAS database in a dedicated secrets management system.
Key functions
- Configuration: Sets up the connection between MAAS and Vault by specifying parameters like the Vault URL, AppRole ID, wrapped token, secrets path, and mount point.
- Migration: Transfers existing secrets from the MAAS database to Vault, ensuring they are securely stored.
Integration steps
- Prepare Vault
  - Enable the `approle` authentication method and the KV secrets engine in Vault.
  - Create a policy granting MAAS the necessary permissions.
  - Generate a role ID and a wrapped secret ID for MAAS authentication.
- Configure MAAS
  - On each region controller, run:

        sudo maas config-vault configure $URL $APPROLE_ID $WRAPPED_TOKEN $SECRETS_PATH --secrets-mount $SECRET_MOUNT

    Replace the placeholders with your Vault details.
- Migrate secrets
  - After configuring all region controllers, execute on one of them:

        sudo maas config-vault migrate

    This moves the secrets from the MAAS database to Vault.
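The three steps above (prepare Vault, configure each region controller, migrate once) gathered into one script. This is an added example, not code from the MAAS project or its documentation: it uses the real `vault` and `maas` CLI commands, but the role and policy name `maas`, the KV mount `secret`, the path `maas`, the 5-minute wrap TTL, the exact policy capabilities, and the https-only check are assumptions made here for illustration. It assumes a `vault` CLI already logged in with a token that may manage auth methods, policies and AppRoles, and `VAULT_ADDR` pointing at the server.

```shell
#!/bin/sh
# Added example (not MAAS project code): prepare Vault for MAAS, then run
# config-vault on the region controllers. Assumed: the `vault` CLI is logged
# in with a token allowed to manage auth methods, policies and AppRoles, and
# VAULT_ADDR points at the Vault server. Role name, mount, path and wrap TTL
# below are illustrative defaults, not values MAAS requires.
set -eu

SECRET_MOUNT="${SECRET_MOUNT:-secret}"   # KV v2 mount point (--secrets-mount)
SECRETS_PATH="${SECRETS_PATH:-maas}"     # subtree under the mount that MAAS owns
ROLE_NAME="${ROLE_NAME:-maas}"           # AppRole and policy name (assumption)
WRAP_TTL="${WRAP_TTL:-5m}"               # how long the wrapped secret ID stays redeemable

# Render a least-privilege policy scoped to MAAS's subtree. KV v2 stores values
# under <mount>/data/<path> and version metadata under <mount>/metadata/<path>;
# the capability lists are an assumption about what MAAS needs, not from its docs.
maas_policy() {
    mount="$1"
    path="$2"
    cat <<EOF
path "${mount}/data/${path}/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "${mount}/metadata/${path}/*" {
  capabilities = ["read", "list", "delete"]
}
EOF
}

# Validate the four positional values `config-vault configure` needs before
# anything is sent to Vault. Requiring https is a hardening choice made here:
# the wrapped token is redeemed over this connection.
require_vault_args() {
    [ "$#" -eq 4 ] || { echo "need URL APPROLE_ID WRAPPED_TOKEN SECRETS_PATH" >&2; return 1; }
    for arg in "$@"; do
        [ -n "$arg" ] || { echo "error: empty argument" >&2; return 1; }
    done
    case "$1" in
        https://*) ;;
        *) echo "error: Vault URL must use https: $1" >&2; return 1 ;;
    esac
}

# Step 1: auth method, KV engine, policy, AppRole, then the two credentials.
prepare_vault() {
    vault auth enable approle 2>/dev/null || true                   # ignore "already enabled"
    vault secrets enable -path="$SECRET_MOUNT" kv-v2 2>/dev/null || true
    maas_policy "$SECRET_MOUNT" "$SECRETS_PATH" | vault policy write "$ROLE_NAME" -
    vault write "auth/approle/role/$ROLE_NAME" token_policies="$ROLE_NAME"
    # The role ID is not secret on its own. The secret ID never appears in the
    # clear: Vault returns a single-use wrapping token that MAAS unwraps itself,
    # so run the second command once per region controller.
    APPROLE_ID=$(vault read -field=role_id "auth/approle/role/$ROLE_NAME/role-id")
    WRAPPED_TOKEN=$(vault write -wrap-ttl="$WRAP_TTL" -field=wrapping_token \
        -f "auth/approle/role/$ROLE_NAME/secret-id")
    echo "APPROLE_ID=$APPROLE_ID"
    echo "WRAPPED_TOKEN=$WRAPPED_TOKEN"
}

# Step 2: on every region controller, with that controller's own wrapped token.
configure_maas() {
    require_vault_args "$@"
    sudo maas config-vault configure "$@" --secrets-mount "$SECRET_MOUNT"
}

# Step 3: once, on any one region controller, after all are configured.
migrate_secrets() {
    sudo maas config-vault migrate
}

case "${1:-}" in
    prepare)   prepare_vault ;;
    configure) shift; configure_maas "$@" ;;
    migrate)   migrate_secrets ;;
    "")        ;;   # no subcommand: only define the functions
    *)         echo "usage: $0 prepare | configure URL APPROLE_ID WRAPPED_TOKEN SECRETS_PATH | migrate" >&2; exit 2 ;;
esac
```

Run `prepare` on a machine with the Vault admin token, paste its two output values into `configure` on each region controller (generating a fresh wrapped token for each, since a wrapping token can be redeemed only once), then run `migrate` on a single controller. The policy deliberately names only the MAAS subtree rather than the whole mount, so a compromised MAAS credential cannot read other secrets stored on the same KV engine.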
Benefits of integration
- Enhanced Security: Secrets are stored in Vault's encrypted storage, reducing exposure.
- Centralized Management: Consolidates secret storage, simplifying audits and compliance.
- Access Control: Utilizes Vault's robust policies to control access to secrets.
Integrating MAAS with HashiCorp Vault using the `config-vault` command ensures that sensitive information is securely managed, aligning with best practices for infrastructure security.