How to integrate Vault


Vault is compatible with MAAS version 3.3 and above. Please upgrade if you’re using an older version.

To integrate MAAS with Vault, you’ll first need to obtain a role_id and wrapped_token through Vault’s CLI. For detailed guidance, check HashiCorp Vault’s tutorial.

Here’s an illustrative example on how to set up this integration using the vault CLI:

  1. Enable the approle engine
$ vault auth list

If approle/ isn’t mounted, enable it:

$ vault auth enable approle
  2. Confirm or mount the KV v2 engine
$ vault secrets enable -path $SECRETS_MOUNT kv-v2
  3. Create a suitable policy
path "$SECRETS_MOUNT/metadata/$SECRETS_PATH/" {
	capabilities = ["list"]
}

path "$SECRETS_MOUNT/metadata/$SECRETS_PATH/*" {
	capabilities = ["read", "update", "delete", "list"]
}

path "$SECRETS_MOUNT/data/${SECRETS_PATH}/*" {
	capabilities = ["read", "create", "update", "delete"]
}
  4. Apply the policy in Vault
$ vault policy write $MAAS_POLICY $POLICY_FILE
  5. Associate each MAAS region controller with the policy
$ vault write auth/approle/role/$ROLE_NAME \
policies=$MAAS_POLICY token_ttl=5m

Fetch the role ID:

$ vault read auth/approle/role/$ROLE_NAME/role-id
  6. Generate a secret ID for each role
$ vault write -f -wrap-ttl=5m auth/approle/role/$ROLE_NAME/secret-id

Post-setup, you can integrate MAAS with Vault using:

$ sudo maas config-vault configure $URL $APPROLE_ID $WRAPPED_TOKEN $SECRETS_PATH --mount $SECRETS_MOUNT

Complete the integration by migrating the secrets:

$ sudo maas config-vault migrate
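
The policy, role and secret ID steps above for one region controller, as an added shell example (not from the MAAS or Vault documentation). It renders the policy with the real mount and path, because Vault does not expand $SECRETS_MOUNT-style placeholders inside a policy file, then prints the role ID and a wrapped secret ID. The function names, the character whitelist and the sample arguments are assumptions; it needs the vault CLI, jq, VAULT_ADDR and a token allowed to manage policies and AppRole.

```shell
#!/bin/sh
# Added example; names, whitelist and sample arguments are assumptions.
set -eu

# Conservative check (assumption): letters, digits, "_", "-" and inner "/"
# only, so a substituted value cannot add a glob or widen a policy path.
valid_segment() {
    case $1 in
        ''|/*|*/|*[!A-Za-z0-9_/-]*) return 1 ;;
    esac
}

# Step 3: the guide's three rules with mount and path filled in.
render_maas_policy() {
    cat <<EOF
path "$1/metadata/$2/" {
  capabilities = ["list"]
}

path "$1/metadata/$2/*" {
  capabilities = ["read", "update", "delete", "list"]
}

path "$1/data/$2/*" {
  capabilities = ["read", "create", "update", "delete"]
}
EOF
}

# Steps 4-6 for one region controller: prints role ID, then wrapped token.
provision_controller() {
    mnt=$1 sub=$2 policy=$3 role=$4
    valid_segment "$mnt" && valid_segment "$sub" || return 2
    render_maas_policy "$mnt" "$sub" | vault policy write "$policy" - >/dev/null
    vault write "auth/approle/role/$role" \
        policies="$policy" token_ttl=5m >/dev/null
    vault read -format=json "auth/approle/role/$role/role-id" | jq -r .data.role_id
    vault write -f -wrap-ttl=5m -format=json \
        "auth/approle/role/$role/secret-id" | jq -r .wrap_info.token
}

# e.g. sh maas-vault.sh apply maas-secrets maas maas-policy controller1
if [ "${1:-}" = apply ]; then
    shift
    provision_controller "$@"
fi
```

The wrapped token can be unwrapped only once and expires after the 5-minute wrap TTL, so generate a fresh one for each region controller and run maas config-vault configure on that controller before it expires.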

This guide provides you with a structured approach to get your MAAS-Vault integration up and running. Happy integrating!

Might be a dumb question but, why would you need Vault for MAAS?

I got my 1st controller configured for Vault

Vault successfully configured for the region!
Once all regions in cluster are configured, use the following command to migrate secrets:

sudo maas config-vault migrate

Running the maas config-vault configure on the 2nd controller gives me the following error:

administrator@controller2:~$ sudo maas config-vault configure $URL $APPROLE_ID $(vault write -f -wrap-ttl=5m -format=json auth/approle/role/controller2/secret-id | jq -r .wrap_info.token) $SECRETS_PATH --mount $SECRET_MOUNT --yes
usage: maas [-h] COMMAND ...

  -h, --help      show this help message and exit

drill down:
    login         Log in to a remote API, and remember its description and credentials.
    logout        Log out of a remote API, purging any stored credentials.
    list          List remote APIs that have been logged-in to.
    refresh       Refresh the API descriptions of all profiles.
    init          Initialise MAAS in the specified run mode.
    config        View or change controller configuration.
    status        Status of controller services.
    migrate       Perform migrations on connected database.
    apikey        Used to manage a user's API keys. Shows existing keys unless --generate or --delete is passed.
    configauth    Configure external authentication.
    config-tls    Configure MAAS Region TLS.
    config-vault  Configure MAAS Region Vault integration.
    createadmin   Create a MAAS administrator account.
                  Change a MAAS user's password.
                  Interact with https://controller1/MAAS/api/2.0/

connection to server at "localhost" (, port 5432 failed: Connection refused
        Is the server running on that host and accepting TCP/IP connections?

Why is the controller trying to connect to the local port 5432?