Vault is compatible with MAAS version 3.3 and above. Please upgrade if you’re using an older version.
To ensure seamless integration between MAAS and Vault, you’ll first need to obtain a role_id and wrapped_token through Vault’s CLI. For detailed guidance, check HashiCorp Vault’s tutorial.
Here’s an illustrative example of how to set up this integration using the vault CLI:
- Enable the approle engine
$ vault auth list
If approle/ isn’t mounted, enable it:
$ vault auth enable approle
- Confirm or mount the KV v2 engine
$ vault secrets enable -path $SECRETS_MOUNT kv-v2
- Create a suitable policy
path "$SECRETS_MOUNT/metadata/$SECRETS_PATH/" {
  capabilities = ["list"]
}
path "$SECRETS_MOUNT/metadata/$SECRETS_PATH/*" {
  capabilities = ["read", "update", "delete", "list"]
}
path "$SECRETS_MOUNT/data/$SECRETS_PATH/*" {
  capabilities = ["read", "create", "update", "delete"]
}
- Apply the policy in Vault
$ vault policy write $MAAS_POLICY $POLICY_FILE
- Associate each MAAS region controller with the policy
$ vault write auth/approle/role/$ROLE_NAME \
    policies=$MAAS_POLICY token_ttl=5m
Fetch the role ID:
$ vault read auth/approle/role/$ROLE_NAME/role-id
- Generate a secret ID for each role
$ vault write -wrap-ttl=5m -f auth/approle/role/$ROLE_NAME/secret-id
Post-setup, you can integrate MAAS with Vault using:
$ sudo maas config-vault configure $URL $APPROLE_ID $WRAPPED_TOKEN $SECRETS_PATH --mount $SECRETS_MOUNT
Complete the integration by migrating the secrets:
$ sudo maas config-vault migrate
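Vault reads the policy file literally and does not expand shell variables, so the $SECRETS_MOUNT and $SECRETS_PATH placeholders in the policy step above must be substituted before the policy is written. The following is an added example, not part of the MAAS documentation, that renders the policy from real values and rejects values that would widen it; the function names valid_segment, render_maas_policy and check_rendered are assumptions made for illustration.

```shell
# Added example, not from the MAAS docs. Function names are hypothetical.

# valid_segment VALUE: accept slash-separated names built from letters,
# digits, '.', '_' and '-'. Rejects empty values, leading, trailing or
# doubled slashes, and anything ('*', '"', '$', spaces) that would widen
# the policy or break the HCL.
valid_segment() {
    case "$1" in
        ''|/*|*/|*//*) return 1 ;;
        *[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    return 0
}

# render_maas_policy MOUNT PATH: print the policy from the page on stdout
# with both placeholders replaced by the given values.
render_maas_policy() {
    kv_mount=$1
    kv_path=$2
    valid_segment "$kv_mount" || { echo "bad mount: $kv_mount" >&2; return 1; }
    valid_segment "$kv_path" || { echo "bad path: $kv_path" >&2; return 1; }
    cat <<EOF
path "$kv_mount/metadata/$kv_path/" {
  capabilities = ["list"]
}

path "$kv_mount/metadata/$kv_path/*" {
  capabilities = ["read", "update", "delete", "list"]
}

path "$kv_mount/data/$kv_path/*" {
  capabilities = ["read", "create", "update", "delete"]
}
EOF
}

# check_rendered FILE: succeed only if FILE is readable and no '$'
# placeholder is left in it (useful for a hand-edited policy file too).
check_rendered() {
    [ -r "$1" ] && ! grep -qF '$' "$1"
}

# Usage with the page's variables:
#   render_maas_policy "$SECRETS_MOUNT" "$SECRETS_PATH" > "$POLICY_FILE" &&
#     check_rendered "$POLICY_FILE" &&
#     vault policy write "$MAAS_POLICY" "$POLICY_FILE"
```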
This guide provides you with a structured approach to get your MAAS-Vault integration up and running. Happy integrating!