HashiCorp Vault

This article walks you through the steps required to integrate HashiCorp Vault with Hyperscience.

Configure HashiCorp Vault

To configure the HashiCorp Vault integration, follow the steps below:

  1. In Vault, create a new authentication token for Hyperscience by following the steps in Vault’s token create documentation. Apply the appropriate token configuration as per your organization's policies.

  2. In the config.hcl file, map any secrets to be retrieved to the appropriate environment variable. See the “Configure config.hcl” section below for more information.

  3. In the “.env” file, set VAULT_ADDR and VAULT_TOKEN to their appropriate values. If your Vault deployment requires TLS, configure the following additional environment variables:

    • VAULT_CACERT

    • VAULT_CAPATH

    • VAULT_CLIENT_CERT

    • VAULT_CLIENT_KEY

    To learn more about Vault’s environment variables, see HashiCorp’s Environment variable documentation.

  4. Confirm that the tool works outside of Hyperscience.

  5. In the “.env” file, add the following variables and values:

    HS_SECRETS_MANAGER=vault
    VAULT_ADDR=http://vault.example.com:8200
    VAULT_TOKEN=

  6. Restart the Hyperscience application with the following commands. Make sure that the commands work as expected.

    sudo bash run.sh init
    sudo bash run.sh --restart --clean

  7. Rotate the secrets and restart the application with the above commands again. Make sure that the Hyperscience application starts successfully upon restart.
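
A preflight check for the “.env” settings from steps 3 and 5, which can be run before each restart in steps 6 and 7. It is an added example, not part of Hyperscience or HashiCorp tooling. It assumes the “.env” file holds plain KEY=VALUE lines, and the function names and return codes are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: preflight check for the Vault settings in the ".env" file.
# Function names and return codes are this example's own (hypothetical).
# Usage: source this file, then run: check_vault_env .env

# Print the value assigned to KEY ($1) in FILE ($2); last assignment wins.
env_get() {
  sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | tr -d '\r'
}

# Returns 0 = ready, 1 = missing or inconsistent setting,
# 2 = complete, but VAULT_TOKEN would travel over plaintext HTTP.
check_vault_env() {
  local file=$1 rc=0 var path cert key
  [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }

  [ "$(env_get HS_SECRETS_MANAGER "$file")" = "vault" ] ||
    { echo "FAIL: HS_SECRETS_MANAGER must be 'vault'"; rc=1; }
  [ -n "$(env_get VAULT_TOKEN "$file")" ] ||
    { echo "FAIL: VAULT_TOKEN is empty"; rc=1; }

  case "$(env_get VAULT_ADDR "$file")" in
    https://*) ;;
    http://*)
      echo "WARN: VAULT_ADDR is http://, the token is sent unencrypted"
      if [ "$rc" -eq 0 ]; then rc=2; fi ;;
    *) echo "FAIL: VAULT_ADDR must be an http(s) URL"; rc=1 ;;
  esac

  # Every TLS path named in the file must exist on this host.
  for var in VAULT_CACERT VAULT_CAPATH VAULT_CLIENT_CERT VAULT_CLIENT_KEY; do
    path=$(env_get "$var" "$file")
    [ -z "$path" ] || [ -e "$path" ] ||
      { echo "FAIL: $var=$path does not exist"; rc=1; }
  done

  # Client certificate and key are only usable as a pair.
  cert=$(env_get VAULT_CLIENT_CERT "$file")
  key=$(env_get VAULT_CLIENT_KEY "$file")
  if [ -n "$cert$key" ] && { [ -z "$cert" ] || [ -z "$key" ]; }; then
    echo "FAIL: set VAULT_CLIENT_CERT and VAULT_CLIENT_KEY together"; rc=1
  fi
  return "$rc"
}
```

A return code of 2 means the settings are complete but the token is exposed on the network path to Vault.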

Configure config.hcl

The config.hcl file defines a format for mapping an environment variable to a location where a secret is stored.

    {
      path = "hs"
      no_prefix = true
    }

In the example above, path instructs the application to read all key/value pairs under the hs prefix in Vault and return the key/value pairs as environment variables to Hyperscience. To learn more about the config.hcl file, see HashiCorp’s Configuration File guide.