Storage Backends
A storage backend represents the location where Vault stores its information.
Syntax
storage [NAME] {
  [PARAMETERS...]
}
Example
storage "file" {
  path = "/mnt/vault/data"
}
Right now Vault supports the following storage backends.
a. Azure
b. Cassandra
c. CockroachDB
d. Consul
e. CouchDB
f. DynamoDB
g. Etcd
h. Filesystem
i. FoundationDB
j. Google Cloud Spanner
k. Google Cloud Storage
l. In-Memory
m. Manta
n. MSSQL
o. MySQL
p. OCI Object Storage
q. PostgreSQL
r. Raft
s. S3
t. Swift
u. Zookeeper
Secrets Engines
These are the components which store, generate or encrypt data. Depending on your requirement, you can enable one or more secrets engines.
Following are the different secrets engines supported by Vault.
a. Active Directory
b. AliCloud
c. AWS
d. Azure
e. Consul
f. Cubbyhole
g. Databases
h. Google Cloud
i. Google Cloud KMS
j. KMIP (Enterprise)
k. Key/Value
l. Identity
m. MongoDB Atlas
n. Nomad
o. OpenLDAP
p. PKI (Certificates)
q. RabbitMQ
r. SSH
s. TOTP
t. Transform (Enterprise)
u. Transit
v. Venafi (Certificates)
Authentication Methods
Auth methods are the components in Vault that perform authentication and are responsible for assigning identity and a set of policies to a user.
Depending on your use case, you can enable multiple authentication methods.
Following are the different authentication methods supported by Vault.
a. AppRole
b. AliCloud
c. AWS
d. Azure
e. Cloud Foundry
f. GitHub
g. Google Cloud
h. JWT/OIDC
i. Kerberos
j. Kubernetes
k. LDAP
l. Oracle Cloud Infrastructure
m. Okta
n. RADIUS
o. TLS Certificates
p. Tokens
q. Username & Password
Audit Devices
This component is responsible for logging all requests and responses to Vault. Multiple audit devices can be enabled, and Vault will send the audit logs to all of them.
Each line in the audit log is a JSON object. Responses are hashed with a salt using HMAC-SHA256. The purpose of the hash is to keep secrets from appearing in plaintext within your audit logs.
Following are the audit devices supported by Vault.
a. File
b. Syslog
c. Socket
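The following Python sketch is an added example, not code from the original page or from Vault itself. It models the scheme described above (one JSON object per line, string values replaced by a salted HMAC-SHA256) to show how a responder can check whether a known secret was recorded without the log ever holding it in plaintext. The salt, the log entries and the path secret/db are constructed for the demo.

```python
import hashlib
import hmac
import json

SALT = b"constructed-demo-salt"  # constructed; a real device keeps its salt inside Vault

def audit_hash(value, salt=SALT):
    """Hash a string the way the audit log records it: hmac-sha256:<hex>."""
    return "hmac-sha256:" + hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()

def walk_strings(node, path=""):
    """Yield (json_path, string) for every string inside a decoded JSON value."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk_strings(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk_strings(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def find_secret(log_lines, secret, salt=SALT):
    """Return (line_no, entry_type, json_path) wherever the hashed secret occurs."""
    wanted = audit_hash(secret, salt)
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        entry = json.loads(line)  # each audit log line is one JSON object
        for json_path, value in walk_strings(entry):
            if value == wanted:
                hits.append((line_no, entry.get("type"), json_path))
    return hits

def plaintext_lines(log_lines, secret):
    """Return line numbers where the secret appears unhashed (should be none)."""
    return [n for n, line in enumerate(log_lines, start=1) if secret in line]

def sample_log(secret="s3cr3t-db-pass"):
    """Constructed, simplified audit entries for a read of secret/db."""
    req = {"operation": "read", "path": "secret/db"}
    def response(value):  # one response entry whose password field is hashed
        data = {"password": audit_hash(value)}
        return {"type": "response", "request": req, "response": {"data": data}}
    entries = [{"type": "request", "request": req},
               response(secret), response("unrelated-value")]
    return [json.dumps(e) for e in entries]

if __name__ == "__main__":
    print(find_secret(sample_log(), "s3cr3t-db-pass"))
```

On a live server the salt is not readable by operators; Vault's sys/audit-hash API endpoint computes the hash of a given input for a named audit device, and the returned value can be searched for in the same way.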
Vault Paths
Paths are used with the API or with the read, write and delete commands to interact with Vault. The path tells Vault which component a request should be routed to.
Permissions, or policies, are granted based on path.
Example
vault secrets enable -path=secret/ kv
The above statement enables the kv secrets engine at the path secret/.