Hashicorp Vault
Use Keeper Secrets Manager with HashiCorp Vault as a Data Source
Last updated
Was this helpful?
Use Keeper Secrets Manager with HashiCorp Vault as a Data Source
Last updated
Was this helpful?
The Keeper Secrets Manager HashiCorp Vault integration allows you to use secrets from the Keeper Vault as a data store for HashiCorp Vault.
Use Secrets from the Keeper Vault with HashiCorp Vault scripts and commands
Read secret information using HashiCorp Vault
Update secret information from HashiCorp Vault
This page documents the Secrets Manager HashiCorp Vault integration. In order to utilize this integration, you will need:
Secrets Manager add-on enabled for your Keeper subscription
Membership in a Role with the Secrets Manager enforcement policy enabled
The HashiCorp Vault integration accepts our Base64 format configurations
HashiCorp Vault command line, and a Vault server running
Download the latest integration release from the KSM GitHub page:
Look for a vault-plugin release in the list of releases that matched your platform.
Unzip the plugin and place it into your HashiCorp Vault plugins directory. In this example the folder is located at C:\vault\plugins (Windows) or /etc/vault/vault_plugins (MacOS/ Linux)
For testing the plugin or to allow quick development, development mode can be used to quickly get the HashiCorp Vault CLI up and running.
HashiCorp Vault CLI development mode utilizes volatile in-memory storage. Any actions taken on secrets in the Keeper Vault are immediate, but the plugin will need to be re-enabled each time the HashiCorp Vault is started in dev mode.
When ready to move to production, the plugin will need to be registered using a SHA256 hash of the plugin.
You will need a hash of the plugin file to enable it with production HashiCorp Vault servers. This hash can be generated for the Secrets Manager plugin.
Windows 7 and later comes with a built-in tool called CertUtil that can be used to generate the SHA256 hash. This example will show how to generate a SHA hash using CertUtil, but any tool that can generate a file hash in SHA256 will work.
Now that the HashiCorp Vault plugin is installed, a secure connection to the Keeper Vault needs to be established so that secret credentials can be accessed. To create this connection, a Secrets Manager configuration needs to be created and assigned to the plugin.
Once a configuration has been generated, set it to a variable to be used by the Vault Plugin.
The records will be shown in the following format:
Example:
Example:
Example:
To update an existing secret, use the following command, passing in JSON data that represents the updated secret's information. The corresponding record in the Keeper Vault will be updated to match the JSON data passed.
In this example, the updated data is passed in from a file, this is recommended for cleaner and more simple CLI commands. The JSON data can be passed in on the command line, but quotes will need to be escaped.
Example data file:
Similar to updating a secret, create a new secret by passing JSON data to the following command:
In this example, the updated data is passed in from a file, this is recommended for cleaner and more simple CLI commands. The JSON data can be passed in on the command line, but quotes will need to be escaped.
Example data file:
For a complete list of Keeper Secrets Manager features see the
Keeper Secrets Manager access (See the for more details)
A Keeper with secrets shared to it
See the for instructions on creating an Application
An initialized Keeper
See the for how to install
A Secrets Manager configuration can be created using Keeper Commander or the Secrets Manager CLI. See the for more information on creating a configuration.
