HashiCorp Vault

Secure, store and tightly control access to tokens, passwords, certificates and encryption keys for protecting secrets and other sensitive data using HashiCorp Vault. This integration can also fetch credentials from Vault into Demisto. For more information, see Managing Credentials.

This integration was integrated and tested with version 0.11.5 of HashiCorp Vault.

Configure HashiCorp Vault on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for HashiCorp Vault.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • HashiCorp server URL (e.g., https://192.168.0.1:8200)
    • Username
    • Authentication token
    • Trust any certificate (not secure) - disables TLS certificate verification. Leave it unchecked outside a lab: anyone who can intercept the connection then sees the authentication token and every secret that is fetched.
    • Use system proxy settings
    • Fetches credentials - If set, the integration will fetch credentials from Vault to Demisto.
    • CSV list of secrets engine types to fetch secrets from
  4. Click Test to validate the URLs, token, and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. List all secrets engines: hashicorp-list-secrets-engines
  2. List secrets for a KV V2 engine: hashicorp-list-secrets
  3. Get information for a secret: hashicorp-get-secret-metadata
  4. Delete data for a secret: hashicorp-delete-secret
  5. Undelete (restore) a secret: hashicorp-undelete-secret
  6. Permanently delete a secret: hashicorp-destroy-secret
  7. Disable a secrets engine: hashicorp-disable-engine
  8. Enable a new secrets engine: hashicorp-enable-engine
  9. List all configured policies: hashicorp-list-policies
  10. Get information for a policy: hashicorp-get-policy
  11. Seal a vault: hashicorp-seal-vault
  12. Unseal a vault: hashicorp-unseal-vault
  13. Configure a secrets engine: hashicorp-configure-engine
  14. Reset the secrets engine configuration: hashicorp-reset-configuration
  15. Create a new authentication token: hashicorp-create-token

1. List all secrets engines


List all secrets engines that exist in HashiCorp Vault.

Base Command

hashicorp-list-secrets-engines

Input

There are no input arguments for this command.

Context Output
Path Type Description
HashiCorp.Engine.Type string Secrets engine type
HashiCorp.Engine.Path string Secrets engine path in HashiCorp
HashiCorp.Engine.Description string Secrets engine description
HashiCorp.Engine.Accessor string Secrets engine accessor

Command Example
!hashicorp-list-secrets-engines
Context Example
{
    "HashiCorp": {
        "Engine": [
            {
                "Accessor": "transit_b0c1c4aa",
                "Path": "transit/",
                "Type": "transit"
            },
            {
                "Accessor": "identity_adef7422",
                "Description": "identity store",
                "Path": "identity/",
                "Type": "identity"
            },
            {
                "Accessor": "aws_32f92054",
                "Path": "aws/",
                "Type": "aws"
            },
            {
                "Accessor": "kv_7d59edbc",
                "Path": "kv/",
                "Type": "kv"
            },
            {
                "Accessor": "database_04257645",
                "Path": "database/",
                "Type": "database"
            },
            {
                "Accessor": "kv_bef123ed",
                "Path": "test_1545739691984/",
                "Type": "kv"
            },
            {
                "Accessor": "kv_80cff632",
                "Path": "kv2/",
                "Type": "kv"
            },
            {
                "Accessor": "kv_9078f614",
                "Path": "test_1545739444652/",
                "Type": "kv"
            },
            {
                "Accessor": "system_324bc58d",
                "Description": "system endpoints used for control, policy and debugging",
                "Path": "sys/",
                "Type": "system"
            },
            {
                "Accessor": "kv_871d4cd3",
                "Description": "key/value secret storage",
                "Path": "secret/",
                "Type": "kv"
            },
            {
                "Accessor": "kv_5c21978b",
                "Description": "hmm",
                "Path": "shtut/",
                "Type": "kv"
            },
            {
                "Accessor": "ssh_6048cf80",
                "Path": "ssh/",
                "Type": "ssh"
            },
            {
                "Accessor": "cubbyhole_6094de88",
                "Description": "per-token private secret storage",
                "Path": "cubbyhole/",
                "Type": "cubbyhole"
            },
            {
                "Accessor": "totp_f0eb21f3",
                "Path": "totp/",
                "Type": "totp"
            },
            {
                "Accessor": "azure_0216cdab",
                "Path": "azure/",
                "Type": "azure"
            },
            {
                "Accessor": "kv_86acaa5f",
                "Path": "test_1545739510810/",
                "Type": "kv"
            }
        ]
    }
}
Human Readable Output

image

2. List secrets for a KV V2 engine


List secrets (names) for a specified KV engine.

Base Command

hashicorp-list-secrets

Input
Argument Name Description Required
engine Engine path, e.g., "secret/". Use the hashicorp-list-secrets-engines command to retrieve the engine path. Required
version The version of the KV engine. Optional

Context Output
Path Type Description
HashiCorp.Secret.Path string Secret path

Command Example
!hashicorp-list-secrets engine=secret/ version=2
Context Example
{
    "HashiCorp": {
        "Secret": [
            {
                "Path": "key2"
            },
            {
                "Path": "test_secret"
            }
        ]
    }
}
Human Readable Output

image

3. Get information for a secret


Returns information about a specified secret in a specified KV V2 engine.

Base Command

hashicorp-get-secret-metadata

Input
Argument Name Description Required
engine_path KV engine path, e.g., "secret/" Required
secret_path Secret path relative to the engine, e.g., "test_secret" Required

Context Output
Path Type Description
HashiCorp.Secret.Created date Secret creation time
HashiCorp.Secret.Version.Number number Version number
HashiCorp.Secret.Version.Destroyed boolean Whether the version was destroyed (its data is permanently removed)
HashiCorp.Secret.Version.Created date Version creation time
HashiCorp.Secret.Version.Deleted date Version soft-deletion time (empty if the version is not deleted)
HashiCorp.Secret.Updated date Secret last updated time
HashiCorp.Secret.Engine string Secrets engine path
HashiCorp.Secret.CurrentVersion number Secret current version
HashiCorp.Secret.Path string Secret path

Command Example
!hashicorp-get-secret-metadata engine_path=secret/ secret_path=test_secret
Context Example
{
    "HashiCorp": {
        "Secret": {
            "Created": "2018-12-23T13:36:43.441882322Z",
            "CurrentVersion": 2,
            "Engine": "secret/",
            "Path": "test_secret",
            "Updated": "2018-12-24T11:50:52.803923598Z",
            "Version": [
                {
                    "Created": "2018-12-23T13:36:43.441882322Z",
                    "Deleted": "",
                    "Destroyed": true,
                    "Number": "1"
                },
                {
                    "Created": "2018-12-24T11:50:52.803923598Z",
                    "Deleted": "",
                    "Destroyed": false,
                    "Number": "2"
                }
            ]
        }
    }
}
Human Readable Output

image

4. Delete data for a secret


Deletes the specified versions of a secret under the given secret path (KV V2 engine only). This is a soft delete: Vault records a deletion time for each version and stops returning its data, but the data is retained and can be restored with the hashicorp-undelete-secret command. Use hashicorp-destroy-secret when the data must be gone for good.

Base Command

hashicorp-delete-secret

Input
Argument Name Description Required
secret_path Secret path relative to the engine, e.g., "test_secret" Required
engine_path Engine path, e.g., "secret/" Required
versions CSV list of secret versions to delete Required

Context Output

There is no context output for this command.

Command Example
!hashicorp-delete-secret engine_path=secret/ secret_path=test_secret versions=2
Human Readable Output

image

5. Undelete (restore) a secret


Undeletes (restores) a secret on HashiCorp (for KV V2 engine).

Base Command

hashicorp-undelete-secret

Input
Argument Name Description Required
secret_path Secret path relative to the engine, e.g., "test_secret" Required
engine_path Engine path, e.g., "secret/" Required
versions CSV list of secret versions to undelete (restore) Required

Context Output

There is no context output for this command.

Command Example
!hashicorp-undelete-secret engine_path=secret/ secret_path=test_secret versions=2
Human Readable Output

image

6. Permanently delete a secret


Permanently deletes (destroys) the specified versions of a secret (KV V2 engine only). The version entries stay in the secret's metadata, marked as destroyed, but their data is removed and cannot be recovered with hashicorp-undelete-secret.

Base Command

hashicorp-destroy-secret

Input
Argument Name Description Required
secret_path Secret path relative to the engine, e.g., "test_secret" Required
engine_path Engine path, e.g., "secret/" Required
versions CSV list of secret versions to permanently delete Required

Context Output

There is no context output for this command.

Command Example
!hashicorp-destroy-secret engine_path=secret/ secret_path=test_secret versions=1
Human Readable Output

image
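The secret commands above (hashicorp-list-secrets, hashicorp-get-secret-metadata, hashicorp-delete-secret, hashicorp-undelete-secret and hashicorp-destroy-secret) are thin wrappers over Vault's KV V2 HTTP API. The following Python client is an added example written for this page, not the integration's own code, and shows the request each command maps to and how the metadata distinguishes a soft-deleted version from a destroyed one. The server address, the token value and the fake transport that answers with the metadata from the example above are constructed for offline use; the endpoint paths, methods and bodies are those documented for the KV V2 engine.

```python
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional

# transport(method, url, headers, body) -> parsed JSON (or None for an empty response)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Any]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Any:
    """Real HTTPS call. Vault accepts the non-standard LIST method; 4xx/5xx raise HTTPError."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


class KVv2Client:
    """One KV v2 mount. Paths follow Vault's KV v2 API: <mount>/{metadata,data,delete,undelete,destroy}/<secret>."""

    def __init__(self, addr: str, token: str, mount: str = "secret", transport: Transport = urllib_transport):
        self.addr = addr.rstrip("/")
        self.mount = mount.strip("/")
        self.token = token
        self.transport = transport

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> Any:
        headers = {"X-Vault-Token": self.token, "Content-Type": "application/json"}
        data = json.dumps(body).encode() if body is not None else None
        return self.transport(method, f"{self.addr}/v1/{path}", headers, data)

    def list_secrets(self, prefix: str = "") -> List[str]:
        # hashicorp-list-secrets: LIST on the metadata path returns key names only, never values.
        return self._call("LIST", f"{self.mount}/metadata/{prefix}")["data"]["keys"]

    def secret_metadata(self, secret_path: str) -> Dict[str, Any]:
        # hashicorp-get-secret-metadata, reshaped into the context keys documented on this page.
        d = self._call("GET", f"{self.mount}/metadata/{secret_path}")["data"]
        versions = [
            {
                "Number": int(num),
                "Created": v["created_time"],
                "Deleted": v["deletion_time"],  # "" = not soft-deleted; undelete clears this
                "Destroyed": v["destroyed"],    # True = data purged; undelete cannot bring it back
            }
            for num, v in sorted(d["versions"].items(), key=lambda kv: int(kv[0]))
        ]
        return {"Path": secret_path, "CurrentVersion": d["current_version"],
                "Created": d["created_time"], "Updated": d["updated_time"], "Version": versions}

    @staticmethod
    def readable_versions(meta: Dict[str, Any]) -> List[int]:
        """Versions a read of <mount>/data/<secret>?version=N would still return."""
        return [v["Number"] for v in meta["Version"] if v["Deleted"] == "" and not v["Destroyed"]]

    def _versions_op(self, op: str, secret_path: str, versions: List[int]) -> None:
        # delete / undelete / destroy are all POSTs with {"versions": [...]} and need the update capability.
        self._call("POST", f"{self.mount}/{op}/{secret_path}", {"versions": [int(v) for v in versions]})

    def delete_versions(self, secret_path: str, versions: List[int]) -> None:
        self._versions_op("delete", secret_path, versions)      # soft delete, reversible

    def undelete_versions(self, secret_path: str, versions: List[int]) -> None:
        self._versions_op("undelete", secret_path, versions)    # restores soft-deleted versions only

    def destroy_versions(self, secret_path: str, versions: List[int]) -> None:
        self._versions_op("destroy", secret_path, versions)     # irreversible


# Constructed stand-in for a Vault server, answering with the metadata shown in the page's example.
FAKE_METADATA = {"data": {
    "created_time": "2018-12-23T13:36:43.441882322Z", "current_version": 2,
    "updated_time": "2018-12-24T11:50:52.803923598Z",
    "versions": {
        "1": {"created_time": "2018-12-23T13:36:43.441882322Z", "deletion_time": "", "destroyed": True},
        "2": {"created_time": "2018-12-24T11:50:52.803923598Z", "deletion_time": "", "destroyed": False},
    }}}


def make_fake_transport(log: list) -> Transport:
    def fake(method, url, headers, body):
        log.append((method, url.split("/v1/", 1)[1], json.loads(body) if body else None))
        if method == "LIST":
            return {"data": {"keys": ["key2", "test_secret"]}}
        return FAKE_METADATA if method == "GET" else None
    return fake


def demo():
    log = []
    c = KVv2Client("https://vault.example.internal:8200", "s.example-token", "secret/", make_fake_transport(log))
    keys = c.list_secrets()
    meta = c.secret_metadata("test_secret")
    c.delete_versions("test_secret", [2])      # !hashicorp-delete-secret ... versions=2
    c.undelete_versions("test_secret", [2])    # !hashicorp-undelete-secret ... versions=2
    c.destroy_versions("test_secret", [1])     # !hashicorp-destroy-secret ... versions=1
    return keys, meta, log


if __name__ == "__main__":
    print(demo())
```

Two details worth noticing: listing and metadata reads never return secret values, which is why a token limited to read on <mount>/metadata/* is enough for an inventory, and all three version operations are POSTs that require the update capability on their respective delete/, undelete/ and destroy/ paths rather than the delete capability a KV V1 policy would grant.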

7. Disable a secrets engine


When a secrets engine is no longer needed, it can be disabled. All secrets under the engine are revoked and the corresponding Vault data and configuration are removed. This cannot be undone: there is no "undelete" for a disabled engine, so confirm the path before running the command.

Base Command

hashicorp-disable-engine

Input
Argument Name Description Required
path Path of the secrets engine to disable Required

Context Output

There is no context output for this command.

Command Example
!hashicorp-disable-engine path=engine/
Human Readable Output

image

8. Enable a new secrets engine


Enables a new secrets engine at the specified path.

Base Command

hashicorp-enable-engine

Input
Argument Name Description Required
path The path where the secrets engine will be mounted. Required
type Type of backend. For example, "aws" Required
description Human-friendly description of the mount. Optional
default_lease_ttl The default lease duration, specified as a string duration, for example "5s" or "30m". Optional
max_lease_ttl The maximum lease duration, specified as a string duration, for example "5s" or "30m". Optional
force_no_cache Disable caching Optional
audit_non_hmac_request_keys CSV list of keys that will not be HMAC'd by audit devices in the request data object. Optional
audit_non_hmac_response_keys CSV list of keys that will not be HMAC'd by audit devices in the response data object. Optional
listing_visibility Whether to show this mount in the UI-specific listing endpoint; "unauth" or "hidden". Default is "hidden". Optional
passthrough_request_headers CSV list of headers to whitelist and pass from the request to the backend. Optional
kv_version KV version to mount. Set to "2" to mount a KV V2 engine; otherwise a KV V1 engine is mounted. Optional
local Specifies if the secrets engine is a local mount only. Local mounts are not replicated, nor (if a secondary) removed by replication. Supported only in Vault Enterprise. Optional
seal_wrap Enable seal wrapping for the mount. Supported only in Vault Enterprise. Optional

Context Output

There is no context output for this command.

Command Example
!hashicorp-enable-engine path=test_path type=kv description="this is a test"
Human Readable Output

image

9. List all configured policies


Lists all configured policies.

Base Command

hashicorp-list-policies

Input

There are no input arguments for this command.

Context Output
Path Type Description
HashiCorp.Policy.Name string Policy name

Command Example
!hashicorp-list-policies
Context Example
{
    "HashiCorp": {
        "Policy": [
            {
                "Name": "default"
            },
            {
                "Name": "root"
            }
        ]
    }
}
Human Readable Output

image

10. Get information for a policy


Get information for a policy.

Base Command

hashicorp-get-policy

Input
Argument Name Description Required
name Policy name Required

Context Output
Path Type Description
HashiCorp.Policy.Name string Policy name
HashiCorp.Policy.Rule.Path string Policy rule path
HashiCorp.Policy.Rule.Capabilities unknown Policy rule capabilities

Command Example
!hashicorp-get-policy name=default
Context Example
{
    "HashiCorp": {
        "Policy": {
            "Name": "default",
            "Rule": [
                {
                    "Capabilities": [
                        "update"
                    ],
                    "Path": "sys/control-group/request"
                },
                {
                    "Capabilities": [
                        "update"
                    ],
                    "Path": "auth/token/renew-self"
                },
                {
                    "Capabilities": [
                        "update"
                    ],
                    "Path": "sys/tools/hash"
                },
                {
                    "Capabilities": [
                        "update"
                    ],
                    "Path": "auth/token/revoke-self"
                },
                {
                    "Capabilities": [
                        "read"
                    ],
                    "Path": "sys/internal/ui/resultant-acl"
                },
                {
                    "Capabilities": [
                        "update"
                    ],
                    "Path": "sys/wrapping/lookup"
                },
                {
                    "Capabilities": [
                        "read"
                    ],
                    "Path": "auth/token/lookup-self"
                },
                {
                    "Capabilities": [
                        "update"
                    ],
                    "Path": "sys/leases/renew"
                },
                {
                    "Capabilities": [
                        "read",
                        "list",
                        "delete"
                    ],
                    "Path": "secret/delete/*"
                },
                {
                    "Capabilities": [
                        "update"
                    ],
                    "Path": "sys/renew"
                },
                {
                    "Capabilities": [
                        "update"
                    ],
                    "Path": "sys/tools/random/*"
                },
                {
                    "Capabilities": [
                        "read",
                        "delete"
                    ],
                    "Path": "secret"
                },
                {
                    "Capabilities": [
                        "update"
                    ],
                    "Path": "sys/capabilities-self"
                },
                {
                    "Capabilities": [
                        "create",
                        "read",
                        "update",
                        "delete",
                        "list"
                    ],
                    "Path": "cubbyhole/*"
                },
                {
                    "Capabilities": [
                        "read",
                        "list"
                    ],
                    "Path": "sys/policies"
                },
                {
                    "Capabilities": [
                        "update"
                    ],
                    "Path": "sys/leases/lookup"
                },
                {
                    "Capabilities": [
                        "update"
                    ],
                    "Path": "sys/tools/hash/*"
                },
                {
                    "Capabilities": [
                        "update"
                    ],
                    "Path": "sys/wrapping/wrap"
                },
                {
                    "Capabilities": [
                        "update"
                    ],
                    "Path": "sys/tools/random"
                },
                {
                    "Capabilities": [
                        "read"
                    ],
                    "Path": "sys/mounts"
                },
                {
                    "Capabilities": [
                        "update"
                    ],
                    "Path": "sys/wrapping/unwrap"
                },
                {
                    "Capabilities": [
                        "read",
                        "list"
                    ],
                    "Path": "sys/policy"
                },
                {
                    "Capabilities": [
                        "read",
                        "list"
                    ],
                    "Path": "sys/policy/*"
                },
                {
                    "Capabilities": [
                        "read",
                        "list"
                    ],
                    "Path": "sys/policies/*"
                },
                {
                    "Capabilities": [
                        "read",
                        "delete"
                    ],
                    "Path": "secret/*"
                }
            ]
        }
    }
}
Human Readable Output

image

11. Seal a vault


If you suspect your data has been compromised, you can seal your vault to prevent access to your secrets. A sealed Vault discards the master key from memory, so it can no longer decrypt its storage, and every request other than status and unseal fails until the vault is unsealed again with the required threshold of key shares. The integration's token needs a policy that allows sys/seal for this command to succeed.

Base Command

hashicorp-seal-vault

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example
!hashicorp-seal-vault
Human Readable Output

image

12. Unseal a vault


Submits a single master key share to unseal the vault. When the number of submitted shares reaches the unseal threshold, Vault unseals; otherwise, run the command again with the next share until the threshold is met. Key shares are secrets in their own right, and a command argument is recorded in the War Room with the command details, so prefer unsealing outside Demisto unless the War Room is treated as sensitive.

Base Command

hashicorp-unseal-vault

Input
Argument Name Description Required
key A single master key share. Optional
reset If "true", discards any previously submitted key shares and restarts the unseal process. Optional

Context Output

There is no context output for this command.

Command Example
!hashicorp-unseal-vault key=ABCD
Human Readable Output

image
image
image

13. Configure a secrets engine


Configure a secrets engine to fetch secrets from.

Base Command

hashicorp-configure-engine

Input
Argument Name Description Required
path The engine path, e.g., "secret/" Required
type The engine type, e.g., "KV" Required
version The engine version (for KV engines); "1" or "2" Optional

Context Output

There is no context output for this command.

Command Example
!hashicorp-configure-engine path=secret/ type=KV version=2
Human Readable Output

image

14. Reset the secrets engine configuration


Clears the secrets engine configuration previously set with the hashicorp-configure-engine command. After a reset, the integration has no engines to fetch credentials from until you configure them again.

Base Command

hashicorp-reset-configuration

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example
!hashicorp-reset-configuration
Human Readable Output

image

15. Create a new authentication token


Creates a new authentication token. The token value is returned in the context and in the War Room output, so treat the incident as sensitive and prefer short-lived or limited-use tokens (ttl, explicit_max_ttl, num_uses) over long-lived ones.

Base Command

hashicorp-create-token

Input
Argument Name Description Required
role_name The name of the token role. Optional
policies CSV list of policies for the token. This must be a subset of the policies belonging to the token making the request, unless root. If policies are not specified, all policies of the calling token are applied to the new token. Optional
meta A map of string-to-string valued metadata. This is passed through to the audit devices. Optional
no_parent If true and set by a root caller, the token will not have the parent token of the caller. This creates a token with no parent. Optional
no_default_policy If true the default policy will not be included in this token's policy set; "true" or "false" Optional
renewable If set to false, the token cannot be renewed past its initial TTL. If set to true, the token can be renewed up to the system/mount maximum TTL. "true" or "false" Optional
ttl The TTL (lease duration) period of the token, provided as "10m" or "1h", where hour is the largest suffix. If not provided, the token is valid for the default lease TTL, or indefinitely if the root policy is used. Optional
explicit_max_ttl If set, the token will have an explicit max TTL applied to it. The maximum token TTL cannot be changed later, and unlike with normal tokens, updates to the system/mount max TTL value will have no effect at renewal time. The token can never be renewed or used past the value set at issue time. Optional
display_name The display name of the token. Optional
num_uses The maximum number of times the token can be used. Supply this argument to create a one-time token or a limited-use token. The value 0 places no limit on the number of uses. Optional
period If specified, the token will be periodic; it will not have a maximum TTL (unless an "explicit-max-ttl" is also set), but every renewal will use the given period. Requires a root/sudo token to use. Optional

Context Output
Path Type Description
HashiCorp.Auth.Token string Authentication token
HashiCorp.Auth.Policy unknown Authentication policies
HashiCorp.Auth.LeaseDuration number Authentication lease duration in seconds, 0 if indefinitely

Command Example
!hashicorp-create-token display_name=test_token policies=default ttl=40m
Context Example
{
    "HashiCorp": {
        "Auth": {
            "LeaseDuration": 2400,
            "Policy": [
                "default"
            ],
            "Token": "84naQ9M9UsbvPdjD72eDD9Ya"
        }
    }
}
Human Readable Output

image

Additional Information

In order to fetch credentials from HashiCorp Vault, the relevant secrets engines must be configured with the integration so it can pull the data from them. To configure an engine with the integration, use the hashicorp-configure-engine command.

Known Limitations

Currently the integration is able to fetch credentials from the following engine types:
  1. K/V (versions 1 and 2)
  2. Cubbyhole

More engines will be supported in the future.

The following commands are limited to the K/V V2 engine:

  1. hashicorp-list-secrets
  2. hashicorp-get-secret-metadata
  3. hashicorp-delete-secret
  4. hashicorp-undelete-secret
  5. hashicorp-destroy-secret

Troubleshooting

If you receive a 404 Not Found error, make sure you specified the correct engine and secret paths. If you receive a permissions error (403), make sure the token the integration uses is attached to policies that grant the relevant paths in HashiCorp Vault. For example, in order to view the list of secrets engines, the following path and capability are required:

path "sys/mounts" {
    capabilities = ["read"]
}

To view all relevant paths please refer to the Vault documentation .
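Rather than discovering missing permissions one 403 at a time, you can ask Vault up front what the integration's token is allowed to do. The following Python script is an added example written for this page, not part of the integration: it maps each secret-related command to the KV V2 path and capability it needs (a mapping derived from Vault's KV V2 and token API documentation, not from the integration's source), queries sys/capabilities-self, which the default policy shown above permits, and reports the gaps. The server address, the token value and the fake transport that plays the role of Vault are constructed for offline use; the fake's answers are modelled on the default-policy dump above, where the token holds read and delete on secret/* but not the update capability the KV V2 delete endpoint requires.

```python
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], dict]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> dict:
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def required_paths(mount: str, secret: str) -> Dict[str, Dict[str, List[str]]]:
    """Command -> {Vault path: capabilities} for one KV v2 mount.
    Derived from Vault's KV v2 and token API docs, not from the integration's source."""
    m = mount.strip("/")
    return {
        "hashicorp-list-secrets-engines": {"sys/mounts": ["read"]},
        "hashicorp-list-secrets": {f"{m}/metadata/": ["list"]},
        "hashicorp-get-secret-metadata": {f"{m}/metadata/{secret}": ["read"]},
        "hashicorp-delete-secret": {f"{m}/delete/{secret}": ["update"]},
        "hashicorp-undelete-secret": {f"{m}/undelete/{secret}": ["update"]},
        "hashicorp-destroy-secret": {f"{m}/destroy/{secret}": ["update"]},
        "hashicorp-create-token": {"auth/token/create": ["update"]},
        "fetch-credentials": {f"{m}/data/{secret}": ["read"]},
    }


def capabilities_self(transport: Transport, addr: str, token: str, paths: List[str]) -> Dict[str, List[str]]:
    """POST sys/capabilities-self. The default policy grants update on it, so a token can always ask about itself."""
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    body = json.dumps({"paths": paths}).encode()
    data = transport("POST", f"{addr.rstrip('/')}/v1/sys/capabilities-self", headers, body)["data"]
    # Vault answers one list per requested path; ignore the extra top-level "capabilities" key.
    return {p: data.get(p, ["deny"]) for p in paths}


def missing_capabilities(required: Dict[str, Dict[str, List[str]]],
                         granted: Dict[str, List[str]]) -> List[Tuple[str, str, List[str]]]:
    """(command, path, capabilities still missing) for every command the token cannot run."""
    gaps = []
    for command, paths in required.items():
        for path, needed in paths.items():
            have = set(granted.get(path, ["deny"]))
            if "root" in have:        # root tokens pass every check
                continue
            missing = [c for c in needed if c not in have]   # "deny" grants nothing
            if missing:
                gaps.append((command, path, missing))
    return gaps


def preflight(addr: str, token: str, mount: str, secret: str, transport: Transport = urllib_transport):
    required = required_paths(mount, secret)
    paths = sorted({p for caps in required.values() for p in caps})
    return missing_capabilities(required, capabilities_self(transport, addr, token, paths))


# Constructed stand-in for sys/capabilities-self, shaped after the default-policy dump on this page:
# the token has read/delete on secret/*, but the KV v2 delete endpoint needs update, not delete.
FAKE_GRANTS = {
    "sys/mounts": ["read"],
    "secret/metadata/": ["deny"],
    "secret/metadata/test_secret": ["read"],
    "secret/delete/test_secret": ["read", "list", "delete"],
    "secret/undelete/test_secret": ["deny"],
    "secret/destroy/test_secret": ["deny"],
    "secret/data/test_secret": ["read"],
    "auth/token/create": ["update"],
}


def fake_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> dict:
    if method != "POST" or not url.endswith("/v1/sys/capabilities-self"):
        raise RuntimeError(f"unexpected call {method} {url}")
    asked = json.loads(body)["paths"]
    answer = {p: FAKE_GRANTS.get(p, ["deny"]) for p in asked}
    answer["capabilities"] = answer[asked[0]]   # Vault also echoes the first path's list under this key
    return {"data": answer}


def demo():
    return preflight("https://vault.example.internal:8200", "s.example-token", "secret/", "test_secret", fake_transport)


if __name__ == "__main__":
    for command, path, missing in demo():
        print(f"{command}: add {missing} on {path!r}")
```

Run against a real server by dropping the transport argument (the default uses urllib over HTTPS). The output is a list of policy stanzas to add; in the constructed case it flags hashicorp-list-secrets (no list on secret/metadata/) and the three version commands, while the read-only inventory commands and credential fetching pass.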