# How to integrate Hashicorp Vault

Out-of-the-box, both PagerDuty Process Automation (PA) & Rundeck Community store all the keys and passwords in their own Key Storage using the database backend. Many customers prefer to use a central Key Storage server to access all keys and passwords from a single secure location. This avoids saving secrets in multiple locations and reduces the risk of key/password leaks.

This article will demonstrate how to integrate PA/Rundeck Community with the Hashicorp Vault plugin.

# Hashicorp Vault

Vault (opens new window) is an identity-based secret and encryption management system. A secret is anything that you want to tightly control access to, such as API encryption keys, passwords, or certificates. Vault provides encryption services that are gated by authentication and authorization methods. Using Vault’s UI, CLI, or HTTP API, access to secrets and other sensitive data can be securely stored and managed, tightly controlled (restricted), and auditable.

# Validate Vault server access.

Before integrating Vault with PA or Rundeck confirm the the Vault server is available and that you have access to configure it.

If you don’t already have Vault installed follow these steps:

  1. Download the Vault binary here (opens new window).
  2. Uncompress the file and save the executable in a specific location in this example is saved on /home/user/Programs/vault
  3. Start the server with ./vault server -dev command.
  4. Check the output, you can see the Vault server URL and use the token to access it.

    Checking the VAULT_ADDR URL in any browser you can see the Vault web interface. Use the Vault output’s Root Token to login.

For more Vault Setup instructions see their documentation here (opens new window).

# Preparing Vault Integration

Hashicorp recommends using AppRoles for authenticating and governing access for integrations such as this. The following steps assume this is a fresh installation of Vault. Feel free to adapt to your current installation as needed. To perform these steps you will need a working Vault CLI setup (opens new window) with root rights to configure the Vault installation.

  1. Enable Approle authentication method. vault auth enable approle
  2. Save the following text to a file called policy.hcl on the machine where the Vault CLI is run from.
    path "secret/data/rundeck-keys/*" {
    capabilities = ["create", "read", "update"]
    path "secret/metadata/rundeck-keys/*" {
    capabilities = ["read", "delete", "list"]
    path "secret/delete/rundeck-keys/*" {
    capabilities = ["update"]
    path "secret/rundeck-keys/*" {
    capabilities = ["create", "update", "delete", "read", "list"]

    This policy assumes all the keys will be stored in the default secret kV store whether it is version 1 or 2. If you have an existing path for keys you wish to use only replace the rundeck-keys part with the path you desire.

  3. Import this policy to Vault: vault policy write rundeck-policy ./policy.hcl
  4. Create a role for Rundeck
    vault write auth/approle/role/rundeck \
    secret_id_ttl=20m \
    token_num_uses=0 \
    token_ttl=20m \
    token_max_ttl=30m \
  5. Gather the role_id and secret_id for use when configuring in Rundeck: Role ID: vault read auth/approle/role/rundeck/role-id Secret ID: vault write -force auth/approle/role/rundeck/secret-id

# Configuring Vault with PA / Rundeck