Vault is compatible with MAAS version 3.3 and above. Please upgrade if you’re using an older version.
To ensure seamless integration between MAAS and Vault, you’ll first need to obtain a role_id and wrapped_token through Vault’s CLI. For detailed guidance, check HashiCorp Vault’s tutorial.
Here’s an illustrative example of how to set up this integration using the vault CLI:
Check whether the approle engine is mounted:
$ vault auth list
If approle/ isn’t mounted, enable it:
$ vault auth enable approle
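Mount the KV v2 secrets engine at $SECRETS_MOUNT:
$ vault secrets enable -path $SECRETS_MOUNT kv-v2
Save a policy for MAAS to $POLICY_FILE, replacing $SECRETS_MOUNT and $SECRETS_PATH with their actual values (Vault does not expand shell variables inside a policy file):
path "$SECRETS_MOUNT/metadata/$SECRETS_PATH/" {
  capabilities = ["list"]
}
path "$SECRETS_MOUNT/metadata/$SECRETS_PATH/*" {
  capabilities = ["read", "update", "delete", "list"]
}
path "$SECRETS_MOUNT/data/$SECRETS_PATH/*" {
  capabilities = ["read", "create", "update", "delete"]
}
Write the policy to Vault:
$ vault policy write $MAAS_POLICY $POLICY_FILE
Create the AppRole role and attach the policy to it:
$ vault write auth/approle/role/$ROLE_NAME \
    policies=$MAAS_POLICY token_ttl=5m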
Fetch the role ID:
$ vault read auth/approle/role/$ROLE_NAME/role-id
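Generate a secret ID, response-wrapped with a 5-minute TTL (-f is required because the write carries no data):
$ vault write -wrap-ttl=5m -f auth/approle/role/$ROLE_NAME/secret-id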
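The Vault-side steps above as one script, given here as an added example that is not part of the MAAS documentation. It renders the policy with the mount and path expanded (rejecting values that could widen the policy) and, as an extra check beyond the page's steps, confirms through sys/wrapping/lookup that the wrapping token is still unused and was created at the role's secret-id endpoint. The default names (maas-kv, maas, maas-role, maas-policy) and the function names are assumptions.

```shell
# Added example, not from the MAAS docs. Default values are constructed placeholders.
SECRETS_MOUNT="${SECRETS_MOUNT:-maas-kv}"
SECRETS_PATH="${SECRETS_PATH:-maas}"
ROLE_NAME="${ROLE_NAME:-maas-role}"
MAAS_POLICY="${MAAS_POLICY:-maas-policy}"

# Print the policy with mount and path expanded, so Vault stores real paths
# instead of the literal text "$SECRETS_MOUNT". Body runs in a subshell: ( ... ).
render_maas_policy() (   # usage: render_maas_policy MOUNT PATH
  for v in "$1" "$2"; do
    case "$v" in
      # Reject empty values and anything (quotes, globs, spaces) that could
      # alter or widen the policy when spliced into the HCL below.
      ''|*[!A-Za-z0-9_/-]*) echo "invalid value: '$v'" >&2; exit 1 ;;
    esac
  done
  cat <<EOF
path "$1/metadata/$2/" {
  capabilities = ["list"]
}
path "$1/metadata/$2/*" {
  capabilities = ["read", "update", "delete", "list"]
}
path "$1/data/$2/*" {
  capabilities = ["read", "create", "update", "delete"]
}
EOF
)

# A wrapped secret-id must have been created at this role's secret-id endpoint.
wrap_path_ok() {   # usage: wrap_path_ok CREATION_PATH ROLE_NAME
  [ "$1" = "auth/approle/role/$2/secret-id" ]
}

# Requires a reachable Vault and a token allowed to manage policies and AppRole.
issue_maas_credentials() (
  policy=$(render_maas_policy "$SECRETS_MOUNT" "$SECRETS_PATH") || exit 1
  printf '%s\n' "$policy" | vault policy write "$MAAS_POLICY" - >&2 || exit 1
  vault write "auth/approle/role/$ROLE_NAME" \
    policies="$MAAS_POLICY" token_ttl=5m >&2 || exit 1
  role_id=$(vault read -field=role_id "auth/approle/role/$ROLE_NAME/role-id") || exit 1
  wrapped=$(vault write -wrap-ttl=5m -field=wrapping_token -f \
    "auth/approle/role/$ROLE_NAME/secret-id") || exit 1
  # Lookup does not consume the token; it fails if expired or already unwrapped.
  created=$(vault write -field=creation_path sys/wrapping/lookup token="$wrapped") || exit 1
  wrap_path_ok "$created" "$ROLE_NAME" || exit 1
  printf '%s %s\n' "$role_id" "$wrapped"   # APPROLE_ID and WRAPPED_TOKEN for MAAS
)
```

Calling issue_maas_credentials prints the role ID and the wrapping token on one line; with token_ttl and wrap-ttl both at 5m, hand them to MAAS immediately.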
Post-setup, you can integrate MAAS with Vault using:
$ sudo maas config-vault configure $URL $APPROLE_ID $WRAPPED_TOKEN $SECRETS_PATH --mount $SECRETS_MOUNT
Complete the integration by migrating the secrets:
$ sudo maas config-vault migrate
This guide provides you with a structured approach to get your MAAS-Vault integration up and running. Happy integrating!