HashiCorp Vault Cypher Plugin

ctaylor · June 23, 2022, 3:32pm

Hello,

I have started a HashiCorp Vault Cypher Plugin that supports both KV1 and KV2 vault secret engines. It is intended to extend upon the native vault integration that currently exists within Morpheus Cypher Core and provide extensible HashiCorp Vault secret engine support. Currently this plugin supports KV1 and KV2 engines but can be extended by the Community to support other engines within the future. The native Morpheus vault integration will only support KV2.

Please feel free to extend/add-to this plugin via public pull requests.

Update: 24/06/2022
HashiCorp Vault Cypher Plugin version 1.2.0 is designed to supersede the native vault integration and will use the “vault” mountpoint instead of “hashicorpVault”. Cypher — Morpheus Docs documentation will be updated with how to use the plugin. The plugin will also be made official on https://share.morpheusdata.com/

Update: 26/07/2022
The plugin has now merged into the official Morpheus HashiCorp Vault Plugin here: GitHub - gomorpheus/morpheus-vault-plugin: A Vault integration plugin for morpheus to offload credential storage to a remote secrets engine
The plugin JAR is now available for download here: Morpheus Marketplace
Documentation can be found on the repository README and the official Morpheus Docs. KV1 and KV2 engine support have been added to both Cypher and Credential integrations.

alipscombe · June 23, 2022, 3:51pm

Awesome nice work @ctaylor

aharker · June 23, 2022, 3:57pm

Awesome @ctaylor

ctaylor · June 23, 2022, 4:07pm

Here is how to save a secret into KV1:

ctaylor · July 26, 2022, 10:13am

Update: 26/07/2022
The plugin has now merged into the official Morpheus HashiCorp Vault Plugin here: GitHub - gomorpheus/morpheus-vault-plugin: A Vault integration plugin for morpheus to offload credential storage to a remote secrets engine
The plugin JAR is now available for download here: Morpheus Marketplace
Documentation can be found on the repository README and the official Morpheus Docs. KV1 and KV2 engine support have been added to both Cypher and Credential integrations.

aharker · July 26, 2022, 3:39pm

New content has been added to docs, along with a YouTube demo, detailing these updates to the Vault plugin. Nice work @ctaylor !

Richard_Manoi · September 9, 2022, 3:41am

Hello, I have a question about using the Vault on Cypher

Is this line for creating KV2 correct? because it failed and seems still requesting for v1 in the Morpheus log.
I’m also using a path that successfully used on the Trust → Credential menu

the line is:
vault/kv2/secret/morpheus-credentials/test-kv2

also screenshot:

Thank you

ctaylor · September 9, 2022, 8:07am

Hello, V1 in the log refers to the version of the API the plugin is using. V1 is the API version used for both KV1 and KV2 engines as can be seen here: morpheus-vault-plugin/AbstractVaultEngine.groovy at master · gomorpheus/morpheus-vault-plugin · GitHub.

I believe you should be using vault/kv2/secret/data/morpheus-credentials/test-kv2. You are missing /data/ from the path.

Thanks

Richard_Manoi · September 12, 2022, 5:02am

Hello, thank you for the help, it’s working when I add the /data/ path

Also, an extra question, does this only work 1 way? Because if I change the secret value from the vault UI, it didn’t sync the new value when I decrypt it from the Cypher menu, while the Trust menu is able to sync the new secret value.

Thanks

ctaylor · September 12, 2022, 12:29pm

Hello

I think that is something we should look into. Currently, if you are referencing pre-existing HashiCorp cypher entries (that have not been added via Tools → Cypher) directly within your automation scripts then Morpheus will read any changes made within the vault UI. If you have created a new HashiCorp Cypher entry via Tools → Cypher, then changes made in the Vault backend are not reflected in Morpheus.

You could raise this as an issue on the plugin github repository if this behaviour is impacting your usage?

Richard_Manoi · September 13, 2022, 5:03am

Hello

I’ve still on the assessment and finding the possible application using the vault plugin on Morpheus. but I raised the issue anyway on the github

Thanks

ctaylor · April 11, 2023, 10:33am

Hello @Richard_Manoi apologies for the late update on this community post. As you may have already seen, the issue you faced with reading values (updated in the backend) was fixed late last year in version 1.3.0

Topic		Replies	Views
Creating a custom Task Plugin that can access secrets from Cypher and HashiCorp Vault Plugins automation , cypher , plugins , tasks	0	342	October 11, 2023
Morpheus CyberArk Conjur Cypher & Trust Plugin Plugins cypher , credentials	4	533	May 28, 2024
Use Hashicorp Vault? Call Vault-stored values into your Automation Tasks! Automation/IaC automation , cypher	0	318	May 6, 2022
Cypher Plugin - Failed to create cypher Plugins cypher	6	374	June 21, 2022
Cypher / Credentials in Multi Tenant Setup Secrets Management cypher , credential-store , credentials	0	90	March 27, 2024

HashiCorp Vault Cypher Plugin

Related topics