HashiCorp Vault Cypher Plugin

Hello,

I have started a HashiCorp Vault Cypher Plugin that supports both KV1 and KV2 vault secret engines. It is intended to extend upon the native vault integration that currently exists within Morpheus Cypher Core and provide extensible HashiCorp Vault secret engine support. Currently this plugin supports KV1 and KV2 engines but can be extended by the Community to support other engines in the future. The native Morpheus vault integration will only support KV2.

Please feel free to extend/add-to this plugin via public pull requests.

Update: 24/06/2022
HashiCorp Vault Cypher Plugin version 1.2.0 is designed to supersede the native vault integration and will use the “vault” mountpoint instead of “hashicorpVault”. Cypher — Morpheus Docs documentation will be updated with how to use the plugin. The plugin will also be made official on https://share.morpheusdata.com/

Update: 26/07/2022
The plugin has now merged into the official Morpheus HashiCorp Vault Plugin here: GitHub - gomorpheus/morpheus-vault-plugin: A Vault integration plugin for morpheus to offload credential storage to a remote secrets engine
The plugin JAR is now available for download here: Morpheus Marketplace
Documentation can be found on the repository README and the official Morpheus Docs. KV1 and KV2 engine support have been added to both Cypher and Credential integrations.

3 Likes

Awesome nice work @ctaylor :smiley:

Awesome @ctaylor

Here is how to save a secret into KV1:

1 Like

New content has been added to docs, along with a YouTube demo, detailing these updates to the Vault plugin. Nice work @ctaylor !

2 Likes

Hello, I have a question about using the Vault on Cypher

Is this line for creating KV2 correct? It failed, and it still seems to be requesting v1 in the Morpheus log.
I’m also using a path that was successfully used in the Trust → Credential menu.

the line is:
vault/kv2/secret/morpheus-credentials/test-kv2

also screenshot:

Thank you

Hello, V1 in the log refers to the version of the API the plugin is using. V1 is the API version used for both KV1 and KV2 engines as can be seen here: morpheus-vault-plugin/AbstractVaultEngine.groovy at master · gomorpheus/morpheus-vault-plugin · GitHub.

I believe you should be using vault/kv2/secret/data/morpheus-credentials/test-kv2. You are missing /data/ from the path.

Thanks

1 Like
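
The path rule from the answer above, as an added example that is not part of the thread or the plugin's code: a small checker that flags a KV2 Cypher key missing the data/ segment and shows the Vault HTTP API path the key maps to. The key layout vault/<engine>/<mount>/<path>, the single-segment mount name, and the names check_cypher_key and KeyCheck are assumptions made for illustration.

```python
# Added example (not the plugin's code): validate a Cypher key for the Vault plugin.
# Assumed layout, inferred from the thread: vault/<engine>/<mount>/<secret path>,
# with a single-segment mount name.
from dataclasses import dataclass
from typing import Optional

CYPHER_MOUNT = "vault"      # plugin mountpoint named in the thread
ENGINES = ("kv1", "kv2")    # engines the thread says are supported
API_PREFIX = "/v1"          # Vault HTTP API version, the same for KV1 and KV2


@dataclass
class KeyCheck:
    ok: bool
    api_path: Optional[str] = None     # path the request would target
    problem: Optional[str] = None
    suggestion: Optional[str] = None   # corrected Cypher key, when one is obvious


def check_cypher_key(key: str) -> KeyCheck:
    parts = key.split("/")
    if any(p in ("", ".", "..") for p in parts):
        return KeyCheck(False, problem="empty or relative path segment")
    if len(parts) < 4 or parts[0] != CYPHER_MOUNT:
        return KeyCheck(False, problem="expected vault/<engine>/<mount>/<path>")
    engine, mount, rest = parts[1], parts[2], parts[3:]
    if engine not in ENGINES:
        return KeyCheck(False, problem=f"unsupported engine {engine!r}")
    # KV2 serves secret values under <mount>/data/<path>; KV1 has no such segment.
    if engine == "kv2" and (rest[0] != "data" or len(rest) < 2):
        fixed = "/".join([CYPHER_MOUNT, engine, mount, "data", *rest])
        return KeyCheck(False, problem="KV2 path lacks data/ after the mount",
                        suggestion=fixed)
    return KeyCheck(True, api_path="/".join([API_PREFIX, mount, *rest]))


if __name__ == "__main__":
    for k in ("vault/kv2/secret/morpheus-credentials/test-kv2",   # key from the thread
              "vault/kv2/secret/data/morpheus-credentials/test-kv2",
              "vault/kv1/kv/app/db"):                             # constructed KV1 key
        print(k, "->", check_cypher_key(k))
```
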

Hello, thank you for the help, it’s working when I add the /data/ path

Also, an extra question, does this only work 1 way? Because if I change the secret value from the vault UI, it didn’t sync the new value when I decrypt it from the Cypher menu, while the Trust menu is able to sync the new secret value.

Thanks

Hello

I think that is something we should look into. Currently, if you are referencing pre-existing HashiCorp cypher entries (that have not been added via Tools → Cypher) directly within your automation scripts then Morpheus will read any changes made within the vault UI. If you have created a new HashiCorp Cypher entry via Tools → Cypher, then changes made in the Vault backend are not reflected in Morpheus.

You could raise this as an issue on the plugin github repository if this behaviour is impacting your usage?

Hello

I’m still on the assessment and finding possible applications for the Vault plugin on Morpheus, but I raised the issue on GitHub anyway.

Thanks