Using Vault

Overview

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing.

Vault is used by Genvid as a secure key-value store and a way of securing access to the key-value store for Genvid services.

Storing Custom Secrets

You can import custom secrets into Vault through the config/sample.json file that defines a project. The secrets structure is imported into Vault when the project is imported.

Here is an example of the secrets structure in stream.json:

{
  "secrets": {
    "disco": {"GENVID_DISCO_SECRET": "discosecret"},
    "webgateway": {"GENVID_WEBGATEWAY_SECRET": "webgatewaysecret"}
  }
}

The Vault key-value store translates it into the following keys:

secret/disco/GENVID_DISCO_SECRET="discosecret"
secret/webgateway/GENVID_WEBGATEWAY_SECRET="webgatewaysecret"
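As an added example (not Genvid's own import code), the routine below performs the same translation the import does: it reads the secrets structure from a project file and produces the secret/<service>/<KEY> paths listed above. The mount name secret is taken from the keys shown on this page; the strict validation (two levels only, string values, no slashes in names) is an assumption added so that a malformed secrets block fails before anything is written to Vault.

```python
import json

# Constructed sample input: the "secrets" structure from the stream.json example above.
SAMPLE_PROJECT_JSON = """
{
  "secrets": {
    "disco": {"GENVID_DISCO_SECRET": "discosecret"},
    "webgateway": {"GENVID_WEBGATEWAY_SECRET": "webgatewaysecret"}
  }
}
"""

MOUNT = "secret"  # KV mount the page shows the keys under (assumption: fixed)


def flatten_secrets(project_json: str, mount: str = MOUNT) -> dict:
    """Translate the project's "secrets" structure into Vault KV paths.

    Mirrors the mapping shown on the page:
        secrets.<service>.<KEY>  ->  <mount>/<service>/<KEY>

    Anything that is not a two-level object of string values is rejected, so a
    malformed project file fails loudly instead of storing a coerced value
    (for example a nested object turned into its string representation).
    """
    doc = json.loads(project_json)
    secrets = doc.get("secrets", {})
    if not isinstance(secrets, dict):
        raise ValueError('"secrets" must be an object keyed by service name')

    paths = {}
    for service, entries in secrets.items():
        if not isinstance(entries, dict):
            raise ValueError(f"secrets.{service} must be an object of KEY: value pairs")
        if "/" in service or not service:
            raise ValueError(f"invalid service name {service!r}")
        for key, value in entries.items():
            if "/" in key or not key:
                raise ValueError(f"invalid secret name {key!r} under {service}")
            if not isinstance(value, str):
                raise ValueError(f"secrets.{service}.{key} must be a string")
            paths[f"{mount}/{service}/{key}"] = value
    return paths


def render(paths: dict) -> str:
    """Render the mapping in the path="value" form used on this page."""
    return "\n".join(f'{path}="{value}"' for path, value in sorted(paths.items()))


if __name__ == "__main__":
    print(render(flatten_secrets(SAMPLE_PROJECT_JSON)))
```

Running the block prints the two secret/... lines exactly as listed above; feeding it a secrets block with a nested object or a numeric value raises a ValueError instead of producing a misleading key.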

Checking Vault Process Statuses

You can use the command-line tools to check the Vault process status.

genvid-bastion status

This returns the Vault process status as either vault is not started or vault.exe running.

You can also check for the status of the Vault service from the Consul-UI web interface.

genvid-sdk open consul-ui

In the Services section, click the Vault service to display its health checks on the right side of the window.

The Vault Sealed Status check is green if Vault is unsealed and orange if it is sealed or unavailable. Click the name of any health check to get more information about the result.

If the Vault service does not appear in the Services list on the left side, there was an issue with the Vault setup and it couldn't register with Consul.

Viewing Vault Data from the Command Line

While running a local environment, you can display Vault data from the command line after the environment is set up.

genvid-bastion env

The values you are interested in are VAULT_ADDR, VAULT_KEYS, and VAULT_TOKEN.

For the cloud environment, a future API will be provided to interact with Vault.

For now, the HTTP API GET /secrets/list can be used for secrets manipulation.