Secrets - Hashicorp Vault


In this document, you’ll learn how to integrate an existing Vault with Volterra Secrets Management and use a TLS certificate stored as a secret in Vault for a Virtual Host.

Further details can be found at External Secrets Management System under VES Concepts.



  • VES account.
  • Installation of Hashicorp Vault.
  • A Virtual Host and a signed TLS certificate for your Virtual Host.

    • Note: If you don't have an existing Virtual Host, please create one.
  • Optionally, one or more cloud or edge locations with Volterra Site.


  1. Log in to Vault and create a secret, or use an existing secret.

    • Here, the secret is the private key of the TLS certificate.
  2. Create a Vault authentication method to access the secret: AppRole Authentication or Token Authentication.
  3. Configure ‘Secret Management’ on Volterra to fetch the secret from Vault.
  4. Discover and advertise Vault. This involves creating a virtual host for the Vault service; see "Create and Advertise a Virtual Host".
  5. Configure the application's Virtual Host to obtain the TLS certificate stored in Vault.

Configuration Steps

The following shows the configuration workflow of Vault as an external secret management system.

Figure: Vault Configuration Workflow

Prepare Vault

Step 1: Configure authentication method in Vault.

Volterra supports Vault authentication using either ‘approle’ or ‘token’. Make sure one of these is configured in Vault. A sample configuration is shown below:

Figure: Approle Configuration

Sample approle configuration:

Figure: Sample Approle Configuration

Sample token configuration:

Figure: Sample Token Configuration

Step 2: Enable KV Secrets Engine from secrets configuration pane.

A sample configuration is shown below:

Figure: KV Secrets Engine Setting

Figure: Enable KV Secrets Engine

Step 3: Create a secret in the path created above.

The secret here is a TLS Certificate. Find a sample configuration below:

Figure: Secret Creation Setting
Figure: Create a Secret

Step 4: Create an ACL policy to enable permissions on the secret created above.

Figure: ACL Policy Creation

Step 5: Get the entity identifier.

Obtain the entity ID from the ‘Access’ section; it is used later as the `Roleid` in the Volterra configuration.

Figure: Obtaining Entity ID

Configure Vault for Secret Management in Volterra

Step 1: Start creating secret management access in VoltConsole.

Select the ‘system’ namespace. From the configuration menu, select ‘Manage’, then ‘Site Management’, and choose ‘Secret Management’ from the options pane. Provide a name for the credentials, select API Certificate as the credential type, and provide a password to access the credential.

Figure: Create Secret Management

Step 2: Set input name and provider name.

Figure: Configure Secret Management

Step 3: Configure access information.

Select Authentication Parameters from the available options. In this scenario, it is “Vault Authentication Parameters”.

Figure: Configure Authentication Parameters

Select a parameter for authentication. Supported options are “AppRole Authentication” and “Token Authentication”.

Figure: Configure Authentication Parameters

Provide the RoleID or Token. RoleID refers to the Vault role_id. If the user chooses Token Authentication, Secret Info can be used to encrypt the token in one of the four encryption patterns supported by Volterra.

Figure: Role ID - AppRole Authentication

Figure: Token Authentication

Provide the Secret ID. This refers to the token or the AppRole secret. Secret Info can be used to encrypt it in one of the four encryption patterns supported by Volterra.

Figure: Secret ID

Provide the TLS details of Vault.

Figure: Vault - TLS

Figure: Vault - TLS

Discover and Advertise Vault

Vault can be hosted externally on Azure, AWS, or a private cloud. Follow Create and Advertise a Virtual Host from the How-To section. The two configuration aspects that differ from a traditional Advertise Policy and Virtual Host, and that are required for Vault, are described below:

Step 1: Set the advertise policy network type.

Select “Network Type” as “Virtual_Network_VER_INTERNAL” while adding the advertise policy.

Figure: Advertise Policy - Vault

Step 2: Set the proxy type for virtual host.

Select “Proxy Type” as “SMA_PROXY” while adding the Virtual Host.

Figure: Virtual Host - Vault

Configure Application Virtual Host for Vault Access

This section shows a sample virtual host configuration whose private key, in the TLS Parameters section, is obtained from the external Vault.

We assume that an application virtual host has been created before starting this guide; use Create and Advertise a Virtual Host as a reference. The Virtual Host TLS Parameters configuration specific to Vault is explained below.

Step 1: Select TLS Parameters in Virtual Host.

Figure: Configuring TLS Parameters

Step 2: Configure TLS Parameters.

Figure: Configuring TLS Parameters

Step 3: Add a TLS certificate by selecting TLS Certificates above.

Figure: Certificate URL - Base64 Encoded

Step 4: Configure the Private Key.
  • Secret Info: Vault Secret in this scenario.
  • Provider: refers to the Secret Management object created in the “Create Secret Management - Volterra” section, step 1 above. The provider name here must be the same.
  • Location: the path/location of the secret in Vault.
  • Key: the name of the key in Vault.
  • Version: the version of the key in Vault.

Figure: Private Key Configuration
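To make the fields above concrete, here is an added Python example (not Volterra's or Vault's own code) of the fetch that the Secret Management object performs against Vault's HTTP API: an AppRole login with the RoleID and Secret ID, then a read of Location/Key/Version from the KV engine. It assumes AppRole auth at the default `auth/approle` mount and a KV v2 engine at `secret/`; the sample response is constructed.

```python
import json
import urllib.request

# Constructed sample response for GET /v1/<mount>/data/<location>?version=N on a
# KV v2 engine; the shape follows Vault's documented response, the values are made up.
SAMPLE_KV_RESPONSE = {
    "data": {
        "data": {"tls-key": "-----BEGIN PRIVATE KEY-----\n...constructed...\n-----END PRIVATE KEY-----"},
        "metadata": {"version": 2, "destroyed": False, "deletion_time": ""},
    }
}

def approle_login_request(role_id, secret_id):
    """AppRole login is a POST of role_id + secret_id; Vault answers with a client token."""
    return "v1/auth/approle/login", {"role_id": role_id, "secret_id": secret_id}

def kv_read_path(location, version=None, mount="secret"):
    """Map the 'Location' and 'Version' fields to a KV v2 read path. KV v2 inserts
    'data/' between the mount and the secret path, so the ACL policy from Prepare Vault
    step 4 must grant read on secret/data/<location>, not secret/<location>."""
    path = f"v1/{mount}/data/{location.strip('/')}"
    if version is not None:
        path += f"?version={int(version)}"
    return path

def extract_key(response, key):
    """Pull the named key (the 'Key' field) out of a KV v2 read response."""
    payload = response["data"]
    if payload["data"] is None:  # KV v2 returns data: null for deleted/destroyed versions
        raise ValueError("requested secret version is deleted or destroyed")
    if key not in payload["data"]:
        raise KeyError(f"key {key!r} not present in version {payload['metadata']['version']}")
    return payload["data"][key]

def fetch_private_key(vault_addr, role_id, secret_id, location, key, version=None):
    """Live flow (needs a reachable Vault): AppRole login, then read the secret."""
    path, body = approle_login_request(role_id, secret_id)
    req = urllib.request.Request(f"{vault_addr}/{path}", method="POST",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["auth"]["client_token"]
    req = urllib.request.Request(f"{vault_addr}/{kv_read_path(location, version)}",
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req) as resp:
        return extract_key(json.load(resp), key)
```

The three small functions are pure so the path and key mapping can be checked offline; only `fetch_private_key` talks to a Vault server.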


API References