Skip to main content

Configure a HashiCorp Vault Client Token

Aembit's Credential Provider for HashiCorp Vault (or just Vault) enables you to integrate Aembit with your Vault services.

This Credential Provider allows your Client Workloads to securely authenticate with Vault using OpenID Connect (OIDC) and obtain short-lived JSON Web Tokens (JWTs) for accessing Vault resources.

  • OIDC Issuer URL - OpenID Connect (OIDC) Issuer URL, auto-generated by Aembit, is a dedicated endpoint for OIDC authentication within HashiCorp Vault.

Accessing Vault on private networks​

By default, Aembit handles authentication through Aembit Cloud for Vaults accessible from the cloud.

For Vault instances on private networks, enable Private Network Access during configuration to allow your colocated Agent Proxy to handle authentication directly. Note that your Vault Server Workload must still be accessible from the network edge.

Click to see example

Private Network Access enabled

warning

When enabling Vault Private Network Access, you must use Agent Proxy v1.21.2670 or higher.

Configure a Vault Credential Provider​

To configure a Vault Credential Provider, follow these steps:

  1. Log in to your Aembit tenant, and in the left sidebar menu, go to Credential Providers.

  2. Click + New, which reveals the Credential Provider page.

  3. In the Credential Providers dialog window, enter the following information:

  4. Enter a Name and optional Description.

  5. In the Credential Type dropdown, select Vault Client Token, revealing new fields.

  6. In the JSON Web Token (JWT) section, enter a Vault-compatible Subject value.

    If you configured Vault Roles with bound_subject, the Subject value needs to match the bound_subject value exactly.

  7. Define any Custom Claims you may have by clicking + New Claim, and entering the Claim Name and Value for each custom claim you add.

  8. Enter the remaining details in the Vault Authentication section:

    • Host - Hostname of your Vault Server.

    • Port - The port to access the Vault service. Optionally, you may check the TLS checkbox to require TLS connections to your Vault service.

    • Authentication Path - The path to your OIDC authentication configuration in the Vault service.

    • Role - The access credential associated with the Vault Authentication Path.

    • Namespace - The environment namespace of the Vault service.

    • Forwarding Configuration - Specify how Aembit should forward requests between Vault clusters or servers.

      This setting ensures Aembit's request handling aligns with your Vault cluster's forwarding configuration. See Vault configuration parameters for more details about request forwarding in Vault.

      For more info, see the Vault configuration parameters in the official HashiCorp Vault docs.

    • Private Network Access - Check this if your Vault exists in a private network, or a network that's accessible only from your Edge deployment (for example, when Vault is behind a regional load-balancer). Otherwise, leave it unchecked for Vaults that are accessible from the cloud. See Accessing Vault on private networks.

      warning

      When enabling Vault Private Network Access, you must use Agent Proxy v1.21.2670 or higher.

    Credential Providers - Dialog Window Completed

  9. Click Save.

    Aembit displays your new Vault Credential Provider on the Credential Providers page.