1.0 Introduction
This article describes the steps needed to effectively integrate Fortanix Key Insight’s on-premises scanning capabilities with HashiCorp Vault.
HashiCorp Vault provides a centralized system for managing secrets and encrypting keys. By integrating it with Fortanix Key Insight, you can leverage Vault’s secure storage and management capabilities while benefiting from Key Insight’s advanced scanning and monitoring features.
2.0 Prerequisites
Before starting the integration, ensure you have:
Fortanix Key Insight Account: Access to Fortanix Key Insight with appropriate permissions.
HashiCorp Vault Installation: An operational instance of HashiCorp Vault, either installed on-premises or managed by HashiCorp.
Administrative Privileges: Access to administrative interfaces for both Fortanix Key Insight and HashiCorp Vault.
3.0 Install and Configure On-premises Scanner
For information on how to install and configure an on-premises scanner, refer to On-premises Connection Scanning Configuration.
4.0 Integrate On-premises Scanner with HashiCorp Vault
If you use HashiCorp Vault to manage credentials, you should use the vault-agent to retrieve credentials from Vault and inject them as environment variables into the fortanix-scanner.
In this integration, the vault-agent must be configured to execute the fortanix-scanner, as outlined in Vault Agent's Process Supervisor Mode.
Refer to the following code sample to configure the vault-agent:
auto_auth {
  method {
    ...
  }
}

template_config {
  static_secret_render_interval = "..."
  # Stop the agent instead of starting the scanner with partially rendered secrets.
  exit_on_retry_failure        = true
  max_connections_per_host     = 10
}

vault {
  address = "https://<vault uri>"
}

# Each env_template renders one secret into one environment variable of the child process.
env_template "ARMOR_API_KEY_1" {
  contents             = "{{ with secret \"path/to/secret1\" }}{{ .Data.data.apikey }}{{ end }}"
  error_on_missing_key = true
}

env_template "ARMOR_API_KEY_2" {
  contents             = "{{ with secret \"path/to/secret2\" }}{{ .Data.data.apikey }}{{ end }}"
  error_on_missing_key = true
}

env_template "DB1_USERNAME" {
  contents             = "{{ with secret \"path/to/db1/cred\" }}{{ .Data.username }}{{ end }}"
  error_on_missing_key = true
}

env_template "DB1_PASSWORD" {
  contents             = "{{ with secret \"path/to/db1/cred\" }}{{ .Data.password }}{{ end }}"
  error_on_missing_key = true
}

env_template "DB2_USERNAME" {
  contents             = "{{ with secret \"path/to/db2/cred\" }}{{ .Data.username }}{{ end }}"
  error_on_missing_key = true
}

env_template "DB2_PASSWORD" {
  contents             = "{{ with secret \"path/to/db2/cred\" }}{{ .Data.password }}{{ end }}"
  error_on_missing_key = true
}

env_template "DB_CLIENT_ID" {
  contents             = "{{ with secret \"path/to/db3/cred\" }}{{ .Data.client_id }}{{ end }}"
  error_on_missing_key = true
}

env_template "DB_CLIENT_SECRET" {
  contents             = "{{ with secret \"path/to/db3/cred\" }}{{ .Data.client_secret }}{{ end }}"
  error_on_missing_key = true
}

env_template "DB_TENANT_ID" {
  contents             = "{{ with secret \"path/to/db3/cred\" }}{{ .Data.tenant_id }}{{ end }}"
  error_on_missing_key = true
}

env_template "REPO1_USERNAME" {
  contents             = "{{ with secret \"path/to/repo1/cred\" }}{{ .Data.username }}{{ end }}"
  error_on_missing_key = true
}

env_template "REPO1_PASSWORD" {
  contents             = "{{ with secret \"path/to/repo1/cred\" }}{{ .Data.password }}{{ end }}"
  error_on_missing_key = true
}

env_template "REPO2_USERNAME" {
  contents             = "{{ with secret \"path/to/repo2/cred\" }}{{ .Data.username }}{{ end }}"
  error_on_missing_key = true
}

env_template "REPO2_PASSWORD" {
  contents             = "{{ with secret \"path/to/repo2/cred\" }}{{ .Data.password }}{{ end }}"
  error_on_missing_key = true
}

env_template "REPO3_USERNAME" {
  contents             = "{{ with secret \"path/to/repo3/cred\" }}{{ .Data.username }}{{ end }}"
  error_on_missing_key = true
}

env_template "REPO3_PASSWORD" {
  contents             = "{{ with secret \"path/to/repo3/cred\" }}{{ .Data.password }}{{ end }}"
  error_on_missing_key = true
}

# The PKI secrets engine issues a short-lived certificate and key for DSM app authentication.
# Inner quotes inside contents must be escaped with a backslash.
env_template "DSM_APP_AUTH_CERT" {
  contents             = "{{ with secret \"pki/issue/dsm-app-role\" \"common_name=<common-name>\" }}{{ .Data.certificate }}{{ end }}"
  error_on_missing_key = true
}

env_template "DSM_APP_AUTH_KEY" {
  contents             = "{{ with secret \"pki/issue/dsm-app-role\" \"common_name=<common-name>\" }}{{ .Data.private_key }}{{ end }}"
  error_on_missing_key = true
}

# Process supervisor mode: the agent starts the scanner only after every template has rendered.
exec {
  command                   = ["/path/to/fortanix-scanner", "start", "-c", "/path/to/fortanix-scanner-config.yaml"]
  restart_on_secret_changes = "always"
  restart_stop_signal       = "SIGTERM"
}
During the integration, the vault-agent reads the secrets specified in the env_template blocks and injects them as environment variables into the child process defined in the exec block, that is, the fortanix-scanner. These environment variables are accessible only to the fortanix-scanner.
The vault-agent waits until all environment templates are rendered before starting the child process.
The vault-agent refreshes the environment variables whenever it detects an update to the injected secrets. The fortanix-scanner should ensure it reads all configured environment variables before initiating a scan to obtain the latest credentials.
The vault-agent terminates when the fortanix-scanner stops running. It is your responsibility to detect this and restart the vault-agent if needed.
6.0 Verify Scanner Operation
After the integration, perform the following steps to verify the scanner operation:
Ensure the scanner is configured to fetch and use environment variables before starting a scan.
Run a test scan on the command line to verify that the fortanix-scanner correctly picks up the environment variables set by the vault-agent.
Add an on-premises scanner on the Fortanix Key Insight user interface (UI). For more information, refer to Getting Started with On-premises Connection.
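The following wrapper script is an added example, not part of Fortanix's or HashiCorp's code. It serves both the exec block above and the test-scan step: pointing the exec command at the wrapper (with the argument "run") confirms that every variable named in the env_template blocks was injected, reporting only the names of missing ones, and then hands the process over to the scanner with exec so the SIGTERM sent by restart_on_secret_changes reaches the scanner itself. The SCANNER_BIN and SCANNER_CONFIG paths are assumed and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not Fortanix's or HashiCorp's code): a wrapper that the
# vault-agent exec block can run instead of the scanner binary directly.
# It checks that every variable named in the env_template blocks was
# actually injected (reporting names only, never values), then replaces
# itself with the scanner via exec so that the SIGTERM sent by
# restart_on_secret_changes reaches the scanner rather than a shell.
set -eu

# Variable names taken from the env_template blocks of the agent config.
REQUIRED_ENV="
ARMOR_API_KEY_1 ARMOR_API_KEY_2
DB1_USERNAME DB1_PASSWORD DB2_USERNAME DB2_PASSWORD
DB_CLIENT_ID DB_CLIENT_SECRET DB_TENANT_ID
REPO1_USERNAME REPO1_PASSWORD REPO2_USERNAME REPO2_PASSWORD
REPO3_USERNAME REPO3_PASSWORD
DSM_APP_AUTH_CERT DSM_APP_AUTH_KEY
"
# Assumed install paths; override through the environment if they differ.
SCANNER_BIN="${SCANNER_BIN:-/path/to/fortanix-scanner}"
SCANNER_CONFIG="${SCANNER_CONFIG:-/path/to/fortanix-scanner-config.yaml}"

# Print the names of required variables that are unset or empty, one per
# line; return 0 when all are present and 1 otherwise.
check_required_env() {
  missing=0
  for name in $REQUIRED_ENV; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "$name"
      missing=1
    fi
  done
  return $missing
}

# Invoked by vault-agent as: command = ["/path/to/scanner-wrapper.sh", "run"]
case "${1:-}" in
  run)
    if ! missing_names=$(check_required_env); then
      echo "scanner-wrapper: not injected by vault-agent:" $missing_names >&2
      exit 1
    fi
    # exec: the scanner takes over this PID, so it receives SIGTERM directly.
    exec "$SCANNER_BIN" start -c "$SCANNER_CONFIG"
    ;;
esac
```

Because the wrapper exits non-zero when a variable is missing, a misconfigured env_template surfaces as a failed scanner start in the agent's log instead of a scan that silently runs with stale or empty credentials.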
After the scanner is added and the resources have been successfully scanned, the new on-premises connection will be added to the ON-PREMISES tab on the Fortanix Key Insight user interface (UI) Connections page.
After you complete the configuration and scan your on-premises resources, you can view the discovery and assessment results in the Fortanix Key Insight dashboard.
For more information on the Key Insight on-premises Overview page and its features, refer to On-premises Connection - User Interface Components.