Enabling SaltStack Enterprise to use Vault for its Redis and database credentials requires the following steps:
- Configure SaltStack Enterprise to use environment variables for its credentials.
- Install and configure the Vaultenv tool.
- Insert Redis and database credentials into Vault.
- Create a vaultenv raas configuration file.
- Launch raas via the Vaultenv tool.
This document assumes you have HashiCorp’s Vault installed and running somewhere in your environment and are familiar with its operation. See www.vaultproject.io for more information.
Configure SaltStack Enterprise to use environment variables for its credentials
The Vaultenv tool launches programs with environment variables set to HashiCorp Vault secrets. The first step to enable this for SaltStack Enterprise is to edit the raas configuration file so that it reads its SQL and Redis credentials from environment variables.
Use the following settings in
This causes SaltStack Enterprise to look for these values in the environment variables
Note: For SQL, all of the credential components are passed in a single string in the form:
Therefore, the following sql settings will be redundant and should be deleted from
username: user # delete this line
password: password # delete this line
host: db_host # delete this line
port: 5432 # delete this line
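The single-string form described above is the same postgres://user:password@host:port/dbname URL that is written into Vault later in this document. The Python below is an added example (not SaltStack's or Vaultenv's code) that assembles such a URL from the separate username, password, host, port and database-name settings and splits it back apart; the sample values are constructed, and the point it adds is that a password containing URL delimiters must be percent-encoded before it goes into the string.

```python
from urllib.parse import quote, unquote, urlsplit

# Added example, not SaltStack's or Vaultenv's own code. It shows how the
# separate sql settings (username, password, host, port, database name)
# collapse into the single postgres:// URL form used with vault kv put.


def build_database_url(username, password, host, port, dbname):
    """Assemble the single-string credential that replaces the separate sql settings.

    The username and password are percent-encoded with nothing left 'safe', so
    delimiters such as '/', '#', '@' and ':' inside a password cannot be
    mistaken for URL structure by whatever parses the string later.
    """
    return (f"postgres://{quote(username, safe='')}:{quote(password, safe='')}"
            f"@{host}:{int(port)}/{dbname}")


def parse_credential_url(url):
    """Split a postgres:// or redis:// credential URL back into its parts.

    Redis URLs of the form redis://:password@host:6379 carry an empty
    username, which urlsplit reports as '' rather than None.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("postgres", "postgresql", "redis"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if parts.hostname is None or parts.port is None:
        raise ValueError("credential URL must carry an explicit host and port")
    return {
        "scheme": parts.scheme,
        "username": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),
        "host": parts.hostname,
        "port": parts.port,
        "database": parts.path.lstrip("/"),  # '' for redis, DB name for postgres
    }


if __name__ == "__main__":
    # Constructed sample values; the password deliberately contains delimiters.
    url = build_database_url("user", "p@ss:w/rd#1", "localhost", 5432, "raas_db_name")
    print(url)
    print(parse_credential_url(url))
```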
Install and configure the vaultenv tool
Vaultenv binaries are available from GitHub. To install the latest release at the time of writing, 0.13.1, run the following.
$ wget https://github.com/channable/vaultenv/releases/download/v0.13.1/vaultenv-0.13.1-linux-musl -O /usr/local/bin/vaultenv
$ chmod a+x /usr/local/bin/vaultenv
Vaultenv is configured via the /etc/vaultenv.conf file. The file is optional, as all of Vaultenv’s settings can be specified as command line arguments. Many settings are optional and have workable default values. Some, however, such as VAULT_TOKEN, need to be supplied, either on the command line or in the configuration file. See vaultenv --help for a full list.
A sample vaultenv.conf file might be as follows.
# Also: comments are allowed if they start with '#'.
Since /etc/vaultenv.conf contains a token, it should be locked down, but it must remain readable by the raas user. One way of doing so is to change its group to raas and restrict its permissions so that it is readable only by root and the raas group, as follows.
$ chown root:raas /etc/vaultenv.conf
$ chmod 640 /etc/vaultenv.conf
Insert Redis and database credentials into Vault
Write the Redis and SQL credentials into Vault:
$ vault kv put secret/sse redis_url="redis://:firstname.lastname@example.org:6379"
$ vault kv patch secret/sse database_url="postgres://user:secret@localhost:5432/raas_db_name"
In place of raas_db_name above, the database name is
where CUSTOMERID is the setting of customer_id in the raas configuration file, with hyphens removed. The default customer id is 43cab1f4-de60-4ab1-85b5-1d883c5c5d09, making the default raas database name
Create a Vaultenv raas configuration file
In the /var/lib/raas/ directory, create a file named raas.secrets. This file tells Vaultenv which secrets to retrieve from Vault and which environment variables to put them in. In the sample file below, database_url will be retrieved from the Vault where the secrets were stored earlier, using prefix secret and path sse, storing them in the DATABASE_URL environment variables.
Launch SaltStack Enterprise via the Vaultenv tool
Configure the raas service to be started by Vaultenv with the proper environment variables set from Vault with the following steps:
Stop the raas service
$ systemctl stop raas
Create a service override file
$ systemctl edit raas
Add the following content to have raas start via Vaultenv. The override needs a [Service] section header, and the empty ExecStart= line clears the ExecStart inherited from the packaged unit before the new one is set:
[Service]
ExecStart=
ExecStart=/usr/local/bin/vaultenv --secrets-file /var/lib/raas/raas.secrets /usr/bin/raas
$ systemctl daemon-reload
$ systemctl start raas