README
¶
Vault Secrets Plugin for CyberArk Central Credentials Provider
This repository contains the source code for a Vault plugin used to retrieve secrets from the CyberArk Enterprise Password Vault (EVP) using the CyberArk Central Credentials Provider (CCP).
Usage
Register
Vault requires that all plugins are stored in a predefined location and are registered with Vault. Designate a folder as the Vault plugin folder.
Copy the plugin to the Vault plugin folder, for every node in the Vault cluster.
Configure all Vault nodes in the cluster, to use the desginated plugin folder, as shown below, and (re)start Vault:
...
plugin_directory = "path/to/plugin/directory"
...
Generate the sha256 checksum for the plugin. Example using shasum:
shasum -a 256 bin/vault-plugin-secrets-ccp
...
909715453de17d70cc4944fe2451cf64f3945de9e9db14429503df347e6efcc5 bin/vault-plugin-secrets-ccp
Register the plugin
$ vault write vault write sys/plugins/catalog/ccp \
sha_256=<expected SHA256 Hex value of the plugin binary> \
command="vault-plugin-secrets-ccp"
...
Success! Data written to: sys/plugins/catalog/ccpsecrets
Mount
Enable the secrets plugin backend using the secrets enable command:
$ vault secrets enable ccp
...
Success! Enabled the ccp secrets engine at: ccp/
Configure
TBD
Retrieve secrets
TBD
Developing
If you wish to work on the plugin, you need to have Go installed on your system. You can then download any required build tools by bootstrapping your environment:
$ make bootstrap
To compile a development version of this plugin, run make or make dev.
This will put the plugin binary in the bin folders.
make dev will only generate the binary for your platform and is faster:
$ make
$ make dev
Put the plugin binary into a location of your choice. This folder
will be specified as the plugin_directory
in the Vault config used to start the server.
...
plugin_directory = "path/to/plugin/directory"
...
Start a Vault server with this config file:
$ vault server -config=path/to/config.json ...
...
Once the server is started, register the plugin in the Vault server's plugin catalog:
$ vault write vault write sys/plugins/catalog/ccp \
sha_256=<expected SHA256 Hex value of the plugin binary> \
command="vault-plugin-secrets-ccp"
...
Success! Data written to: sys/plugins/catalog/ccpsecrets
Note you should generate a new sha256 checksum if you have made changes to the plugin. Example using shasum:
shasum -a 256 bin/vault-plugin-secrets-ccp
...
909715453de17d70cc4944fe2451cf64f3945de9e9db14429503df347e6efcc5 bin/vault-plugin-secrets-ccp
Enable the secrets plugin backend using the secrets enable plugin command:
$ vault secrets enable ccp
...
Success! Enabled the ccp secrets engine at: ccp/
Documentation
Source Files
Directories