HashiCorp Vault + Turbot Steampipe

Vault is an industry-leading Secrets Management & Data Protection solution from HashiCorp.

Steampipe is an open source CLI from Turbot for querying cloud APIs using SQL.

Getting Started

Installation

Download and install the latest Vault plugin:

steampipe plugin install theapsgroup/vault

Prerequisites

  • Vault Server
  • Vault API Token

Configuration

The preferred option is to use environment variables for configuration, as the Vault token should be rotated frequently. However, you can also configure the connection in ~/.steampipe/config/vault.spc (this will take precedence).

Environment Variables (default from HashiCorp Vault):

  • VAULT_ADDR for the server address (ex: https://vault.mycorp.com/)
  • VAULT_TOKEN for the API token (ex: s.f7Ea3C3ojOYE0GRLzmhSGNkE)

Configuration File:

connection "vault" {
  plugin    = "theapsgroup/vault"
  address   = "https://vault.mycorp.com/"
  auth_type = "token"
  token     = "s.f7Ea3C3ojOYE0GRLzmhSGNkE"
}

Authentication

Vault supports multiple authentication backends; currently token and AWS IAM are supported. Note that, in line with the Vault CLI behavior, if a Vault token is supplied, it will be used instead of your configured authentication method.

Token

connection "vault" {
  plugin    = "theapsgroup/vault"
  address   = "https://vault.mycorp.com/"
  auth_type = "token"
  token     = "sometoken"
}

AWS

connection "vault" {
  plugin       = "theapsgroup/vault"
  address      = "https://vault.mycorp.com/"
  auth_type    = "aws"
  aws_role     = "steampipe-test-role"
  aws_provider = "aws"
}

aws_role is the name of the role as configured in the Vault AWS authentication backend.

aws_provider is the name of the access engine in Vault.

The vault plugin will resolve the AWS credentials in the normal AWS SDK Credentials chain order.
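
One way to check a connection file against the two points above (a token kept in the file, and a supplied token being used instead of the configured authentication method), as an added example that is not part of the plugin or its documentation. The function name audit_vault_spc, the line-based parsing of the .spc file, the file-permission check, and treating VAULT_TOKEN as a supplied token are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a Steampipe connection file for Vault tokens at rest.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if unreadable.
audit_vault_spc() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    findings=$(awk -v envtok="${VAULT_TOKEN:+set}" '
        /^[ \t]*connection[ \t]+"/ {            # start of a connection block
            name = $2; gsub(/["{]/, "", name)
            inblk = 1; vault = 0; tok = 0; auth = ""; next
        }
        !inblk { next }
        /^[ \t]*plugin[ \t]*=.*theapsgroup\/vault/ { vault = 1 }
        /^[ \t]*auth_type[ \t]*=/ { auth = $0; sub(/^[^"]*"/, "", auth); sub(/".*/, "", auth) }
        /^[ \t]*token[ \t]*=[ \t]*"[^"]+"/ { tok = 1 }
        /^[ \t]*[}]/ {                          # end of block: evaluate it
            if (vault && tok)
                print name ": static token stored in connection file"
            if (vault && auth != "" && auth != "token" && (tok || envtok == "set"))
                print name ": a token is supplied, so auth_type \"" auth "\" is not used"
            inblk = 0
        }' "$file")
    # Assumption: a file that holds a token should be readable by its owner only.
    case $findings in *"static token"*)
        [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] ||
            findings="$findings
$file: readable by group or others" ;;
    esac
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample input (placeholder token value, not a real secret).
sample=$(mktemp)
cat > "$sample" <<'EOF'
connection "vault" {
  plugin    = "theapsgroup/vault"
  address   = "https://vault.mycorp.com/"
  auth_type = "aws"
  aws_role  = "steampipe-test-role"
  token     = "PLACEHOLDER-TOKEN"
}
EOF
chmod 644 "$sample"
audit_vault_spc "$sample" || true
rm -f "$sample"
```

To audit a real setup, call audit_vault_spc on ~/.steampipe/config/vault.spc; a non-zero return means the file should be reviewed before the next token rotation.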

Testing

A quick test can be performed from your terminal with:

steampipe query "select * from vault_engine"

Tables

The following tables are available for querying; follow the links for more information.