Docs Menu
Docs Home
/ /

HashiCorp Vault for Snapshot Store Credentials

You can store the AWS credentials for an S3-compatible snapshot store in the Ops Manager application database or in HashiCorp Vault. When you store credentials in a key vault, Ops Manager fetches them from HashiCorp Vault on demand. On-demand retrieval helps you centralize, rotate, and audit sensitive credentials.

Ops Manager supports HashiCorp Vault and local credential storage. You choose which method to use for each S3-compatible snapshot store.

Ops Manager supports two credential storage locations for an S3-compatible snapshot store:

Storage Location
Description

AppDB

Ops Manager stores the AWS access key and secret key in the Ops Manager application database. AppDB is the default method and doesn't require HashiCorp Vault.

Key Vault

Ops Manager reads the AWS access key and secret key from HashiCorp Vault on demand. Ops Manager stores only the path to each secret, not the secret value.

Use a key vault when your security or audit requirements call for a centralized secret manager. Use AppDB when you do not use HashiCorp Vault.

To use HashiCorp Vault for S3-compatible snapshot store credentials, you must complete two configuration tasks:

  1. Create a key vault configuration that stores the connection and authentication details for your HashiCorp Vault server. To learn how, see Configure a Key Vault for Snapshot Stores.

  2. Configure an S3-compatible snapshot store to use the key vault. You specify the key vault, the path to the AWS access key, and the path to the AWS secret key. Ops Manager reads the credentials from the key vault and passes them to AWS S3. To learn how, see Add One S3-Compatible Snapshot Store.

Ops Manager authenticates to HashiCorp Vault with either a token or a JWT. Ops Manager then reads the AWS access key and secret key from the secret paths that you specify for the snapshot store. You provide each path in the form <secret-path>/<key>.

Ops Manager reads the AWS access key and secret key from HashiCorp Vault and caches them in memory. Ops Manager doesn't store these credentials in the Ops Manager application database.

By default, Ops Manager refreshes a cached credential every five minutes. To change this interval, set the mms.keyVault.secret.cacheSoftTtlMs property.

If HashiCorp Vault is unavailable when Ops Manager refreshes a cached credential, Ops Manager keeps using the last known credential and logs the event, so existing backups continue. If no cached credential exists and Ops Manager can't reach HashiCorp Vault, the operation that needs the credential fails.

Important

Ops Manager doesn't have an alert specifically for HashiCorp Vault availability. If Vault becomes unreachable and no cached credential remains, the resulting backup failures trigger the same backup alerts that apply to any failed backup job. Configure backup alerts to receive them. To learn how, see Configure Alert Settings.

When Ops Manager validates an S3-compatible snapshot store that uses a key vault and S3 returns a 401 or 403 error, Ops Manager refreshes the credentials from HashiCorp Vault once, then retries. If the retry also fails, Ops Manager returns an error and the validation fails.

Ops Manager protects your HashiCorp Vault authentication details as follows:

  • Ops Manager encrypts the Vault authentication secret at rest with the gen.key file, the same method that Ops Manager uses for other integrations.

  • Ops Manager redacts the Vault authentication secret and any custom certificate in API responses and in the Ops Manager console. Ops Manager returns [REDACTED] instead of the stored value.

To use HashiCorp Vault for S3-compatible snapshot store credentials, you need:

  • A reachable HashiCorp Vault deployment.

  • Vault policies, roles, and secret paths that grant Ops Manager read-only access to the AWS credentials.

  • Secure, reliable network connectivity between Ops Manager, the Backup Daemon, and HashiCorp Vault.

To switch an existing S3-compatible snapshot store from local credentials to HashiCorp Vault:

  1. Create a key vault configuration, as described in Configure a Key Vault for Snapshot Stores.

  2. Edit the S3-compatible snapshot store and set its credential storage location to the key vault, as described in Edit One Existing S3-Compatible Snapshot Store.

Back

S3 Compatible

On this page