From 7cbd59b276712170ffade035fbfa9f5302e71dd6 Mon Sep 17 00:00:00 2001 From: patlo-iog Date: Wed, 7 Feb 2024 22:03:38 +0700 Subject: [PATCH] docs: update vault secret storage operation (#886) Signed-off-by: Pat Losoponkul Signed-off-by: Pete Vielhaber Co-authored-by: Pete Vielhaber --- .github/CODEOWNERS | 2 +- docs/docusaurus/secrets/operation.md | 44 ++++++++++++++++++---------- 2 files changed, 29 insertions(+), 17 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 41ad6dc7c3..290b547f9b 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -23,4 +23,4 @@ /tests/ @amagyar-iohk @yshyn-iohk @patlo-iog @mineme0110 # Docs: -/docs/ @davidpoltorak-io @yshyn-iohk @BS-IO +/docs/ @davidpoltorak-io @yshyn-iohk diff --git a/docs/docusaurus/secrets/operation.md b/docs/docusaurus/secrets/operation.md index 120883440e..62f6088b5c 100644 --- a/docs/docusaurus/secrets/operation.md +++ b/docs/docusaurus/secrets/operation.md @@ -10,21 +10,16 @@ allow the software to generate one automatically. However, in a production envir it is crucial for the system operators to explicitly supply the seed to the agent. This ensures full control over the DID key material and guarantees secure management of user identities. -The PRISM agent includes a development mode that conveniently bypasses certain checks during development or integration. -By default, the agent does not start in the development mode. -This behavior can be modified using the `DEV_MODE` environment variable, which accepts the value `true` or `false`. - -__Note that it is important to set `DEV_MODE=false` for the production instance.__ - PRISM agent uses the following environment variables for secret management. -| Name | Description | Default | -|-------------------------|--------------------------------------------------------------|-------------------------| -| `DEV_MODE` | Whether PRISM agent should start in development mode | `false` | -| `SECRET_STORAGE_BACKEND`| The storage backend that will be used for the secret storage | `vault` | -| `VAULT_TOKEN` | The token for accessing HashiCorp Vault | `root` | -| `VAULT_ADDR` | The address which PRISM agent can reach the Vault | `http://localhost:8200` | -| `DEFAULT_WALLET_SEED` | The seed used for DID key management for the default wallet | - | +| Name | Description | Default | +|--------------------------|-----------------------------------------------------------------|-------------------------| +| `SECRET_STORAGE_BACKEND` | The storage backend that will be used for the secret storage | `vault` | +| `VAULT_ADDR` | The address which PRISM Agent can reach the Vault | `http://localhost:8200` | +| `VAULT_TOKEN` | The token for accessing HashiCorp Vault | - | +| `VAULT_APPROLE_ROLE_ID` | The `role_id` for HashiCorp Vault authentication with AppRole | - | +| `VAULT_APPROLE_SECRET_ID`| The `secret_id` for HashiCorp Vault authentication with AppRole | - | +| `DEFAULT_WALLET_SEED` | The seed used for DID key management for the default wallet | - | ## Storage backend configuration @@ -32,14 +27,31 @@ Secret storage supports various backends like the Vault service or Postgres data By default, the backend chosen for secret storage is Vault, which is suitable for production environments. There are multiple supported backend implementations, each catering to specific use cases. -__HachiCorp Vault__ +__HashiCorp Vault__ When operating in a production environment, the agent has the option to utilize Vault as a secure secret storage backend. This choice is deemed suitable for production because all data is encrypted and it also offers additional security-related capabilities. By default, the agent uses this backend but the option is configurable. -To utilize this backend, set the `SECRET_STORAGE_BACKEND` variable to `vault` and -provide the `VAULT_TOKEN` and `VAULT_ADDR` environment variables. +To utilize this backend, set the `SECRET_STORAGE_BACKEND` variable to `vault`. +The agent expects to read and write secrets to the path `/secret/*`, +to ensure the provisioned permissions. + +Example Vault policy + +``` +path "secret/*" { + capabilities = ["create", "read", "update", "patch", "delete", "list"] +} +``` + +HashiCorp Vault provides multiple authentication methods. +One of the simplest methods is [token authentication](https://developer.hashicorp.com/vault/docs/auth/token). +To authenticate using the token, set the environment variable `VAULT_TOKEN`. +The agent prefers token authentication if provided with multiple authentication methods. + +Another method is [AppRole authentication](https://developer.hashicorp.com/vault/docs/auth/approle) which is suitable for automatic workflows. +To use AppRole authentication, set the environment variable `VAULT_APPROLE_ROLE_ID` and `VAULT_APPROLE_SECRET_ID`. __Postgres__