Cloudera Docs

External vault requirements

You can learn about how to configure an external HashiCorp Vault for CDP Private Cloud Data Services. Hashicorp Vault securely stores your passwords, tokens, certificates, and encryption keys.

Vault Token Policy

CDP Private Cloud Data Services can be installed using an internal or external Vault. If you are installing CDP Private Cloud Data Services with an external Vault, a Vault token with the following permissions is required.

  • Create/Update/List/Read a secret engine of type kv-2 at the applicable path.
  • Create/Update/List/Read auth of type kubernetes at the applicable path.
  • Create/Update/List/Read policies.
  • Access to List and Read the Vault token details.

Example Vault policy: 

# Manage auth methods broadly across Vault
path "auth/*"
{
  capabilities = ["create", "read", "update", "list"]
}
# Create, update auth methods
path "sys/auth/*"
{
  capabilities = ["create", "update", "sudo"]
}
 
# List auth methods
path "sys/auth"
{
  capabilities = ["read"]
}
 
# List existing policies
path "sys/policies/acl"
{
  capabilities = ["list"]
}
 
# Create and manage ACL policies via API & UI
path "sys/policies/acl/*"
{
  capabilities = ["create", "read", "update", "list"]
}
 
 
# Manage secrets engines
path "sys/mounts/*"
{
  capabilities = ["create", "read", "update", "list"]
}
 
# List existing secrets engines.
path "sys/mounts"
{
  capabilities = ["read"]
}

For more information, see HashiCorp Vault Policy Requirements.

Vault Token Use

The Vault token should be created using the preceding policy. It is recommended that the Vault administrator delete this token after the installation is complete.

External Vault Installation Parameters

  • Vault Address – The external Vault FQDN (Fully Qualified Domain Name) with the port number.
  • Token – The Vault token described above
  • CA Certificate – A valid certificate for the Vault server in PEM format.

Vault Secrets Engine, Auth, and Policies

During installation, CDP enables a kv-v2 secrets engine and kubernetes authentication at unique paths in the following format: 

cloudera-[***CONTROL PLANE NAMESPACE***]-[***SERVER-URL***]

It is recommended that you do not have any kv-v2 secrets and kubernetes auth enabled at the same path in your Vault server.

CDP also creates Vault policies that provide access to control plane services to write their protected data. These two policies have the following format: 

[***NAMESPACE***]-[***SERVER URL***] 
admin-[***NAMESPACE***]-[***SERVER URL***]