The ./conf/bootstrap-hashicorp-vault.conf file that ships with Apache NiFi is a convenient way to configure the StandardHashiCorpVaultClientService consistently with the HashiCorpVault sensitive properties provider. Since this file already configures the Vault client that protects sensitive properties in the NiFi configuration files (see the Administrator's Guide), it is a natural starting point for configuring the controller service as well.
An example configuration of this properties file is as follows:
# HTTP or HTTPS URI for HashiCorp Vault is required to enable the Sensitive Properties Provider
# Optional file supports authentication properties described in the Spring Vault Environment Configuration
# All authentication properties must be included in bootstrap-hashicorp-vault.conf when this property is not specified.
# Properties in bootstrap-hashicorp-vault.conf take precedence when the same values are defined in both files.
# Token Authentication is the default when the 'vault.authentication' property is not specified.
# Optional Timeout properties
# Optional TLS properties
In order to use this file in the StandardHashiCorpVaultClientService, specify the following properties:
If your bootstrap configuration sets vault.authentication.properties.file to a second file containing the authentication properties, that file must also be added to the Vault Properties Files property, as a comma-separated value: the controller service reads only the files listed in that property, and does not follow the reference inside the bootstrap file on its own.
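A concrete two-file layout for the 'Properties Files' strategy, added here as an example rather than taken from the page's own listing. The keys are the Spring Vault EnvironmentVaultConfiguration keys the controller service supports plus NiFi's own vault.connection.timeout and vault.read.timeout (written in NiFi's time-period format); the host name, paths, passwords and AppRole identifiers are placeholders.

```properties
# ./conf/bootstrap-hashicorp-vault.conf  (shared with the sensitive properties provider)
vault.uri=https://vault.example.internal:8200
# Authentication settings live in a separate file so it can be locked down to the
# NiFi service account and rotated independently of the bootstrap configuration.
vault.authentication.properties.file=./conf/vault-auth.properties
vault.connection.timeout=5 secs
vault.read.timeout=15 secs
# CA that signed the Vault server certificate (placeholder path and password)
vault.ssl.trust-store=./conf/vault-ca.p12
vault.ssl.trust-store-type=PKCS12
vault.ssl.trust-store-password=changeit

# ./conf/vault-auth.properties  (must ALSO be listed in the controller service)
# If vault.authentication were set in both files, the bootstrap file's value would win.
vault.authentication=APPROLE
vault.app-role.role-id=11111111-1111-1111-1111-111111111111
vault.app-role.secret-id=22222222-2222-2222-2222-222222222222
```

With this layout the controller service is configured with Configuration Strategy set to 'Properties Files' and Vault Properties Files set to `./conf/bootstrap-hashicorp-vault.conf,./conf/vault-auth.properties`. Keep the second file readable only by the account NiFi runs as; the secret-id is a live credential stored in clear text.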
However, if you want to specify or override properties directly in the controller service, you may do this by specifying a Configuration Strategy of 'Direct Properties'. This can be useful if you are reusing an SSLContextService or want to parameterize the Vault configuration properties. Authentication-related properties can also be added as sensitive dynamic properties, as seen in the examples below.
Under the hood, the controller service uses Spring Vault, and directly supports the property keys specified in Spring Vault's documentation. Following are some common examples of authentication with Vault.
The simplest scheme is token authentication, the auth method that Vault enables by default. To use it, select "TOKEN" for the "Vault Authentication" property (the default). Vault tokens carry a TTL and are meant to be rotated, so the best practice is to use the 'Properties Files' Configuration Strategy and keep the token in an external properties file named in the 'Vault Properties Files' property. An external process can then write a fresh token to that file without touching the NiFi configuration; restrict the file's permissions to the NiFi service account, since it holds a live credential in clear text. The controller service reads the file only when it is enabled, so to pick up a rotated token it must be disabled and re-enabled.
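A rotation script of the kind described above, added as an example and not part of the NiFi documentation. It rewrites the token file atomically with 0600 permissions, then cycles the controller service through the NiFi REST API (PUT /nifi-api/controller-services/{id}/run-status, which requires the current revision) so the new token is picked up. The token file name, the NIFI_URL, NIFI_BEARER and SERVICE_ID variables, the token policy name, and the use of jq for parsing responses are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not NiFi project code: rotate the Vault token that a
# StandardHashiCorpVaultClientService reads from an external properties file
# ('Properties Files' Configuration Strategy), then disable and re-enable the
# service so it picks up the new token.
# Assumptions (not stated on the page): the token file is the only file that holds
# vault.token; NIFI_URL, NIFI_BEARER and SERVICE_ID are supplied by the operator;
# jq is installed for parsing the NiFi REST responses.
set -e

# Return the current token from a properties file (empty if none).
read_token() {
  sed -n 's/^vault\.token=//p' "$1" | head -n 1
}

# Replace (or add) vault.token in $1 with $2. The new content is written to a
# 0600 temp file beside the target and renamed into place, so a reader never
# sees a partial file and the token is never world-readable, even briefly.
write_token_file() {
  file=$1; token=$2
  tmp="$file.tmp.$$"
  (
    umask 077
    {
      # keep every existing property except a previous vault.token entry
      if [ -f "$file" ]; then grep -v '^vault\.token=' "$file" || true; fi
      printf 'vault.token=%s\n' "$token"
    } > "$tmp"
  )
  mv -f "$tmp" "$file"
}

# Mint a fresh short-lived token using the Vault CLI's own login. Issuing a new
# token (instead of renewing) limits a leaked file to one TTL and lets the old
# token be revoked as soon as the service is running on the new one.
new_token() {
  vault token create -field=token -ttl="${TOKEN_TTL:-24h}" -policy="${TOKEN_POLICY:-nifi-read}"
}

# Set the controller service run status and wait for it to settle.
set_service_state() {
  id=$1; state=$2
  version=$(curl -sf -H "Authorization: Bearer $NIFI_BEARER" \
    "$NIFI_URL/nifi-api/controller-services/$id" | jq '.revision.version')
  curl -sf -o /dev/null -X PUT -H "Authorization: Bearer $NIFI_BEARER" \
    -H 'Content-Type: application/json' \
    -d "{\"revision\":{\"version\":$version},\"state\":\"$state\"}" \
    "$NIFI_URL/nifi-api/controller-services/$id/run-status"
  # DISABLING/ENABLING are transitional states; poll until the target is reached.
  for _ in 1 2 3 4 5 6 7 8 9 10; do
    cur=$(curl -sf -H "Authorization: Bearer $NIFI_BEARER" \
      "$NIFI_URL/nifi-api/controller-services/$id" | jq -r '.component.state')
    [ "$cur" = "$state" ] && return 0
    sleep 2
  done
  echo "controller service $id did not reach $state" >&2
  return 1
}

rotate() {
  file=$1
  old=$(read_token "$file")
  token=$(new_token)
  write_token_file "$file" "$token"
  set_service_state "$SERVICE_ID" DISABLED
  set_service_state "$SERVICE_ID" ENABLED
  # Revoke the previous token only once the service is back up on the new one.
  if [ -n "$old" ]; then vault token revoke "$old" >/dev/null; fi
}

# Usage: ./rotate-vault-token.sh rotate ./conf/vault-token.properties
if [ "${1:-}" = "rotate" ]; then rotate "$2"; fi
```

The disable/enable round trip is what the page requires for the new token to take effect; the script also revokes the old token afterwards, so a copy of the previous file is useless to anyone who obtained it.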
For testing purposes, however, it may be more convenient to specify the token directly in the controller service. To do so, add a new Sensitive property named 'vault.token' and enter the token as the value. The value is encrypted in the flow configuration like any other sensitive property, but it is static: rotating it means editing the controller service.
Certificate authentication must be enabled in the Vault server before it can be used from NiFi, but it uses the same TLS settings as the actual client connection, so no additional authentication properties are required. While these TLS settings can be provided in an external properties file, we will demonstrate configuring an SSLContextService instead.
First, create an SSLContextService controller service and configure the Filename, Password, and Type for both the Keystore and Truststore. Enable it, and assign it as the SSL Context Service in the Vault controller service. Then, simply specify "CERT" as the "Vault Authentication" property value.
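The properties-file equivalent of the SSLContextService setup, added as an example (not from the page). The vault.ssl.* keys are Spring Vault's; the file paths, passwords, and the Vault-side role name and policy in the comment are placeholders.

```properties
# Properties-file form of CERT authentication, for the 'Properties Files' strategy.
# Vault side: the 'cert' auth method must be enabled and a role created that trusts
# the CA (or exact certificate) of the client keystore below, for example
#   vault auth enable cert
#   vault write auth/cert/certs/nifi certificate=@nifi-client-ca.pem policies=nifi-read
vault.uri=https://vault.example.internal:8200
vault.authentication=CERT
# Client certificate and key presented in the TLS handshake; the same identity is
# what Vault authenticates, so no further authentication properties are needed.
vault.ssl.key-store=./conf/nifi-client.p12
vault.ssl.key-store-type=PKCS12
vault.ssl.key-store-password=changeit
# CA that signed the Vault server certificate
vault.ssl.trust-store=./conf/vault-ca.p12
vault.ssl.trust-store-type=PKCS12
vault.ssl.trust-store-password=changeit
```

Whichever form is used, the client certificate is the credential: protect the keystore file (or the SSLContextService's keystore) as carefully as a token file, and scope the Vault cert role's policies to the paths NiFi actually needs.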
To configure the other authentication methods, see the Spring Vault documentation referenced above. All relevant properties should be added either to the external properties files referenced in the "Vault Properties Files" property when using the 'Properties Files' Configuration Strategy, or as custom properties with the same names when using the 'Direct Properties' Configuration Strategy. For example, the Azure authentication mechanism requires properties for 'vault.azure-msi.azure-path', 'vault.azure-msi.role', and 'vault.azure-msi.identity-token-service'.