How do I setup multiple mount points that use different paths in the same consul for their storage?


Mike Peck

Feb 8, 2019, 1:41:28 PM
to Vault
I'm using the open-source vault (v0.10.1).

I currently have a secret engine defined in vault.hcl like this:

backend "consul" {
  address = "127.0.0.1:8500"
  path    = "vaultha/"
}

and it is used via the default mount point "secret/"

I now need to add a second mount point.  I can't use the same "vaultha" path inside consul, which seems to be a problem?

How do I do that?

/sys/mounts/<mount point> seems like it's close, but it doesn't let me specify a different consul path (or the address shown above).

Mike

mic...@hashicorp.com

Feb 11, 2019, 2:41:34 AM
to Vault
Hi Mike,

The backend which you have defined in your configuration file is also known as the Storage Backend. This is the place where Vault stores all its encrypted data, and only one storage backend can be configured per Vault instance/cluster.
A Secret Engine is responsible for managing secrets and has no direct connection to the Storage Backend. Vault supports several secret engines which can be mounted multiple times with a unique mount point path.

If you want to enable another secret engine of type kv at another mount point, you have to run the following command:
vault secrets enable -version=2 -path=new-mount-point kv
https://www.vaultproject.io/docs/secrets/kv/kv-v2.html#setup

This will mount a secret engine of type kv (v2) at the new-mount-point/ path.
You can verify that by running the following command:
$ vault secrets list
Path                Type         Accessor              Description
----                ----         --------              -----------
cubbyhole/          cubbyhole    cubbyhole_ec4836c2    per-token private secret storage
identity/           identity     identity_5896cf67     identity store
new-mount-point/    kv           kv_2634873c           n/a
secret/             kv           kv_c5d54e80           key/value secret storage
sys/                system       system_e07d1ea4       system endpoints used for control, policy and debugging

Cheers,
Michel