Get Started With Vault Service
Vault Service Setup
Task Roadmap
| # | Task | Information |
|---|---|---|
| 1 | Deploy your application to Cloud Foundry. | For an example of deploying a Predix Hello World Web application to Cloud Foundry, see t_Deploying_an_App_to_Cloud_Foundry.html#task_xwn_lvb_vx. |
| 2 | Create an instance of the Vault service. | For more information, see vault-service-get-started.html#task_9b940213-7d86-4ae5-9bdb-44399675a930. |
| 3 | Bind your application to the service instance. | To establish communication between your application and the platform service, you must bind the application to the service. See vault-service-get-started.html#task_0c97a8d8-4ca5-42c4-8a93-10e3657b283a. |
| 4 | (Optionally) Create a service key for your instance. | This is an alternative procedure for retrieving Vault credentials if you do not bind an application to your Vault service instance. See vault-service-get-started.html#task_3bbe9bb0-ff26-409e-99ee-b362f139e3ca. |
| 5 | Start using the Vault service. | See Using Vault Service. |
Creating a Vault Service Instance
You can create an instance of Vault Service to securely store and manage access to tokens, passwords, API keys and other credentials.
Procedure
Results
What To Do Next
Using Command Line to Create a Vault Instance
Procedure
What To Do Next
Binding an Application to the Vault Service Instance
You must bind your application to your Vault instance to provision its connection details in the VCAP_SERVICES environment variable. The Vault service creates a token when you bind your application to the Vault service instance.
About This Task
The Cloud Foundry runtime uses the VCAP_SERVICES environment variable to communicate with a deployed application about its environment. When you bind your application to the Vault service instance, a token is created by default with a time-to-live (TTL) value of 32 days. You can use custom parameters to specify a different TTL for the token and to create a read-only token.
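The following is an added example, not code from the Predix documentation, showing how an application reads the Vault connection details that the binding places in VCAP_SERVICES. The outer layout (service label mapping to a list of bindings, each with a name and a credentials object) is the standard Cloud Foundry shape; the service label "predix-vault" and the credential field names "address", "token" and "ttl" are assumptions for this example, as is the sample document itself, which is constructed rather than captured from a real binding. The 32-day default TTL from the text is expressed as 768 hours.

```python
import json
import os

# Constructed sample of the VCAP_SERVICES document Cloud Foundry injects after
# `cf bind-service`. The label "predix-vault" and the credential field names
# ("address", "token", "ttl") are assumptions for this example; the outer
# layout (label -> list of bindings with "name" and "credentials") is the
# standard VCAP_SERVICES shape.
SAMPLE_VCAP_SERVICES = json.dumps({
    "predix-vault": [
        {
            "name": "my-vault",
            "label": "predix-vault",
            "credentials": {
                "address": "https://vault.example.invalid",
                "token": "EXAMPLE-TOKEN-PLACEHOLDER",
                "ttl": "768h",
            },
        }
    ]
})

VAULT_LABEL = "predix-vault"          # assumed service label
DEFAULT_TTL_SECONDS = 32 * 24 * 3600  # the 32-day default TTL described above

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Convert a duration such as '768h' or '30m' to seconds."""
    text = text.strip()
    if len(text) < 2 or text[-1] not in _UNITS or not text[:-1].isdigit():
        raise ValueError("unrecognised duration: %r" % text)
    return int(text[:-1]) * _UNITS[text[-1]]


def vault_binding(vcap_json, instance_name=None):
    """Return the credentials of the bound Vault instance.

    With several Vault bindings, instance_name selects one; otherwise the
    binding must be unique so a wrong token is never picked up silently.
    """
    services = json.loads(vcap_json)
    bindings = services.get(VAULT_LABEL, [])
    if instance_name is not None:
        bindings = [b for b in bindings if b.get("name") == instance_name]
    if len(bindings) != 1:
        raise LookupError("expected exactly one Vault binding, found %d" % len(bindings))
    creds = bindings[0]["credentials"]
    for field in ("address", "token"):
        if not creds.get(field):
            raise LookupError("Vault binding is missing %r" % field)
    return creds


def token_lifetime_seconds(creds):
    """TTL of the binding token in seconds (assumed 'ttl' field; default 32 days)."""
    return parse_duration(creds["ttl"]) if "ttl" in creds else DEFAULT_TTL_SECONDS


def vault_binding_from_env(instance_name=None):
    """Read the real binding from the process environment on Cloud Foundry."""
    raw = os.environ.get("VCAP_SERVICES")
    if raw is None:
        raise RuntimeError("VCAP_SERVICES is not set; is the app bound and running on Cloud Foundry?")
    return vault_binding(raw, instance_name)


if __name__ == "__main__":
    creds = vault_binding(SAMPLE_VCAP_SERVICES, "my-vault")
    days = token_lifetime_seconds(creds) // 86400
    print("Vault at %s, token valid for %d days" % (creds["address"], days))
```

Selecting the binding by instance name and insisting on exactly one match keeps the application from reading a token that belongs to a different Vault instance when several are bound, and knowing the TTL up front lets the application schedule a renewal or restart before the 32-day token expires.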
Procedure
Create a Service Key for Vault Service
You can optionally retrieve Vault credentials without binding an application to a Vault instance by creating a service key.
Procedure
(Optionally) You can specify custom parameters for the following:
- To specify the duration of the token for your Vault service instance:
  - For a token with unlimited duration, use the following command:
    cf create-service-key <vault_instance_name> <service-key-name> -c '{"token_type" : "perpetual"}'
  - For a token with a specific TTL value, use the following command:
    cf create-service-key <vault_instance_name> <service-key-name> -c '{"token_type" : "periodic", "token_ttl" : "<duration>"}'
- To add a read-only policy to the token. When you add a read-only policy, a user can read the token details but cannot create, update or delete the token. Use the following command:
  cf create-service-key <vault_instance_name> <service-key-name> -c '{"token_read_only" : true}'
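The following is an added example, not part of the Predix documentation, that builds the JSON passed through -c for the commands above and rejects inconsistent combinations (a TTL on a perpetual token, an unknown token type, a malformed duration) before the command is run. The parameter names token_type, token_ttl and token_read_only are the ones shown on this page; the assumed duration shape (digits followed by s, m, h or d, such as 768h for 32 days) and the use of the same parameters with `cf bind-service -c` are assumptions of the example.

```python
import json
import re
import shlex

# Parameter names come from the create-service-key commands on this page.
# Whether `cf bind-service -c` accepts the same names is an assumption here.
DURATION_RE = re.compile(r"^\d+[smhd]$")  # assumed shape of <duration>, e.g. "768h"


def vault_key_params(token_type=None, token_ttl=None, read_only=False):
    """Build the object passed as the -c argument, rejecting inconsistent input."""
    params = {}
    if token_type is not None:
        if token_type not in ("perpetual", "periodic"):
            raise ValueError("token_type must be 'perpetual' or 'periodic'")
        params["token_type"] = token_type
    if token_ttl is not None:
        if token_type != "periodic":
            raise ValueError("token_ttl only applies to a periodic token")
        if not DURATION_RE.match(token_ttl):
            raise ValueError("token_ttl must look like '768h' or '30d', got %r" % token_ttl)
        params["token_ttl"] = token_ttl
    if read_only:
        params["token_read_only"] = True
    if not params:
        raise ValueError("no custom parameters given; omit -c to use the service defaults")
    return params


def cf_command(subcommand, target, name, **opts):
    """argv for `cf create-service-key INSTANCE KEY` (or, by assumption, `cf bind-service APP INSTANCE`)."""
    return ["cf", subcommand, target, name, "-c", json.dumps(vault_key_params(**opts))]


def shell_line(argv):
    """Quote argv for pasting into a POSIX shell; the JSON ends up in single quotes."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Read-only key for a consumer that only needs to read secrets.
    print(shell_line(cf_command("create-service-key", "my-vault", "reader-key", read_only=True)))
    # Periodic token with an explicit 32-day TTL (768h) for a bound application
    # (assumes bind-service accepts the same parameters).
    print(shell_line(cf_command("bind-service", "my-app", "my-vault",
                                token_type="periodic", token_ttl="768h")))
```

Generating the argument through json.dumps avoids the kind of malformed literal that is easy to produce by hand (quotes in the wrong place make the service reject the parameters or silently ignore them), and putting the validation in one function means a perpetual token or a writable token is only ever issued when the caller asked for it explicitly.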