Vault Anypoint Connector User Manual

Vault allows the encryption of properties in memory and the management of tokens for different services (Salesforce, EC2, etc..).

For more information, please visit the official site: https://www.vaultproject.io/

Vault Connector 2.0.0

The Vault Anypoint connector enables developers to handle secrets in the Vault platform on Mulesoft Anypoint Runtime.

MuleSoft maintains the Vault connector under the Certified support policy.

Prerequisites

This document assumes that you are familiar with Mule, Anypoint Connectors, and Anypoint Studio. To increase your familiarity with Studio, consider completing a Anypoint Studio Tutorial. This page requires some basic knowledge of Mule Concepts, Elements in a Mule Flow, and Global Elements.

A basic understanding of Vault platform is recommended. Vault documentation can be found here.

Hardware and Software Requirements

For hardware and software requirements, please visit the Hardware and Software Requirements page.

Compatibility

Application/Service	Version
Mule Runtime	3.8.X (all versions)
Java	1.7 and later

Application/Service

Version

Mule Runtime

3.8.X (all versions)

Java

1.7 and later

How to Install

You can install the connector in Anypoint Studio using the instructions in Installing a Connector from Anypoint Exchange.

How to Configure

To use the Vault connector in your Mule application, you must configure a global vault:config element that can be used by the Vault connector (read more about Global Elements). The Vault connector provides the following global configurations, requiring the following credentials:

Simple Connection Configuration

Field Description

Token

Enter the client token for authentication purposes.

Address

Remote location of your Vault server. Example: https://localhost:8200

Field	Description
Token	Enter the client token for authentication purposes.
Address	Remote location of your Vault server. Example: https://localhost:8200

SSL Connection Configuration

Field	Description
Token	Enter the client token for authentication purposes.
Address	Remote location of your Vault server. Example: https://localhost:8200
Trust Store Resource	Path to the TrustStore.jks file with the server certificate. The relative path can be used. Include the file in src/main/resources

Field

Description

Token

Enter the client token for authentication purposes.

Address

Remote location of your Vault server. Example: https://localhost:8200

Trust Store Resource

Path to the TrustStore.jks file with the server certificate. The relative path can be used. Include the file in src/main/resources

<connector>-config

In the Configuration XML view, find the global configuration for vault:vault-ssl-connection-config add the attribute verifySSL="false".

    <vault:vault-ssl-connection-config name="Vault__Vault_SSL_Connection_Config"      token="${vault.SSL-config.token}" address="${vault.SSL-config.address}" trustStoreResource="${vault.SSL-config.trustStoreFile}" verifySSL="false" doc:name="Vault: Vault SSL Connection Config"/>

In both cases, click Test Connection to ensure that your configuration is working properly.

Connector Namespace and Schema

When designing your application in Anypoint Studio, when you drag the connector from the palette onto the Anypoint Studio canvas, Studio automatically populates the XML code with the connector namespace and schema location.

<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:connector="http://www.mulesoft.org/schema/mule/connector"
      xsi:schemaLocation="
               http://www.mulesoft.org/schema/mule/core
               http://www.mulesoft.org/schema/mule/core/current/mule.xsd
               http://www.mulesoft.org/schema/mule/vault
               http://www.mulesoft.org/schema/mule/vault/current/mule-vault.xsd">
       <!-- put your global configuration elements and flows here -->
</mule>

Maven Dependency Information

For Maven dependency management, include this XML snippet in your pom.xml file.

<dependency>
  <groupId>org.mule.modules</groupId>
  <artifactId>vault-connector</artifactId>
  <version>2.0.0</version>
</dependency>

Common Use Cases

Create a new Secret using a Key/Value Secrets Engine

The following walk through demonstrates how to create a new secret using the Vault Connector. In order to complete this example, you will need Postman or any cURL application.

Drag an HTTP Endpoint into a new flow. Configure a new HTTP Listener Configuration on Port 8081. In the properties view of the HTTP Endpoint configure the HTTP endpoint as follows:

Field

Value

Display Name

HTTP (or any other name you prefer)

Exchange Pattern

request-response

Path

/vault

Method

POST
Drag a Vault connector endpoint into the same flow. Select it to open the properties editor console. Next to Connector Configuration click the + sign to add a new connection configuration and add your credentials. Set the rest of the properties as follows:
Drag a Set Payload transformer and set value to #['Secret Written - OK'].
Run your project and open a cURL application such as Postman. Make a POST request containing the query parameters container and path. For example: http://localhost:8081/vault?container=vaultapp&path="my-secret". In the body of the POST request, add a JSON body containing the value of the new secret, such as:
```
{
  "value":"testing-secret"
}
```
Send the request. If the request is successful, the message set in the Set Payload transformer should be displayed.

Read a Secret from a Key/Value Secrets Engine

The following walk through demonstrates how to read a secret from a Vault using the Vault Connector.

Drag an HTTP Endpoint into a new flow. Configure a new HTTP Listener Configuration on Port 8081. In the properties view of the HTTP Endpoint configure the HTTP endpoint as follows:

Field

Value

Display Name

HTTP (or any other name you prefer)

Exchange Pattern

request-response

Path

/readvault

Method

GET
Drag a Vault connector endpoint into the same flow. Select it to open the properties editor console. Next to Connector Configuration click the + sign to add a new connection configuration and add your credentials. Set the rest of the properties as follows:
Drag an Object to JSON transformer.
Save the project and run it. In a browser, make a request containing the query parameters container and path. For example: http://localhost:8081/readvault?container=vaultapp&path="my-secret".
The value for the secret you requested should be displayed as JSON in your browser.

Resources

Visit the Vault Connector Release Notes page for the release notes of the connector.
Visit the Vault Connector API Reference page for the technical documentation of the connector.
Visit https://www.vaultproject.io page for information on Vault.
Learn how to Install and Configure Anypoint™ Connectors in Anypoint™ Studio here.
Access MuleSoft’s forum to pose questions and get help from Mule’s broad community of users.
To access MuleSoft’s expert support team, subscribe to Mule ESB Enterprise and log in to MuleSoft’s Customer Portal.
Contact the connector developers at Ricston