Vault allows the encryption of properties in memory and the management of tokens for different services (Salesforce, EC2, etc.).

For more information, please visit the official site: https://www.vaultproject.io/

Vault Connector 2.0.0

The Vault Anypoint connector enables developers to handle secrets in the Vault platform on the MuleSoft Anypoint Runtime.

MuleSoft maintains the Vault connector under the Certified support policy.

Prerequisites

This document assumes that you are familiar with Mule, Anypoint Connectors, and Anypoint Studio. To increase your familiarity with Studio, consider completing an Anypoint Studio Tutorial. This page requires some basic knowledge of Mule Concepts, Elements in a Mule Flow, and Global Elements.

A basic understanding of the Vault platform is recommended. Vault documentation can be found here.

Hardware and Software Requirements

For hardware and software requirements, please visit the Hardware and Software Requirements page.

Compatibility

| Application/Service | Version              |
|---------------------|----------------------|
| Mule Runtime        | 3.8.X (all versions) |
| Java                | 1.7 and later        |

How to Install

You can install the connector in Anypoint Studio using the instructions in Installing a Connector from Anypoint Exchange.

How to Configure

To use the Vault connector in your Mule application, you must configure a global vault:config element that can be used by the Vault connector (read more about Global Elements). The Vault connector provides the following global configurations, requiring the following credentials:

  1. Simple Connection Configuration

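    | Field   | Description                                                            |
    |---------|------------------------------------------------------------------------|
    | Token   | Enter the client token for authentication purposes.                    |
    | Address | Remote location of your Vault server. Example: https://localhost:8200 |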

  2. SSL Connection Configuration

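    | Field                | Description                                                                                                                              |
    |----------------------|------------------------------------------------------------------------------------------------------------------------------------------|
    | Token                | Enter the client token for authentication purposes.                                                                                      |
    | Address              | Remote location of your Vault server. Example: https://localhost:8200                                                                   |
    | Trust Store Resource | Path to the TrustStore.jks file that contains the server certificate. A relative path can be used. Include the file in src/main/resources. |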


    In the Configuration XML view, find the global configuration for vault:vault-ssl-connection-config and add the attribute verifySSL="false".

    <vault:vault-ssl-connection-config name="Vault__Vault_SSL_Connection_Config" token="${vault.SSL-config.token}" address="${vault.SSL-config.address}" trustStoreResource="${vault.SSL-config.trustStoreFile}" verifySSL="false" doc:name="Vault: Vault SSL Connection Config"/>

In both cases, click Test Connection to ensure that your configuration is working properly.

Connector Namespace and Schema

When you design your application in Anypoint Studio and drag the connector from the palette onto the canvas, Studio automatically populates the XML code with the connector namespace and schema location.

<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:vault="http://www.mulesoft.org/schema/mule/vault"
      xsi:schemaLocation="
               http://www.mulesoft.org/schema/mule/core
               http://www.mulesoft.org/schema/mule/core/current/mule.xsd
               http://www.mulesoft.org/schema/mule/vault
               http://www.mulesoft.org/schema/mule/vault/current/mule-vault.xsd">
       <!-- put your global configuration elements and flows here -->
</mule>

Maven Dependency Information

For Maven dependency management, include this XML snippet in your pom.xml file.

<dependency>
  <groupId>org.mule.modules</groupId>
  <artifactId>vault-connector</artifactId>
  <version>2.0.0</version>
</dependency>

Common Use Cases

Create a new Secret using a Key/Value Secrets Engine

The following walkthrough demonstrates how to create a new secret using the Vault Connector. To complete this example, you will need Postman or any cURL application.

  1. Drag an HTTP Endpoint into a new flow. Configure a new HTTP Listener Configuration on Port 8081. In the properties view of the HTTP Endpoint configure the HTTP endpoint as follows:

    | Field            | Value                               |
    |------------------|-------------------------------------|
    | Display Name     | HTTP (or any other name you prefer) |
    | Exchange Pattern | request-response                    |
    | Path             | /vault                              |
    | Method           | POST                                |

  2. Drag a Vault connector endpoint into the same flow. Select it to open the properties editor console. Next to Connector Configuration click the + sign to add a new connection configuration and add your credentials. Set the rest of the properties as follows:

    [Figure: usecase 02]
  3. Drag a Set Payload transformer and set value to #['Secret Written - OK'].

  4. Run your project and open a cURL application such as Postman. Make a POST request containing the query parameters container and path. For example: http://localhost:8081/vault?container=vaultapp&path="my-secret". In the body of the POST request, add a JSON body containing the value of the new secret, such as:

    {
      "value":"testing-secret"
    }
  5. Send the request. If the request is successful, the message set in the Set Payload transformer should be displayed.

Read a Secret from a Key/Value Secrets Engine

The following walkthrough demonstrates how to read a secret from Vault using the Vault Connector.

  1. Drag an HTTP Endpoint into a new flow. Configure a new HTTP Listener Configuration on Port 8081. In the properties view of the HTTP Endpoint configure the HTTP endpoint as follows:

    | Field            | Value                               |
    |------------------|-------------------------------------|
    | Display Name     | HTTP (or any other name you prefer) |
    | Exchange Pattern | request-response                    |
    | Path             | /readvault                          |
    | Method           | GET                                 |

  2. Drag a Vault connector endpoint into the same flow. Select it to open the properties editor console. Next to Connector Configuration click the + sign to add a new connection configuration and add your credentials. Set the rest of the properties as follows:

    [Figure: usecase 04]
  3. Drag an Object to JSON transformer.

  4. Save the project and run it. In a browser, make a request containing the query parameters container and path. For example: http://localhost:8081/readvault?container=vaultapp&path="my-secret".

  5. The value for the secret you requested should be displayed as JSON in your browser.

Resources