Striim Cloud 4.1.0 documentation

Using vaults

You can use a vault to secure any property value, including passwords, tokens, and keys. This sensitive information is stored as key-value pairs with the value encrypted. Those keys can then be used as variables in TQL without the programmer being able to see the cleartext value.

Note

Striim automatically encrypts values when the property type is com.webaction.security.Password (see Encrypted passwords), but if desired you may specify vault keys for those values.

Striim's native vault stores key-value pairs in Striim's metadata repository.

Striim will encrypt the values using AES-256.

Alternatively, you may store key-value pairs in an Azure Key Vault or Hashicorp Vault's KV Secrets Engine Version 2.

Tip

When handing off applications from development to QA, or from QA to production, create vaults with the same name in different namespaces. If vaults' entries have the same names but different values, the applications can use different connection URLs, user names, passwords, keys, and so on with no need to revise the TQL.

Note

In this release, vault-related commands are available only in the console. There is no web UI counterpart.

Striim native vaults

To create a Striim native vault:

CREATE VAULT <vault_name>;

To add an entry to a Striim native vault, the syntax is:

WRITE INTO <vaultName> (
  vaultKey: "<key>",
  [ valueType: "FILE", ]
  vaultValue : "<value>"
);

If valueType: "FILE" is specified, vaultValue must be the fully qualified name of a file accessible by Striim. (The file can be deleted after the vault entry is created.) For example:

WRITE INTO MyVault (
  vaultKey: "MyKey",
  valueType: "FILE",
  vaultValue: "/opt/striim/UploadedFiles/myfile.txt"
);

Otherwise, vaultValue must be a string. For example:

WRITE INTO MyVault (
  vaultKey: "MyKey",
  vaultValue: "12345678"
);

Hashicorp vaults

To create a vault component that makes an existing Hashicorp vault available for use in Striim:

CREATE VAULT <vaultName> USING VAULTSPEC (
  VaultType: "HASHICORPVAULT", 
  AccessToken: "<rootToken>",
  ConnectionURL: "<connection_url>",
  Port: "<port>",
  EngineName: "<name>",
  PathToSecret: "<path>",
  AutoRenew: "{true|false}", -- default value is false
  AutoRenewIncrement: "<interval>",
  AutoRenewCheckPeriod: "<interval>"
);

For example, without auto-renew:

CREATE VAULT myvault USING VAULTSPEC (
  VaultType: "HASHICORPVAULT", 
  AccessToken: "**************************",
  ConnectionURL: "https://198.51.100.20",
  Port: "8200",
  EngineName: "secret",
  PathToSecret: "my-secret"
);

Alternatively, to enable auto-renew:

CREATE VAULT myvault USING VAULTSPEC (
  VaultType: "HASHICORPVAULT", 
  AccessToken: "**************************",
  ConnectionURL: "https://198.51.100.20",
  Port: "8200",
  EngineName: "secret",
  PathToSecret: "my-secret",
  AutoRenew: "true",
  AutoRenewIncrement: "7d",
  AutoRenewCheckPeriod: "1d"
);

  • AutoRenewIncrement specifies the time-to-live (expiration) of the tokens (see Token Management).

  • AutoRenewCheckPeriod controls how often Striim will check to see if the current token should be renewed.

  • To ensure that your token is always valid, the AutoRenewCheckPeriod interval must be shorter than the AutoRenewIncrement interval.

  • Valid interval unit indicators are ms for milliseconds, s for seconds, m for minutes, h for hours, and d for days.

You cannot add an entry to a Hashicorp vault in Striim. See Hashicorp's Vault Documentation for instructions on adding entries to KV Secrets Engine Version 2.

Azure Key Vaults

To create a vault component that makes an existing Azure Key Vault available for use in Striim:

CREATE VAULT <vaultName> USING VAULTSPEC (
  VaultType: "AZUREKEYVAULT", 
  ConnectionURL: "<connection_url>",
  ClientID: "<Application (client) ID>",
  ClientSecret: "<Secret ID>",
  TenantID: "<Directory (tenant) ID>"
);

The values to specify are:

  • ConnectionURL: from the Overview page for your Key Vault

  • ClientID: the Application (client) ID from the Overview page for the Azure Active Directory application with read permission on the vault (applications are listed on the Active Directory "App registrations" page)

  • ClientSecret: The Value from the "Certificates & secrets" page for the Active Directory application with read permission on the vault.

  • TenantID: the Directory (tenant) ID from the Overview page for the Azure Active Directory application with read permission on the vault

You cannot add an entry to an Azure Key Vault in Striim. See Microsoft's Add a secret to Key Vault for instructions on adding entries.

Using vault keys as variables in TQL

Specify vault entries in TQL adapter properties with double square brackets. For example:

Username: '[[myvault.myusername]]',
Password: '[[myvault.mypassword]]',

If you are using an Azure Key Vault or Hashicorp Vault and the property expects a value to specify a file, indicate that as follows:

ServiceAccountKey: '[[myvault.my-sa-key, "FILE"]]'

The , "FILE" argument is not required in TQL when using Striim's native vault.
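The following TQL is an added example, not taken from the Striim documentation, that combines the hand-off pattern from the Tip above with the double-square-bracket references: the same vault and key names are created in a dev and a qa namespace with different values, and the application TQL that references them is deployed unchanged in both. The namespace, vault, key and source names are hypothetical, the vaultValue strings are constructed placeholders, and the DatabaseReader properties (ConnectionURL, Username, Password, Tables) are assumed.

```tql
-- Development namespace: native vault holding the dev database credentials
CREATE NAMESPACE dev;
USE dev;
CREATE VAULT DbVault;
WRITE INTO DbVault (
  vaultKey: "dbuser",
  vaultValue: "dev_app_user"
);
WRITE INTO DbVault (
  vaultKey: "dbpassword",
  vaultValue: "dev-password-placeholder"
);

-- QA namespace: same vault name and key names, different values
CREATE NAMESPACE qa;
USE qa;
CREATE VAULT DbVault;
WRITE INTO DbVault (
  vaultKey: "dbuser",
  vaultValue: "qa_app_user"
);
WRITE INTO DbVault (
  vaultKey: "dbpassword",
  vaultValue: "qa-password-placeholder"
);

-- Application TQL: identical in dev and qa. The [[DbVault.*]] references
-- resolve to the entries of the vault in whichever namespace the
-- application is deployed in, so no cleartext credential appears here.
USE dev;
CREATE APPLICATION OrdersApp;
CREATE SOURCE OrdersSource USING DatabaseReader (
  ConnectionURL: 'jdbc:postgresql://db.example.internal:5432/orders',
  Username: '[[DbVault.dbuser]]',
  Password: '[[DbVault.dbpassword]]',
  Tables: 'public.orders'
)
OUTPUT TO OrdersStream;
END APPLICATION OrdersApp;
```

To move the application to QA, run the same CREATE APPLICATION block after USE qa; if a vault value changes later, ALTER VAULT the entry and restart the application so it picks up the new value.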

Other vault commands

ALTER VAULT <vault_name> (<property_name>: "<value>");

For a Striim native vault, changes the value of any property.

For an Azure Key Vault or Hashicorp vault, use this command to update the Striim component with any changes you make in Azure Key Vault or Hashicorp Vault.

When a property's value is updated, any Striim applications that use that property must be restarted to pick up the new value.

DESCRIBE <vault_name>;

Returns a description of the specified vault component.

DROP VAULT [<namespace>].<vault_name>;

For a Striim native vault, deletes the vault and all its entries.

For an Azure Key Vault or Hashicorp vault, makes it inaccessible by Striim, but has no effect in Azure Key Vault or Hashicorp Vault.

LIST VAULTS;

Returns a list of vaults usable by the current user.

READ ALL FROM <vault_name>;

Returns the encrypted values for all keys in the vault.

READ FROM <vault_name> WHERE vaultKey="<key>";

Returns the encrypted value for the specified key.