id | title | description | keywords
---|---|---|---
vault-auth | Issuer Node and Vault Authentication | Learn the two options for authenticating with Vault in the Issuer Node. |

The issuer node supports two authentication alternatives to securely store private keys and DIDs within Vault. In this article, we'll guide you through using each of these alternatives, assuming you're running the issuer node using Docker and Docker Compose.

The first option, an older method used by the issuer node, relies on the root token that Vault generates when it is initialized.

To employ this method, follow these steps:

- Set the following environment variable in the `.env-issuer` file: `ISSUER_VAULT_USERPASS_AUTH_ENABLED=false`

  Another option is to remove the `ISSUER_VAULT_USERPASS_AUTH_ENABLED` entry from the file to get the default value (false).
- Run the command below to add the Vault token to the `.env-issuer` configuration file: `make add-vault-token`

After step 2, the `.env-issuer` configuration file should contain an entry similar to this:

`ISSUER_KEY_STORE_TOKEN=hvs.HW8Qup9s6LBUA0ff8Q1TO6Uc`

Finally, start or restart the issuer node to ensure it includes the change in the file.

:::note
You can verify that the token generated by Vault matches the value in the `.env-issuer` file using this command:

`make print-vault-token`

This command prints the Vault token in the terminal, and it should match the one configured in the `.env-issuer` file.
:::

Upon Vault startup, an initialization script is executed. Among its tasks, it creates the user `issuernode` with the password `issuernodepwd` for the issuer node. To use this authentication alternative in Vault, follow these steps:

- Set the following environment variables in the `.env-issuer` file:

  `ISSUER_VAULT_USERPASS_AUTH_ENABLED=true`

  `ISSUER_VAULT_USERPASS_AUTH_PASSWORD=issuernodepwd`
- Restart the issuer node if necessary.

You might want to change the password for the `issuernode` user. To do this, follow these steps:

- Execute `make new_password=new_password change-vault-password`
- Update the value of the environment variable in the `.env-issuer` file: `ISSUER_VAULT_USERPASS_AUTH_PASSWORD=new_password`
- Restart the issuer node if necessary.

:::tip Which Option to Choose?
Well, it depends on the context, where you're running the issuer node, and whether you have permissions to access the Vault-generated token.
:::
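
As an added example (not part of the issuer node project), the shell function below audits a `.env-issuer` file for the settings described on this page: it reports which option is active and flags the default `issuernodepwd` password, a missing token, or a leftover root token. The function names `env_get` and `check_vault_auth` are hypothetical, and the script assumes that only the literal value `true` enables userpass.

```bash
#!/usr/bin/env bash
# Added example: audit the Vault auth settings in an issuer node env file.

# Print the value of KEY ($1) from env file ($2); last assignment wins.
env_get() {
  sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | tr -d "\"'\r"
}

# Report the auth mode and any findings; return 1 if a FAIL was found.
check_vault_auth() {
  local file=$1 enabled password token rc=0
  enabled=$(env_get ISSUER_VAULT_USERPASS_AUTH_ENABLED "$file")
  password=$(env_get ISSUER_VAULT_USERPASS_AUTH_PASSWORD "$file")
  token=$(env_get ISSUER_KEY_STORE_TOKEN "$file")

  # The file holds a token or password, so it should not be world-readable.
  if [ -n "$(find "$file" -prune -perm -004)" ]; then
    echo "WARN: $file is world-readable"
  fi

  # Assumption: only the literal value "true" enables userpass (default false).
  if [ "${enabled:-false}" = "true" ]; then
    echo "mode: userpass"
    if [ -z "$password" ]; then
      echo "FAIL: ISSUER_VAULT_USERPASS_AUTH_PASSWORD is empty"; rc=1
    elif [ "$password" = "issuernodepwd" ]; then
      echo "FAIL: default password from the Vault init script is in use"; rc=1
    fi
    # Assumption: the token is unused here (the userpass steps never set it).
    if [ -n "$token" ]; then
      echo "WARN: Vault root token is still stored in the file"
    fi
  else
    echo "mode: token"
    if [ -z "$token" ]; then
      echo "FAIL: ISSUER_KEY_STORE_TOKEN is missing (make add-vault-token)"; rc=1
    fi
  fi
  return "$rc"
}

# Demo on a constructed file; the values are samples from this page.
demo=$(mktemp)
printf '%s\n' 'ISSUER_VAULT_USERPASS_AUTH_ENABLED=true' \
  'ISSUER_VAULT_USERPASS_AUTH_PASSWORD=issuernodepwd' > "$demo"
check_vault_auth "$demo" || echo "audit failed: fix the findings above"
rm -f "$demo"
```

To audit a real deployment, call `check_vault_auth .env-issuer` from the directory that holds the file; a non-zero return means at least one FAIL finding.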