-
Notifications
You must be signed in to change notification settings - Fork 1.6k
/
HashiCorpVault.yml
344 lines (344 loc) · 12.7 KB
/
HashiCorpVault.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
commonfields:
id: HashiCorp Vault
version: -1
name: HashiCorp Vault
display: HashiCorp Vault
category: Authentication & Identity Management
description: Manage Secrets and Protect Sensitive Data through HashiCorp Vault.
configuration:
- display: HashiCorp server URL (e.g., https://192.168.0.1:8200)
name: server
defaultvalue: ""
type: 0
required: true
- display: Use AppRole Auth Method
name: use_approle
type: 8
required: false
- display: Username / Role ID
displaypassword: Password / Secret ID
name: credentials
defaultvalue: ""
type: 9
required: false
- display: Authentication token
name: token
defaultvalue: ""
type: 4
hidden: true
required: false
- displaypassword: Authentication token
name: credentials_token
hiddenusername: true
type: 9
required: false
- display: Vault enterprise namespace
name: namespace
defaultvalue: ""
type: 0
required: false
- display: Trust any certificate (not secure)
name: unsecure
type: 8
required: false
- display: Use system proxy settings
name: proxy
type: 8
required: false
- display: Fetches credentials
name: isFetchCredentials
defaultvalue: "true"
type: 8
required: false
- display: CSV list of secrets engine types to fetch secrets from
additionalinfo: Possible values are KV, Cubbyhole, AWS.
name: engines
defaultvalue: KV,Cubbyhole
type: 0
required: false
- display: Concat username to credential object name
name: concat_username_to_cred_name
type: 8
additionalinfo: Should be used in case there are several secrets under the same folder in order to make the credential object unique.
required: false
script:
script: ''
type: python
subtype: python3
commands:
- name: hashicorp-list-secrets-engines
arguments: []
outputs:
- contextPath: HashiCorp.Engine.Type
description: Secrets engine type.
type: string
- contextPath: HashiCorp.Engine.Path
description: Secrets engine path in HashiCorp.
type: string
- contextPath: HashiCorp.Engine.Description
description: Secrets engine description.
type: string
- contextPath: HashiCorp.Engine.Accessor
description: Secrets engine accessor.
type: string
description: List all secrets engines that exist in HashiCorp Vault.
- name: hashicorp-list-secrets
arguments:
- name: engine
required: true
default: true
description: Engine path, e.g.,"secret/". Use the list-secrets-engines command to retrieve the engine path.
- name: version
auto: PREDEFINED
predefined:
- "1"
- "2"
description: The version of the KV engine.
defaultValue: "1"
outputs:
- contextPath: HashiCorp.Secret.Path
description: Secret path.
type: string
description: List secrets (names) for a specified KV engine.
- name: hashicorp-get-secret-metadata
arguments:
- name: engine_path
required: true
description: KV Engine path, e.g., "kv/".
- name: secret_path
required: true
description: Secret path, e.g., "secret".
outputs:
- contextPath: HashiCorp.Secret.Created
description: Secret creation time.
type: date
- contextPath: HashiCorp.Secret.Version.Destroyed
description: Is the version destroyed.
type: boolean
- contextPath: HashiCorp.Secret.Version.Created
description: Version creation time.
type: number
- contextPath: HashiCorp.Secret.Version.Deleted
description: Version deletion time.
type: date
- contextPath: HashiCorp.Secret.Updated
description: Secret last updated time.
type: date
- contextPath: HashiCorp.Secret.Engine
description: Secret engine type.
type: string
- contextPath: HashiCorp.Secret.CurrentVersion
description: Secret current version.
type: number
- contextPath: HashiCorp.Secret.Path
description: Secret path.
type: string
description: Returns information about a specified secret in a specified KV V2 engine.
- name: hashicorp-delete-secret
arguments:
- name: secret_path
required: true
description: Secret path, e.g., "secret".
- name: engine_path
required: true
description: Engine path, e.g.,"secret/".
- name: versions
required: true
description: CSV list of secret versions to delete.
isArray: true
description: Deletes the data under a specified secret given the secret path. Performs a soft delete that allows you to run the hashicorp-undelete-secret command if necessary (for KV V2 engine).
- name: hashicorp-undelete-secret
arguments:
- name: secret_path
required: true
description: Secret path, e.g., "secret".
- name: engine_path
required: true
description: Engine path, e.g.,"secret/".
- name: versions
required: true
description: CSV list of secret versions to undelete (restore).
isArray: true
description: Undeletes (restores) a secret on HashiCorp (for KV V2 engine).
- name: hashicorp-destroy-secret
arguments:
- name: secret_path
required: true
description: Secret path, .e.g., "secret".
- name: engine_path
required: true
description: Engine path, e.g.,"secret/".
- name: versions
required: true
description: CSV list of secret versions to permanently delete.
isArray: true
description: Permanently deletes a secret (for KV V2 engine).
- name: hashicorp-disable-engine
arguments:
- name: path
required: true
default: true
description: Path of the secrets engine to disable.
description: When a secrets engine is no longer needed, it can be disabled. All secrets under the engine are revoked and the corresponding vault data and configurations are removed.
- name: hashicorp-enable-engine
arguments:
- name: path
required: true
description: The path where the secrets engine will be mounted.
- name: type
required: true
description: Type of backend, e.g., "aws".
- name: description
description: Friendly description of the mount.
- name: default_lease_ttl
description: The default lease duration, specified as a string duration, e.g., "5s" or "30m".
- name: max_lease_ttl
description: The maximum lease duration, specified as a string duration, e.g., "5s" or "30m".
- name: force_no_cache
description: Whether to disable caching.
- name: audit_non_hmac_request_keys
description: CSV list of keys that will not be HMAC'd by audit devices in the request data object.
isArray: true
- name: audit_non_hmac_response_keys
description: CSV list of keys that will not be HMAC'd by audit devices in the response data object.
isArray: true
- name: listing_visibility
auto: PREDEFINED
predefined:
- unauth
- hidden
description: Whether to show this mount in the UI-specific listing endpoint. Default is hidden.
- name: passthrough_request_headers
description: CSV list of headers to add to allow list and pass from the request to the backend.
isArray: true
- name: kv_version
auto: PREDEFINED
predefined:
- "1"
- "2"
description: KV version to mount. Set to "2" for mount KV V2.
- name: local
description: Specifies if the secrets engine is a local mount only. Local mounts are not replicated, nor (if a secondary) removed by replication. Supported only in Vault Enterprise.
- name: seal_wrap
description: Enable seal wrapping for the mount. Supported only in Vault Enterprise.
description: Enables a new secrets engine at the specified path.
- name: hashicorp-list-policies
arguments: []
outputs:
- contextPath: HashiCorp.Policy.Name
description: Policy name.
type: string
description: Lists all configured policies.
- name: hashicorp-get-policy
arguments:
- name: name
required: true
description: Policy name.
outputs:
- contextPath: HashiCorp.Policy.Name
description: Policy name.
type: string
- contextPath: HashiCorp.Policy.Rule.Path
description: Policy rule path.
type: string
- contextPath: HashiCorp.Policy.Rule.Capabilities
description: Policy rule capabilities.
description: Get information for a policy.
- name: hashicorp-seal-vault
arguments: []
description: If you suspect your data has been compromised, you can seal your vault to prevent access to your secrets.
execution: true
- name: hashicorp-unseal-vault
arguments:
- name: key
description: Single master key.
- name: reset
auto: PREDEFINED
predefined:
- "true"
description: Reset the unseal project.
description: Use a single master key share to unseal the vault. If the master key shares threshold is met, the vault will attempt to unseal the vault. Otherwise, this API must be called until the threshold is met.
- name: hashicorp-configure-engine
arguments:
- name: path
required: true
description: The engine path, e.g., "secret/".
- name: folder
description: Specific folder to fetch secrets from, e.g., "secret-folder/". (Supported only for engine type KV2.)
- name: aws_roles_list
description: A comma-delimited list of roles names to generate credentials for. If not mentioned, we will generate credentials for all roles in the path.
- name: aws_method
auto: PREDEFINED
predefined:
- "GET"
- "POST"
description: A parameter to indicate which type of request we would like to use to generate credentials.
- name: type
auto: PREDEFINED
predefined:
- "KV"
- "Cubbyhole"
- "AWS"
required: true
description: The engine type, e.g., "KV".
- name: version
auto: PREDEFINED
predefined:
- "1"
- "2"
description: The engine version (for KV engines); "1" or "2".
description: Configure a secrets engine to fetch secrets from.
- name: hashicorp-reset-configuration
arguments: []
description: Reset the engines configuration.
- name: hashicorp-create-token
arguments:
- name: role_name
description: The name of the token role.
- name: policies
description: CSV list of policies for the token. This must be a subset of the policies belonging to the token making the request, unless root. If policies are not specified, all policies of the calling token are applied to the new token.
isArray: true
- name: meta
description: A map of string-to-string valued metadata. This is passed through to the audit devices.
- name: no_parent
auto: PREDEFINED
predefined:
- "true"
- "false"
description: If true and set by a root caller, the token will not have the parent token of the caller. This creates a token with no parent.
- name: no_default_policy
auto: PREDEFINED
predefined:
- "true"
- "false"
description: If true the default policy will not be included in this token's policy set.
- name: renewable
auto: PREDEFINED
predefined:
- "true"
- "false"
description: If set to false, the token cannot be renewed past its initial TTL. If set to true, the token can be renewed up to the system/mount maximum TTL.
- name: ttl
description: The TTL(lease duration) period of the token, provided as "10m" or "1h", where hour is the largest suffix. If not provided, the token is valid for the default lease TTL, or indefinitely if the root policy is used.
- name: explicit_max_ttl
description: 'If set, the token will have an explicit max TTL applied to it. The maximum token TTL cannot be changed later, and unlike with normal tokens, updates to the system/mount max TTL value will have no effect at renewal time. The token can never be renewed or used past the value set at issue time.'
- name: display_name
description: The display name of the token.
- name: num_uses
description: The maximum number of times the token can be used. Supply this argument to create a one-time-token, or limited use token. The value of 0 has no limit to the number of uses.
- name: period
description: If specified, the token will be periodic. It will not have a maximum TTL (unless an "explicit-max-ttl" is also set), but every renewal will use the given period. Requires a root/sudo token to use.
outputs:
- contextPath: HashiCorp.Auth.Token
description: Authentication token.
type: string
- contextPath: HashiCorp.Auth.Policy
description: Authentication policies.
- contextPath: HashiCorp.Auth.LeaseDuration
description: Authentication lease duration in seconds, 0 if indefinitely.
type: number
description: Creates a new authentication token.
dockerimage: demisto/vendors-sdk:1.0.0.74116
tests:
- hashicorp_test
fromversion: 5.0.0