# Vault

HashiCorp Vault is our secrets management platform. It stores API keys, database credentials, certificates, and other sensitive data.

| Property | Value |
|---|---|
| URL | vault.shared.cwiq.io |
| Login | SSO via Authentik (OIDC method) |
## Accessing the Vault UI
- Open vault.shared.cwiq.io (requires Tailscale)
- Select OIDC as the authentication method
- Click Sign in with OIDC
- Authenticate with your Google account via Authentik
## Key Concepts
| Concept | Description |
|---|---|
| Secret Engine | A backend that stores secrets (e.g., kv-v2 for key-value pairs) |
| Path | Location of a secret (e.g., secret/orchestrator/server/database) |
| Policy | Rules defining who can read/write which paths |
| AppRole | Machine authentication method used by CI/CD and services |
## Reading Secrets (UI)

- Navigate to Secrets Engines in the sidebar
- Click the `secret/` engine
- Browse the folder structure to find your secret
- Click a secret to view its key-value pairs
- Click the eye icon to reveal values
## Reading Secrets (CLI)

```shell
# Log in via OIDC (opens a browser for the Authentik sign-in)
vault login -method=oidc

# Read a secret (all fields, plus version metadata)
vault kv get secret/orchestrator/server/database

# Get a specific field (prints the bare value, suitable for scripts)
vault kv get -field=password secret/orchestrator/server/database
```

The CLI talks to the server named in the `VAULT_ADDR` environment variable, so point it at `https://vault.shared.cwiq.io` first (the same Tailscale requirement as the UI applies). Prefer `-field=` in scripts so that the other fields of the secret are not echoed into logs.
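The CLI hides one detail that matters as soon as you leave it: on a kv-v2 engine the real API path is not `secret/orchestrator/server/database` but `secret/data/orchestrator/server/database`, and the values come back nested under `data.data` next to version metadata. The following added example (not part of this page or of any of our services) does the same read as the commands above over the HTTP API with only the standard library, reusing the token that `vault login` writes to `~/.vault-token` or the `VAULT_TOKEN` variable. It assumes the kv-v2 engine is mounted at `secret/` and the server address is `https://vault.shared.cwiq.io`; the sample response is constructed to match the shape of a kv-v2 read.

```python
"""Read a kv-v2 secret from Vault over its HTTP API (added example).

Assumptions, not facts from the page: kv-v2 is mounted at "secret/",
the server is https://vault.shared.cwiq.io, and a token already exists
from `vault login -method=oidc` (written to ~/.vault-token) or is in
the VAULT_TOKEN environment variable.
"""
import json
import os
import urllib.request
from pathlib import Path
from typing import Optional

# Assumed address; the real CLI honours VAULT_ADDR the same way.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "https://vault.shared.cwiq.io")


def kv2_api_path(cli_path: str, kind: str = "data") -> str:
    """Translate a CLI path like `secret/a/b` into the kv-v2 API path.

    kv-v2 inserts `data/` (secret values) or `metadata/` (versions,
    listing) right after the mount name. The CLI does this for you;
    raw HTTP calls and policy rules must use the real path.
    """
    mount, _, rest = cli_path.strip("/").partition("/")
    if not rest:
        raise ValueError("path must contain a mount and a secret path")
    return f"{mount}/{kind}/{rest}"


def vault_token() -> str:
    """Token from VAULT_TOKEN, else the file written by `vault login`."""
    tok = os.environ.get("VAULT_TOKEN")
    if tok:
        return tok
    token_file = Path.home() / ".vault-token"
    if token_file.is_file():
        return token_file.read_text().strip()
    raise RuntimeError("no Vault token: run `vault login -method=oidc` first")


def parse_kv2_response(body: bytes, field: Optional[str] = None):
    """Return the secret's key/value pairs, or a single field, from a kv-v2 read.

    The values sit under data.data; the outer data also carries version
    metadata, which is easy to mistake for the secret itself.
    """
    doc = json.loads(body)
    secret = doc["data"]["data"]
    if field is None:
        return secret
    if field not in secret:
        raise KeyError(f"field {field!r} not present in secret")
    return secret[field]


def read_secret(cli_path: str, field: Optional[str] = None,
                addr: str = VAULT_ADDR, token: Optional[str] = None):
    """GET the secret. A 403 raises HTTPError, so a missing policy is
    never silently treated as an empty secret."""
    url = f"{addr.rstrip('/')}/v1/{kv2_api_path(cli_path)}"
    req = urllib.request.Request(
        url, headers={"X-Vault-Token": token or vault_token()})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_kv2_response(resp.read(), field)


# Constructed sample in the shape of a kv-v2 read response (not real data).
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "data": {"username": "orchestrator", "password": "example-only"},
        "metadata": {"version": 3, "destroyed": False},
    }
}).encode()


if __name__ == "__main__":
    # Offline demonstration on the constructed response.
    print(kv2_api_path("secret/orchestrator/server/database"))
    print(parse_kv2_response(SAMPLE_RESPONSE, "username"))
    # Live read, equivalent to `vault kv get -field=password ...`:
    # print(read_secret("secret/orchestrator/server/database", "password"))
```

`read_secret` deliberately does not catch `HTTPError`: a 403 on a path means your token's policy does not cover it, which is exactly the case the Policies section describes, and you want that to fail loudly rather than return nothing.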
## Common Secret Paths

| Path | Contains |
|---|---|
| secret/orchestrator/server/* | Backend API secrets |
| secret/orchestrator/ui/* | Frontend configuration |
| secret/sonarqube/* | SonarQube credentials |
| secret/defectdojo/* | DefectDojo API tokens |
## For CI/CD Usage
Secrets are accessed in CI/CD pipelines using Vault JWT authentication. See Vault Secrets in CI for details.
## Policies

Your access is determined by your team's Vault policy. Vault denies by default, so any path not explicitly granted returns a 403. To check what your current token can do on a path before opening a ticket, run `vault token capabilities secret/data/orchestrator/server/database` (note the `data/` segment: policies are written against the kv-v2 API path, not the shorter path the CLI accepts). If you need access to a path you can't read, contact your admin.
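For reference, this is what a read-only team policy for the orchestrator backend secrets from the Common Secret Paths table looks like. It is an added illustration, not one of our actual policies, and it assumes the kv-v2 engine is mounted at `secret/`:

```hcl
# Added example policy (not a real team policy). Assumes kv-v2 at "secret/".

# kv-v2 puts "data/" after the mount name in the API path. A rule written
# as "secret/orchestrator/server/*" (the CLI form) would match nothing,
# and every read would be denied.
path "secret/data/orchestrator/server/*" {
  capabilities = ["read"]
}

# Listing and browsing (the UI folder view, `vault kv list`) go through
# the metadata path and need "list".
path "secret/metadata/orchestrator/server/*" {
  capabilities = ["list", "read"]
}

# Everything else, including secret/data/orchestrator/ui/*, stays denied
# because Vault grants nothing that is not listed.
```

The split between `data/` and `metadata/` is also why a token can sometimes list a folder in the UI but not open the secrets in it, or the reverse: the two capabilities live on different paths.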