Vault secrets management for Cyral in a Kubernetes-automated, AWS environment

Role of Vault in a Cyral deployment

You can configure Cyral to use HashiCorp Vault to store sensitive credentials and certificates. Cyral can load many types of information from a Vault store, including:

  • Repository credentials for SSO mappings. The Cyral authenticator service accepts these as per-repo JSON objects in the format {"repo1":["creds-repo1"]}.

  • Certificate chain, server certificate, and private key for mTLS. The Cyral interceptor service supports mutual TLS (mTLS) authentication and relies on Vault to store the required certificates and keys.

  • Certificate chain, client certificate, and private key for Filebeat. The Cyral sidecar relies on a utility called Filebeat to send log information to Logstash. In this configuration, you can choose to enable TLS and optionally mutual TLS to secure the connection.


Note! In this document, we assume Cyral will authenticate to Vault using AWS authentication. These instructions assume you have a Kubernetes cluster running on AWS Elastic Kubernetes Service (EKS). If you do not have one, you can create a cluster following this guide.

Before you begin integrating Vault into your Cyral deployment, have the following ready:

  • A Vault instance that Cyral can connect to, and administrator access to this Vault instance.

  • Authentication credentials for Cyral's account in your Vault instance. Cyral supports using AWS, Kubernetes or app role authentication for connecting to Vault.

    • To use AWS authentication, we assume that you've created an OIDC provider and an identity provider, and that you've created the AWS IAM roles that we will bind to Kubernetes Service accounts.

  • Optional: The payload you plan to store in Vault. For example:

    • For database credentials, make sure you have the usernames and the passwords for the database accounts.

Add Vault Integration in Cyral Management Console

In the Integrations page of the Cyral Management Console, provide the Vault server connectivity and authentication scheme details. The screenshot below shows an example configuration.

Note that in the example above, the Vault server uses AWS IAM authentication, which the following configuration block specifies. In this example, “cyral-sidecar” is the name of the role in the Vault server.

method "aws" {
  mount_path = "auth/aws"
  config {
    type = "iam"
    role = "cyral-sidecar"
  }
}


Associate the Vault integration with your sidecar

When downloading the sidecar template from the Cyral management console, choose the Vault integration that you want the sidecar to use. Below is an example screenshot.

Add database credentials to KV V2 secrets engine

The following example adds a single credential set using the vault command-line utility. The secret name can be anything, but it is advisable to organize it so that it can be extended to include more repos and credentials.

vault kv put /cyral/dbsecrets/patientdata/analyst username=analyst
vault kv patch /cyral/dbsecrets/patientdata/analyst password=STRONGPASSWORD
# Optional, database name you want users connected to upon login
vault kv patch /cyral/dbsecrets/patientdata/analyst databaseName=finance
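
The script below is an added example, not part of Cyral's documentation: it gives the "cyral-sidecar" Vault role read-only access to the secrets written above and supplies the password on stdin instead of as a command-line argument. It assumes the KV v2 engine is mounted at cyral/ and that the sidecar only needs read access; the policy name, IAM role ARN and token TTL are placeholders.

```shell
#!/bin/sh
# Added example, not Cyral's code. Assumes KV v2 is mounted at "cyral/";
# the policy name, IAM role ARN and token TTL below are placeholders.
set -eu

MOUNT="cyral"                            # assumed KV v2 mount point
SECRET="dbsecrets/patientdata/analyst"   # secret path used on this page
POLICY_NAME="cyral-sidecar-read"         # hypothetical policy name
ROLE_ARN="arn:aws:iam::111111111111:role/PLACEHOLDER"   # placeholder ARN

# KV v2 serves secret data under <mount>/data/<path>. Policies must use that
# API path, not the shorter path typed into "vault kv put".
kv2_data_path() {
    printf '%s/data/%s' "${1%/}" "${2#/}"
}

# Render a read-only policy limited to the dbsecrets subtree of the mount.
render_policy() {
    printf 'path "%s" {\n  capabilities = ["read"]\n}\n' \
        "$(kv2_data_path "$1" "dbsecrets/*")"
}

# Apply everything to Vault. Needs VAULT_ADDR and an administrator token.
apply() {
    render_policy "$MOUNT" | vault policy write "$POLICY_NAME" -
    # Bind the "cyral-sidecar" role from this page to a single IAM principal.
    vault write auth/aws/role/cyral-sidecar auth_type=iam \
        bound_iam_principal_arn="$ROLE_ARN" \
        token_policies="$POLICY_NAME" token_ttl=1h
    vault kv put "$MOUNT/$SECRET" username=analyst
    # "password=-" makes vault read the value from stdin, which keeps it out
    # of shell history and the process list.
    printf 'Password for analyst: ' >&2
    trap 'stty echo' EXIT
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    printf '%s' "$pw" | vault kv patch "$MOUNT/$SECRET" password=-
}

# Run the Vault commands only when invoked as: sh setup.sh apply
if [ "${1:-}" = "apply" ]; then
    apply
fi
```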

Add local accounts and identity maps

In the Cyral management console, under each repo, add a local account that points to the secret created above. Then create an identity map to associate an SSO group with a local account.

Below is an example screenshot after adding a local account for user “analyst”.

Below is an example identity map showing the association between SSO group “Data Analysts” and local account “analyst”.

See also

Vault secrets management for Cyral in a Nomad-automated environment
