Configure the HashiCorp Vault Integration for Tenable Security Center

Required User Role: Standard, Scan Manager, or Administrator

The Tenable HashiCorp Vault integration exists as an authentication method within the SSH, Windows, and Database credentials in Tenable Security Center scan policies.

Required Permissions

For the Tenable Security Center and HashiCorp Vault integration to function correctly, you must configure all of the permissions described below.

API Requirements

  1. Log in to HashiCorp Vault, go to Authentication Methods, and enable the method Tenable uses for access during scans: either AppRole or TLS Certificates. Identify and record the path to this method, since it serves as the Authentication URL in the integration scan credentials.

  2. On your HashiCorp Vault server, enable the secrets engine you intend to use. Supported options are the KV, LDAP, AD, and SSH engines. Identify and record the path to the engine, since it serves as the Engine URL in the integration scan credentials.

  3. In the Policies section of the HashiCorp Vault interface, select your_ACL_policy_name, then create or modify the policy capabilities for each applicable secrets engine to grant read permission.

Note: For privilege escalation scans (SSH only), ensure the authentication method also has read access to the escalation credential path.

HashiCorp requires API URLs to be formatted in a specific way. The URL must start with /v1/ and not end with a /. Refer to the following table for examples.

| URL Type | Description | Required |
|----------|-------------|----------|
| KV1 Engine URL (KV1) | The URL HashiCorp Vault uses to access the KV1 engine. Example: /v1/secret. No trailing / | Yes, if you select the KV1 Vault Type |
| KV2 Engine URL (KV2) | The URL HashiCorp Vault uses to access the KV2 engine. Example: /v1/secret. No trailing / | Yes, if you select the KV2 Vault Type |
| AD Engine URL (AD) | The URL HashiCorp Vault uses to access the Active Directory engine. Example: /v1/ad/creds. No trailing / | Yes, if you select the AD Vault Type |
| LDAP Engine URL (LDAP) | The URL HashiCorp Vault uses to access the Lightweight Directory Access Protocol engine. Example: /v1/ldap/static-cred. No trailing / | Yes, if you select the LDAP Vault Type |
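The following script is an added example, not Tenable's or HashiCorp's own code, covering both the three setup steps above (enable the AppRole method, enable a secrets engine, write a read-only ACL policy that also covers the escalation credential path) and the URL format rule in the table. It validates an engine or authentication URL against the stated rule (must start with /v1/, must not end with /), renders a least-privilege policy, and only talks to a live Vault when APPLY_TO_VAULT=1 is set. The role name tenable-scan, the policy name, and the mount paths secret/data/scan-creds and secret/data/escalation are assumptions; the vault CLI commands themselves are standard.

```shell
#!/bin/sh
# Added example; assumes placeholder names and mount paths (see lead-in).
set -eu

# Check the URL rule from the integration docs: must begin with /v1/ and
# must not end with a trailing /. Returns 0 if valid, 1 otherwise.
check_vault_url() {
  url="$1"
  case "$url" in
    /v1/*/) echo "invalid (trailing /): $url" >&2; return 1 ;;
    /v1/)   echo "invalid (nothing after /v1/): $url" >&2; return 1 ;;
    /v1/*)  return 0 ;;
    *)      echo "invalid (must start with /v1/): $url" >&2; return 1 ;;
  esac
}

# Render an HCL policy granting only "read" on the scan credential path and,
# optionally, on the privilege-escalation credential path (SSH only).
# For a KV v2 mount, policy paths carry the /data/ segment (assumed mount).
render_scan_policy() {
  engine_path="$1"
  escalation_path="${2:-}"
  printf 'path "%s/*" {\n  capabilities = ["read"]\n}\n' "$engine_path"
  if [ -n "$escalation_path" ]; then
    printf 'path "%s/*" {\n  capabilities = ["read"]\n}\n' "$escalation_path"
  fi
}

# Count how many paths the rendered policy grants access to (used to confirm
# the escalation path was included for privilege escalation scans).
count_policy_paths() {
  render_scan_policy "$@" | grep -c '^path '
}

# Apply the setup to a live Vault. Requires VAULT_ADDR/VAULT_TOKEN and the
# vault CLI; only runs when explicitly requested.
configure_vault() {
  vault auth enable approle                      # step 1: auth method (path: auth/approle)
  vault secrets enable -path=secret kv-v2        # step 2: secrets engine (Engine URL /v1/secret)
  render_scan_policy "secret/data/scan-creds" "secret/data/escalation" \
    | vault policy write tenable-scan -          # step 3: read-only ACL policy
  vault write auth/approle/role/tenable-scan token_policies="tenable-scan"
}

if [ "${APPLY_TO_VAULT:-0}" = "1" ]; then
  check_vault_url "/v1/secret"
  configure_vault
fi
```

Run it with APPLY_TO_VAULT=1 against a non-production Vault first and inspect the resulting policy with vault policy read tenable-scan: the scanner's role should end up with read on exactly the credential paths it needs and nothing else, and every Engine URL or Authentication URL you paste into the scan credential should pass check_vault_url before you save it.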