Configure the HashiCorp Vault Integration for Tenable Vulnerability Management
Required User Role: Standard, Scan Manager, or Administrator
The Tenable HashiCorp Vault integration exists as an authentication method within the SSH, Windows, Database, IBM DataPower Gateway, and SNMPv3 credentials in Tenable Vulnerability Management scan policies.
Required Permissions
To ensure that the integration between Tenable Vulnerability Management and HashiCorp Vault functions correctly, you must configure all of the permissions listed below.
API Requirements
- Log in to HashiCorp Vault, go to Authentication Methods, and enable the method (AppRole or TLS Certificates) that Tenable will use to authenticate during scans. Identify and record the path to this method, because it serves as the Authentication URL in the integration scan credentials.
- In your HashiCorp Vault server, set up the secrets engine you intend to use. Supported options are the KV, LDAP, AD, and SSH engines. Identify and record the path to the engine, because it serves as the Engine URL in the integration scan credentials.
- Go to the Policies section of the HashiCorp Vault interface and select your_ACL_policy_name; then configure or modify the policy capabilities for each applicable secrets engine to grant read permission.
Note: For privilege escalation scans (SSH only), ensure the authentication method also has read access to the escalation credential path.
HashiCorp requires API URLs to be formatted in a specific way. The URL must start with /v1/ and not end with a /. Refer to the following table for examples.
| URL Type | Description | Required |
|---|---|---|
| KV1 Engine URL (KV1) | The URL HashiCorp Vault uses to access the KV1 engine. Example: /v1/secret. No trailing / | Yes, if you select the KV1 Vault Type |
| KV2 Engine URL (KV2) | The URL HashiCorp Vault uses to access the KV2 engine. Example: /v1/secret. No trailing / | Yes, if you select the KV2 Vault Type |
| AD Engine URL (AD) | The URL HashiCorp Vault uses to access the Active Directory engine. Example: /v1/ad/creds. No trailing / | Yes, if you select the AD Vault Type |
| LDAP Engine URL (LDAP) | The URL HashiCorp Vault uses to access the Lightweight Directory Access Protocol (LDAP) engine. Example: /v1/ldap/static-cred. No trailing / | Yes, if you select the LDAP Vault Type |
| SSH Signed Certificates | The URL HashiCorp Vault uses to access the SSH engine. Example: /v1/ssh-client-signer/issue/my-role. No trailing / | Yes, if you select the SSH Signed Certificates Vault Type |
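As an added example (written for this page, not Tenable's or HashiCorp's code), the Python below checks an Engine URL against the two formatting rules above and, for the KV1 and KV2 Vault Types, derives the path that the read-only ACL policy from the permissions steps must cover, including the separate escalation credential path. The secret names are constructed; the KV2 `data/` segment is standard Vault KV v2 behaviour, the other engine types are deliberately left out.

```python
"""Validate Tenable-style Vault Engine URLs and derive read-only ACL paths.
Example code for this page; not part of Tenable or HashiCorp Vault."""
from typing import List, Optional

# Segment Vault inserts between the mount and the secret name for each KV
# version. KV v2 reads go through <mount>/data/<secret>, so the ACL must name
# "<mount>/data/<secret>"; KV v1 reads <mount>/<secret> directly.
_API_SUBPATH = {"KV1": "", "KV2": "data"}


def check_engine_url(url: str) -> List[str]:
    """Return the formatting rules the URL violates (empty list = acceptable)."""
    problems = []
    if not url.startswith("/v1/"):
        problems.append("must start with /v1/")
    if url.endswith("/"):
        problems.append("must not end with /")
    if "//" in url:
        problems.append("contains an empty path segment")
    return problems


def acl_path(vault_type: str, engine_url: str, secret_name: str) -> str:
    """Policy path an ACL entry must cover so the scanner can read secret_name."""
    problems = check_engine_url(engine_url)
    if problems:
        raise ValueError(f"bad engine URL {engine_url!r}: {', '.join(problems)}")
    if vault_type not in _API_SUBPATH:
        raise ValueError(f"only KV1/KV2 handled in this example, got {vault_type!r}")
    mount = engine_url[len("/v1/"):]  # ACL policies omit the /v1/ API prefix
    parts = [mount, _API_SUBPATH[vault_type], secret_name.strip("/")]
    return "/".join(p for p in parts if p)


def read_policy_hcl(vault_type: str, engine_url: str, secret_name: str,
                    escalation_name: Optional[str] = None) -> str:
    """Render a minimal read-only HCL policy; adds the escalation path if given
    (the SSH privilege-escalation case from the note above)."""
    names = [secret_name] + ([escalation_name] if escalation_name else [])
    stanzas = [
        f'path "{acl_path(vault_type, engine_url, n)}" {{\n'
        f'  capabilities = ["read"]\n}}'
        for n in names
    ]
    return "\n\n".join(stanzas)


if __name__ == "__main__":
    # Constructed sample values: a KV2 mount at /v1/secret with a scan credential
    # and a separate escalation credential.
    print(read_policy_hcl("KV2", "/v1/secret", "scanner/ssh", "scanner/ssh-sudo"))
```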