
Secret Store

The secret store is a central repository in which secrets, such as tokens, passwords and certificates, can be stored.

Edge Xpert uses HashiCorp Vault to allow secure access to the secret store.

The Secret Store deployment consists of the following:

| Image | Description |
|---|---|
| Vault | The Vault service |
| SecretStore Setup | A service to unseal and initialize Vault. During initialization, a client token is created for each Edge Xpert microservice. Any microservice started in secure mode can use its token to access Vault. |

The Vault service is started when either the --secret or the --api-gateway option is used with the edgexpert up command.

To access the Vault user interface, complete the following steps:

  1. Open a browser

  2. Enter the following URL in the Address Bar of the browser:

    http://localhost:8200

The token to use when signing into Vault can be found in /tmp/edgex/secrets/security-secretstore-setup/secrets-token.json.

For further information on Vault, refer to the Secret Store topic of the EdgeX Foundry documentation.
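Once the port mapping below is in place, the token file named above can be used from a script as well as from the UI. The following added example (not part of the Edge Xpert documentation or product) reads the token, asks Vault whether it is initialized and unsealed, and then looks the token up to show its policies and TTL. It assumes the token file uses Vault's token-response layout (`auth.client_token`); `/v1/sys/health` and `/v1/auth/token/lookup-self` are standard Vault HTTP API endpoints.

```python
import json
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

# Path and address as documented on the page. The token file is assumed here
# to use Vault's token-response JSON layout: {"auth": {"client_token": "..."}}.
TOKEN_FILE = "/tmp/edgex/secrets/security-secretstore-setup/secrets-token.json"
VAULT_ADDR = "http://localhost:8200"


def extract_token(token_json: str) -> str:
    """Pull the client token out of a secrets-token.json document."""
    doc = json.loads(token_json)
    token = (doc.get("auth") or {}).get("client_token")
    if not isinstance(token, str) or not token:
        raise ValueError("no auth.client_token found in token file")
    return token


def vault_headers(token: Optional[str]) -> Dict[str, str]:
    """Vault reads the client token from the X-Vault-Token header."""
    return {"X-Vault-Token": token} if token else {}


def vault_get(path: str, token: Optional[str] = None,
              addr: str = VAULT_ADDR) -> Tuple[int, dict]:
    """GET a Vault API path and return (status, decoded JSON body).

    Vault reports state through non-200 codes (for example 503 while sealed),
    so HTTPError is converted into an ordinary result instead of an exception.
    """
    req = urllib.request.Request(addr + path, headers=vault_headers(token))
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = resp.read()
            return resp.status, json.loads(body) if body else {}
    except urllib.error.HTTPError as err:
        body = err.read()
        return err.code, json.loads(body) if body else {}


def summarize_health(health: dict) -> Dict[str, bool]:
    """Reduce a /v1/sys/health body to the two flags that matter here."""
    return {
        "initialized": bool(health.get("initialized", False)),
        "sealed": bool(health.get("sealed", True)),
    }


def summarize_token(lookup: dict) -> dict:
    """Reduce a /v1/auth/token/lookup-self body to policies, TTL and a root flag."""
    data = lookup.get("data") or {}
    policies = list(data.get("policies") or [])
    return {
        "display_name": data.get("display_name"),
        "policies": policies,
        "ttl_seconds": data.get("ttl"),
        "is_root": "root" in policies,
    }


def main() -> None:
    with open(TOKEN_FILE, encoding="utf-8") as fh:
        token = extract_token(fh.read())
    status, health = vault_get("/v1/sys/health")
    print("health:", status, summarize_health(health))
    status, lookup = vault_get("/v1/auth/token/lookup-self", token)
    if status != 200:
        print("token lookup failed:", status, lookup.get("errors"))
        return
    summary = summarize_token(lookup)
    print("token:", summary)
    if summary["is_root"]:
        print("note: this token carries the root policy; protect the token file accordingly")


if __name__ == "__main__":
    main()
```

The lookup-self call is the useful part for a reviewer: it shows which policies the token in that file actually carries, so you can tell whether you are signing in with a narrowly scoped service token or with something far broader.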

Add a Port Mapping to Allow Access to Vault

In Edge Xpert, the port for accessing Vault is hidden for security reasons. To access Vault and add the certificate and key as secrets, you must update the /etc/edgexpert/docker-compose-security.yaml file.

To allow access to Vault, complete the following steps:

  1. Edit the docker-compose-security.yaml file, as described in Using a Local Docker Compose File

  2. Add the port mapping for vault to the vault section of the docker-compose-security.yaml file, as follows:

    vault:
        hostname: edgex-vault
        ports:
          - "8200:8200/tcp"
        environment:
            VAULT_UI: "true"

  3. Save the file

  4. Start the Edge Xpert services from the directory containing your local docker-compose-security.yaml file
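The mapping `"8200:8200/tcp"` publishes Vault's port on every interface of the host, which is why Edge Xpert hides it by default; writing `"127.0.0.1:8200:8200/tcp"` instead keeps the UI reachable from the host only. The following added example (not code from Edge Xpert or IOTech) parses Compose short-form port entries and audits a compose file for published ports that are reachable from the network. It is line-based on purpose so that it needs no YAML library; the sample compose text is constructed from the snippet above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*$")   # a key that opens a nested block
ITEM_RE = re.compile(r"^(\s*)-\s*(.+?)\s*$")            # a "- value" list entry


@dataclass
class PortMapping:
    host_ip: Optional[str]      # None: Docker binds the host port on all interfaces
    host_port: Optional[str]    # None: Docker picks an ephemeral host port
    container_port: str
    protocol: str

    @property
    def exposed_to_network(self) -> bool:
        """True unless the host side is pinned to a loopback address."""
        return self.host_ip not in LOOPBACK


def parse_port_mapping(spec: str) -> PortMapping:
    """Parse Compose short syntax: [host_ip:][host_port:]container_port[/proto]."""
    spec = spec.strip().strip("\"'")
    ports, _, proto = spec.partition("/")
    host_ip: Optional[str] = None
    if ports.startswith("["):                 # bracketed IPv6 host address
        end = ports.index("]")
        host_ip = ports[1:end]
        ports = ports[end + 2:]               # drop the closing "]:"
    parts = ports.split(":")
    if len(parts) == 1:
        host_port, container_port = None, parts[0]
    elif len(parts) == 2:
        host_port, container_port = parts
    elif len(parts) == 3 and host_ip is None:
        host_ip, host_port, container_port = parts
    else:
        raise ValueError(f"unsupported port mapping: {spec!r}")
    if not container_port:
        raise ValueError(f"missing container port in: {spec!r}")
    return PortMapping(host_ip, host_port or None, container_port, proto or "tcp")


def scan_compose_ports(text: str) -> List[Tuple[str, PortMapping]]:
    """Return (service, PortMapping) for every entry under a ports: key.

    A key line opens a block; a ports: block stays open while the following
    lines are "- value" entries indented deeper than the key itself.
    """
    findings: List[Tuple[str, PortMapping]] = []
    parents: List[Tuple[int, str]] = []   # stack of (indent, key) for enclosing blocks
    ports_indent: Optional[int] = None    # indent of the ports: key currently open
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        item = ITEM_RE.match(line)
        if ports_indent is not None and item and indent > ports_indent:
            service = parents[-1][1] if parents else "<unknown>"
            findings.append((service, parse_port_mapping(item.group(2))))
            continue
        ports_indent = None
        key = KEY_RE.match(line)
        if key:
            while parents and parents[-1][0] >= indent:
                parents.pop()
            if key.group(2) == "ports":
                ports_indent = indent
            else:
                parents.append((indent, key.group(2)))
    return findings


def audit(text: str) -> List[dict]:
    """Report each published port and whether it is reachable from the network."""
    return [
        {"service": svc, "host_ip": pm.host_ip or "0.0.0.0", "host_port": pm.host_port,
         "container_port": pm.container_port, "protocol": pm.protocol,
         "exposed": pm.exposed_to_network}
        for svc, pm in scan_compose_ports(text)
    ]


# Constructed sample built from the vault section shown above; not a real file.
SAMPLE_COMPOSE = """\
services:
  vault:
    hostname: edgex-vault
    ports:
      - "8200:8200/tcp"
    environment:
      VAULT_UI: "true"
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_COMPOSE
    for f in audit(text):
        flag = "NETWORK-EXPOSED" if f["exposed"] else "host-only"
        print(f"{f['service']}: {f['host_ip']}:{f['host_port']} -> "
              f"{f['container_port']}/{f['protocol']}  [{flag}]")
```

Run it against your edited docker-compose-security.yaml (`python audit_ports.py /etc/edgexpert/docker-compose-security.yaml`, file name assumed) before step 4; an entry reported as NETWORK-EXPOSED for vault means anyone who can reach the host on port 8200 can reach the Vault API, and only the token stands between them and the secrets.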
