
SecretStore Setup

Overview

The Security SecretStore Setup (previously Vault Worker) is responsible for doing the following:

  • Create tokens for each microservice to access Vault
  • Create a random Redis password for each microservice to access the Redis database

Note

As of Edge Xpert 2.0, the service name was changed from vault-worker to secretstore-setup.

How to get Vault root token

To get access to the secrets for each microservice in Vault, complete the following steps:

1. Add environment variables for the vault and secretstore-setup services to your local docker-compose-security.yml:

services:
  vault:
    ports:
      - "8200:8200"
    environment:
      VAULT_UI: "true"

  secretstore-setup:
    environment:
      SECRETSTORE_REVOKEROOTTOKENS: "false"

Note

For details on adding environment variables to the local docker-compose-security.yml, refer to docker-compose override.

2. Reveal the contents of the resp-init.json file stored in a Docker volume and extract the root_token field value from the resulting JSON output:

$ docker run --rm -ti -v edgexpert_vault-config:/vault/config:ro alpine:latest cat /vault/config/assets/resp-init.json

3. Go to http://localhost:8200 and get access to each microservice's secret at the following path: ui/vault/secrets/secret/list/edgex/
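
Steps 2 and 3 can be scripted as below. This is an added example, not part of the Edge Xpert documentation: it extracts root_token from resp-init.json and asks Vault's auth/token/lookup-self endpoint whether the token is still accepted. The function names, the --live switch and the sample JSON are assumptions made for the example; it also assumes curl is installed and Vault is published on localhost:8200 as in step 1.

```sh
#!/bin/sh
# Added example: fetch the root token from resp-init.json and check whether
# Vault still accepts it. VAULT_ADDR default and function names are assumptions.
VAULT_ADDR="${VAULT_ADDR:-http://localhost:8200}"

# Constructed sample in the shape of a Vault init response (not real keys).
SAMPLE_INIT_JSON='{"keys":["k1"],"keys_base64":["azE="],"root_token":"s.ConstructedSample"}'

# Print the root_token field of the JSON on stdin; fail if absent or empty.
# tr strips CR/LF so pretty-printed or TTY-mangled output still parses.
extract_root_token() {
  token=$(tr -d '\r\n' |
    sed -n 's/.*"root_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$token" ] || return 1
  printf '%s\n' "$token"
}

# Same command as step 2, minus -ti: no TTY is needed, and -t adds
# carriage returns to output that is piped into another program.
read_init_response() {
  docker run --rm -v edgexpert_vault-config:/vault/config:ro alpine:latest \
    cat /vault/config/assets/resp-init.json
}

# Print the token for the UI login in step 3 and report whether it is live.
check_root_token() {
  if ! token=$(read_init_response | extract_root_token); then
    echo "no root_token found in resp-init.json" >&2
    return 1
  fi
  # auth/token/lookup-self answers HTTP 200 only for a token Vault accepts.
  code=$(curl -s -o /dev/null -w '%{http_code}' \
    -H "X-Vault-Token: $token" "$VAULT_ADDR/v1/auth/token/lookup-self")
  printf '%s\n' "$token"
  if [ "$code" = "200" ]; then
    echo "root token is still valid" >&2
  else
    echo "Vault did not accept the token (HTTP $code)" >&2
    return 2
  fi
}

# "--live" talks to the running stack; the default parses the sample offline.
if [ "${1:-}" = "--live" ]; then
  check_root_token
else
  printf '%s' "$SAMPLE_INIT_JSON" | extract_root_token
fi
```

With --live the token goes to stdout and the status message to stderr. Running it again after the step 1 overrides are removed shows whether the root token is still accepted.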

Note

If you want to access the database directly, it is recommended that you retrieve the password from Vault. However, because the Security SecretStore Setup microservice does not create a token for use by external services, this cannot be done. For further information and a workaround, see Known Issues.