Creating accounts

New accounts can be created and stored directly into the Vault by using the account plugin RPC API or CLI.

A JSON config must be provided to the API/CLI when creating accounts. Example:

```json
{
    "secretName": "myacct",
    "overwriteProtection": {
      "currentVersion": 4
    }
}
```
| Field | Description |
| --- | --- |
| `secretName` | Secret name/path the plugin will store the new account at |
| `overwriteProtection.currentVersion` | Current integer version of this secret in Vault (0 if no previous version exists) |
| `overwriteProtection.insecureDisable` | Alternative to `currentVersion`: disable overwrite protection |

kv secret engine

The plugin creates the account in memory, writes it to Vault, and zeros the private key. The plugin never writes the private key to the node's disk.

overwriteProtection

Typical usage will be to create separate Vault secrets for each account. However, KV v2 secret engines also support secret versioning.

The plugin uses KV v2's Check-And-Set (CAS) feature to protect against accidentally creating a new version of an existing secret.

If a secret with the same name already exists, currentVersion must be provided and must equal the current version number of the secret.

The CAS check can be skipped by setting "insecureDisable": "true".

Warning: Prevent accidental loss of account data

The K/V Version 2 secret engine supports versioning of secrets; however, only a limited number of versions are retained (10 by default).

This max-versions number can be set during creation of the secret engine or changed at a later date by using the Vault HTTP API or Vault CLI:

```
vault kv metadata put -max-versions <num> <kvEngineName>/<secretName>
```

quorum-signer secret engine

The plugin makes a request to the quorum-signer secret-engine to create a new account. The account private key only exists within the Vault boundary.

overwriteProtection

The quorum-signer secret-engine does not support automatic versioning of secrets.

Therefore, when using quorum-signer secret-engines:

  • Attempting to create a new account with the same `secretName` as an existing account will result in an error. This prevents accidentally overwriting existing accounts.
  • The `overwriteProtection` section of the new account config does not need to be defined.
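The following is an added example, not code from the plugin or from this page, that models the two `overwriteProtection` behaviours described above: the KV v2 path, where the plugin turns `currentVersion` into a KV v2 Check-And-Set (`options.cas`) write and where only `max-versions` versions are retained, and the quorum-signer path, where a duplicate `secretName` is simply rejected. The `FakeKVv2` and `FakeQuorumSigner` classes are constructed in-memory stand-ins for the real secret engines (assumed to mirror Vault's CAS semantics), `attempt` is a hypothetical helper, and the account data is a constructed placeholder rather than real key material.

```python
"""Constructed model of the account plugin's overwriteProtection rules.

Added example: FakeKVv2 / FakeQuorumSigner are in-memory stand-ins for the
Vault secret engines, not the plugin's own code.
"""


class OverwriteProtectionError(Exception):
    """Raised when a write would create an unintended new version or overwrite."""


class FakeKVv2:
    """In-memory KV v2 stand-in enforcing Check-And-Set and max-versions retention."""

    def __init__(self, max_versions=10):  # 10 is Vault's default retention
        self.max_versions = max_versions
        self.secrets = {}  # path -> {version number: data}

    def current_version(self, path):
        versions = self.secrets.get(path, {})
        return max(versions) if versions else 0

    def write(self, path, data, cas=None):
        current = self.current_version(path)
        # KV v2 CAS: cas=0 means "only create", cas=N means "only if current is N".
        if cas is not None and cas != current:
            raise OverwriteProtectionError(
                f"check-and-set parameter did not match the current version ({current})"
            )
        versions = self.secrets.setdefault(path, {})
        new_version = current + 1
        versions[new_version] = data
        # Older versions beyond max_versions are destroyed, as in Vault.
        while len(versions) > self.max_versions:
            del versions[min(versions)]
        return new_version


class FakeQuorumSigner:
    """In-memory quorum-signer stand-in: no versioning, duplicates are errors."""

    def __init__(self):
        self.accounts = {}

    def create(self, name, data):
        if name in self.accounts:
            raise OverwriteProtectionError(f"account {name!r} already exists")
        self.accounts[name] = data
        return 1


def kv_write_options(config):
    """Translate the overwriteProtection config into KV v2 write options."""
    protection = config.get("overwriteProtection", {})
    # The page shows "insecureDisable": "true" as a string; accept bool or string.
    if str(protection.get("insecureDisable", "")).lower() == "true":
        return {}  # no cas option: the CAS check is skipped
    if "currentVersion" not in protection:
        raise OverwriteProtectionError(
            "overwriteProtection.currentVersion or insecureDisable must be set"
        )
    return {"cas": int(protection["currentVersion"])}


def create_account(engine, config, account):
    """Create the account in the given engine, applying the engine's overwrite rules."""
    name = config["secretName"]
    if isinstance(engine, FakeQuorumSigner):
        # overwriteProtection is ignored here: the engine itself rejects duplicates.
        return engine.create(name, account)
    return engine.write(name, account, **kv_write_options(config))


def attempt(engine, config, account):
    """Hypothetical helper: ('created', version) or ('rejected', reason)."""
    try:
        return ("created", create_account(engine, config, account))
    except OverwriteProtectionError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    kv = FakeKVv2()
    account = {"address": "constructed-placeholder-address"}  # constructed, no real key
    print(attempt(kv, {"secretName": "myacct", "overwriteProtection": {"currentVersion": 0}}, account))
    print(attempt(kv, {"secretName": "myacct", "overwriteProtection": {"currentVersion": 0}}, account))
    print(attempt(kv, {"secretName": "myacct", "overwriteProtection": {"insecureDisable": "true"}}, account))
    signer = FakeQuorumSigner()
    print(attempt(signer, {"secretName": "myacct"}, account))
    print(attempt(signer, {"secretName": "myacct"}, account))
```

Running the module shows the first KV write succeeding at version 1, the repeated `currentVersion: 0` write being rejected by CAS, the `insecureDisable` write creating version 2 without any check, and the quorum-signer stand-in accepting the first create and rejecting the second regardless of `overwriteProtection`.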