I have a running Vault server. I enabled the transit secrets engine and created a `vault_transit_secret_backend_key` through Terraform:
    resource "vault_mount" "transit" {
      path = "transit"
      type = "transit"
    }

    resource "vault_transit_secret_backend_key" "transit_key" {
      backend = vault_mount.transit.path
      name    = "test-pagination-key"
      type    = "chacha20-poly1305"
    }
I am able to see the generated backend key in the Vault UI.
After creating this key, I need to go into Key actions, select Datakey, select Plaintext key and hit “Create datakey” to fetch the backend key in plaintext format.
I need the data key inside the Helm chart so my application can make use of it.
How do I fetch that data key through the Vault Agent? I can use annotations in the Deployment object like:
    annotations:
      vault.hashicorp.com/agent-inject: "true"
      vault.hashicorp.com/agent-inject-status: "update"
      vault.hashicorp.com/agent-inject-secret-pagination-key: "transit/test-pagination-key"
But the data key is not stored directly inside Vault as a key/value pair; we have to generate the data key in plaintext as shown in the images above.
How can I fetch the data key in plaintext from the transit backend key?
References: there is an API call I can see in the Vault documentation (Document).
Sample request:
    curl \
        --header "X-Vault-Token: ..." \
        --request POST \
        --data @payload.json \
        http://127.0.0.1:8200/v1/transit/datakey/plaintext/my-key
Sample response:

    {
      "data": {
        "plaintext": "dGhlIHF1aWNrIGJyb3duIGZveAo=",
        "ciphertext": "vault:v1:abcdefgh"
      }
    }

Or there is an alternative CLI call, sample below:
    $ vault write -f transit/datakey/plaintext/orders
    Key            Value
    ---            -----
    ciphertext     vault:v6:muu3qQr8beEnEpCoi3225rCe60V2abzjWy7MC7+1XE5pl7JX4RM+7o65+sly0wwG1HEJaUstEhwVhBro
    key_version    6
    plaintext      JGrAH+uy+iuYfqIf0DtMBCYc/x7PYQ3NFKkF8+hsFqo=
How can I make this API call or CLI call using the Vault Agent?
Kindly give me some pointers on how to proceed with this issue.
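One way to have the Vault Agent issue that write itself, as an added example that is not from the original post or from HashiCorp's documentation: the injector's `agent-inject-template-<name>` annotation replaces the default template, and consul-template's `secret` function performs a write (POST) rather than a read when it is given key=value arguments, so passing the endpoint's own `bits` parameter turns the lookup into the request the datakey endpoint expects. The Kubernetes auth role name `my-app` and its policy are assumptions.

```yaml
# Added example (not from the original post): pod annotations for the Vault Agent
# Injector that render a transit data key derived from "test-pagination-key".
# Assumed: a Kubernetes auth role "my-app" bound to the pod's service account.
metadata:
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "my-app"
    # The secret annotation registers the file name (/vault/secrets/pagination-key);
    # the custom template below decides what is actually requested.
    vault.hashicorp.com/agent-inject-secret-pagination-key: "transit/datakey/plaintext/test-pagination-key"
    # consul-template's "secret" function writes instead of reads when it is given
    # key=value arguments; "bits=256" is the endpoint's own parameter (and its
    # default), so here it only serves to turn the call into a POST.
    # Both fields are rendered: the plaintext is for the app to use in memory,
    # the ciphertext is what the app should persist next to the data it encrypts.
    vault.hashicorp.com/agent-inject-template-pagination-key: |
      {{- with secret "transit/datakey/plaintext/test-pagination-key" "bits=256" -}}
      {"plaintext":"{{ .Data.plaintext }}","ciphertext":"{{ .Data.ciphertext }}"}
      {{- end -}}
# Vault policy attached to role "my-app" (HCL, shown here as a comment):
#   path "transit/datakey/plaintext/test-pagination-key" {
#     capabilities = ["update"]
#   }
```

Every render of this template generates a fresh data key (the agent re-renders non-leased secrets periodically), so the application must store the ciphertext with whatever it encrypted and recover the plaintext later through `transit/decrypt/test-pagination-key`, rather than assuming the file content is stable.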