Secret management

Configure secret management for your self-hosted platform

Overview

Platform Options

  • HashiCorp Vault
  • GCP Secret Manager
  • AWS Secret Manager

Key Features

  • Secrets management
  • Encryption key storage
  • Secure credentials handling
  • Private key management

Deployment options

GCP Secret Manager Setup

Enable the Secret Manager API

  • Go to Google Cloud Console
  • Navigate to Secret Manager
  • Enable the Secret Manager API for your project

Create Service Account

  • Navigate to IAM & Admin > Service Accounts
  • Create a new service account
  • Grant the following roles:
    • Secret Manager Admin

Download Credentials

  • Create and download a JSON key for the service account
  • Keep this file secure - you'll need it during platform installation

GCP Secret Manager provides:

  • Fully managed service
  • Automatic replication
  • Fine-grained IAM controls
  • Audit logging

Helm Chart Values:

# values.yaml for Helm installation
gcpSecretManager:
  # -- Enable Google Secret Manager integration
  enabled: true
  # -- The Google Cloud project ID
  projectId: "your-project-id"
  # -- The Google Cloud service account credentials JSON
  credentials: |
    {
      // Your service account JSON key
    }

Make sure to:

  1. Enable Google Secret Manager in your Helm values
  2. Use the same project ID and credentials as in your platform configuration
  3. Properly format the service account JSON credentials

HashiCorp Cloud Platform Setup

Create Vault Cluster

  • Sign up for HashiCorp Cloud
  • Choose Development tier (sufficient for most setups)
  • Select "Start from Scratch" template
  • Pick your preferred region

Configure Secret Engines

vault secrets enable -path=ethereum kv-v2
vault secrets enable -path=ipfs kv-v2
vault secrets enable -path=fabric kv-v2

Set Up Authentication

# Enable AppRole auth method
vault auth enable approle

# Create platform policy
vault policy write btp - <<EOF
path "ethereum/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "fabric/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "ipfs/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF

Create Platform Role

vault write auth/approle/role/platform-role \
    token_ttl=1h \
    token_max_ttl=4h \
    secret_id_ttl=0 \
    policies="btp"

Generate Credentials

# Get Role ID
vault read auth/approle/role/platform-role/role-id

# Generate Secret ID
vault write -force auth/approle/role/platform-role/secret-id

TTL Configuration

  • token_ttl: How long tokens are valid (e.g., 1h, 24h, 30m)
  • token_max_ttl: Maximum token lifetime including renewals
  • secret_id_ttl: How long secret IDs remain valid
    • Set to 0 for non-expiring secret IDs (the secret ID then never expires on its own, so rotation is entirely manual)
    • Or specify duration like 6h, 24h, 168h (1 week)
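To make the AppRole pieces above concrete, here is the exchange that the platform performs with the role ID and secret ID: a POST to Vault's `/v1/auth/approle/login` endpoint, a token TTL (`lease_duration`) that reflects `token_ttl`, the `btp` policy attached to the token, and a read from the `ethereum` KV v2 engine. This is an added example, not the platform's or HashiCorp's own code. The endpoint paths and response fields are Vault's HTTP API; `FakeVault`, the demo role/secret IDs and the stored secret are constructed so the block runs offline.

```python
"""AppRole login against Vault's HTTP API, as the platform must perform it.

Added example (not the platform's or HashiCorp's code). It is the HTTP form
of "vault write auth/approle/login role_id=... secret_id=...": log in, read the
client token and its TTL, confirm the "btp" policy from Set Up Authentication
is attached, then read a KV v2 secret under the "ethereum" engine. FakeVault
is a constructed stand-in so the block runs without a real cluster.
"""
from __future__ import annotations

import json
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

Transport = Callable[[str, str, dict, Optional[dict]], dict]


def http_transport(method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
    """Real transport: one JSON request to a Vault server using urllib."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:  # raises HTTPError on 4xx/5xx
        return json.load(resp)


@dataclass
class VaultSession:
    token: str
    ttl_seconds: int          # granted TTL; equals token_ttl on the role (1h above)
    policies: list[str]


def approle_login(addr: str, role_id: str, secret_id: str, namespace: Optional[str] = None,
                  transport: Transport = http_transport) -> VaultSession:
    # HCP Vault clusters require the namespace header ("admin" per the values above).
    headers = {"X-Vault-Namespace": namespace} if namespace else {}
    resp = transport("POST", f"{addr.rstrip('/')}/v1/auth/approle/login", headers,
                     {"role_id": role_id, "secret_id": secret_id})
    auth = resp["auth"]
    session = VaultSession(auth["client_token"], int(auth["lease_duration"]), list(auth["token_policies"]))
    # Without the platform policy every read of ethereum/*, ipfs/* and fabric/* is a 403.
    if "btp" not in session.policies:
        raise PermissionError(f"token lacks the btp policy, got {session.policies}")
    return session


def read_kv2(addr: str, session: VaultSession, mount: str, path: str,
             namespace: Optional[str] = None, transport: Transport = http_transport) -> dict:
    """Read the latest version of a KV v2 secret at <mount>/data/<path>."""
    headers = {"X-Vault-Token": session.token}
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    resp = transport("GET", f"{addr.rstrip('/')}/v1/{mount}/data/{path}", headers, None)
    return resp["data"]["data"]


class FakeVault:
    """Constructed in-memory stand-in for an HCP Vault cluster (offline demo only)."""

    def __init__(self, role_id: str, secret_id: str):
        self.role_id, self.secret_id = role_id, secret_id
        self.tokens: dict[str, list[str]] = {}
        self.kv = {"ethereum/data/node-1": {"rpc_token": "demo-value-not-a-real-secret"}}

    def __call__(self, method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
        if headers.get("X-Vault-Namespace") != "admin":
            raise PermissionError("HCP Vault requires the admin namespace")
        path = url.split("/v1/", 1)[1]
        if method == "POST" and path == "auth/approle/login":
            creds = body or {}
            if creds.get("role_id") != self.role_id or creds.get("secret_id") != self.secret_id:
                raise PermissionError("invalid role or secret ID")
            token = f"hvs.demo-{len(self.tokens)}"
            self.tokens[token] = ["btp", "default"]
            return {"auth": {"client_token": token, "lease_duration": 3600,
                             "renewable": True, "token_policies": self.tokens[token]}}
        if method == "GET" and path in self.kv and headers.get("X-Vault-Token") in self.tokens:
            return {"data": {"data": self.kv[path], "metadata": {"version": 1}}}
        raise PermissionError(f"{method} {path} denied")


def demo() -> dict:
    """Log in to the fake cluster with the role's credentials and read one secret."""
    fake = FakeVault(role_id="demo-role-id", secret_id="demo-secret-id")
    addr = "https://vault-cluster.hashicorp.cloud:8200"
    session = approle_login(addr, "demo-role-id", "demo-secret-id", namespace="admin", transport=fake)
    assert session.ttl_seconds == 3600  # token_ttl=1h from platform-role
    return read_kv2(addr, session, "ethereum", "node-1", namespace="admin", transport=fake)


if __name__ == "__main__":
    print(demo())
```

Against a real cluster, pass the HCP address and `namespace="admin"` with the default `http_transport`; a missing namespace header or a token without the `btp` policy fails before any secret is read, which is the failure mode the Validation section's `vault write auth/approle/login` check is meant to catch.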

HCP Vault provides:

  • Managed infrastructure
  • Automatic updates
  • Built-in high availability
  • Professional support

Helm Chart Installation

Install Vault

helm upgrade --install vault vault \
  --repo https://helm.releases.hashicorp.com \
  --namespace vault \
  --create-namespace

Initialize Vault

# Initialize and save keys
kubectl exec vault-0 -n vault -- vault operator init \
  -key-shares=1 \
  -key-threshold=1

# Unseal Vault (replace with your key)
kubectl exec vault-0 -n vault -- vault operator unseal $VAULT_UNSEAL_KEY

Configure Vault

Follow the same configuration steps as for HCP Vault (Configure Secret Engines, Set Up Authentication, Create Platform Role and Generate Credentials) after logging in with the root token.

For Production Use:

  • Use multiple key shares
  • Configure proper storage backend
  • Set up high availability
  • Implement proper unsealing strategy

AWS Secret Manager Setup

Create IAM User

  • Go to AWS IAM Console
  • Create a new IAM user
  • Grant the following permissions:
    • secretsmanager:CreateSecret
    • secretsmanager:GetSecretValue
    • secretsmanager:PutSecretValue
    • secretsmanager:DeleteSecret
    • secretsmanager:ListSecrets

Generate Access Keys

  • In the IAM console, select your user
  • Go to "Security credentials" tab
  • Create new access key
  • Save both the Access Key ID and Secret Access Key

AWS Secret Manager provides:

  • Regional availability
  • Automatic encryption
  • Fine-grained IAM controls
  • AWS CloudTrail integration

Helm Chart Values:

# values.yaml for Helm installation
awsSecretManager:
  # -- Enable AWS Secret Manager integration
  enabled: true
  # -- The AWS region
  region: 'us-east-1'
  # -- The AWS access key ID
  accessKeyId: 'your-access-key-id'
  # -- The AWS secret access key
  secretAccessKey: 'your-secret-access-key'

Information collection

Required values for platform installation

Choose one of the following configurations for your Helm values:

For GCP Secret Manager:

  • GCP Project ID
  • Service Account JSON key

# Values.yaml
vault:
  enabled: false
awsSecretManager:
  enabled: false
gcpSecretManager:
  enabled: true
  projectId: "your-project-id"
  credentials: |
    {
      // Your service account JSON key
    }

For HashiCorp Vault:

  • Vault address/endpoint
  • Role ID
  • Secret ID
  • Namespace (if using HCP Vault: admin)

# Values.yaml
gcpSecretManager:
  enabled: false
awsSecretManager:
  enabled: false
vault:
  enabled: true
  address: "https://vault-cluster.hashicorp.cloud:8200"
  namespace: "admin" # Required for HCP Vault
  roleId: "your-role-id"
  secretId: "your-secret-id"

For AWS Secret Manager:

  • AWS Region
  • AWS Access Key ID
  • AWS Secret Access Key

# Values.yaml
vault:
  enabled: false
gcpSecretManager:
  enabled: false
awsSecretManager:
  enabled: true
  region: "your-aws-region"
  accessKeyId: "your-access-key-id"
  secretAccessKey: "your-secret-access-key"

Make sure to:

  1. Enable only one secret management solution
  2. Explicitly disable all other secret management options by setting enabled: false
  3. Provide all required values for your chosen solution
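The three rules above (one backend enabled, the others explicitly disabled, all required values supplied) and the earlier note about properly formatted service-account JSON are easy to get wrong in a hand-edited values file. The following pre-install check is an added example, not the platform's own tooling: it takes the parsed values and reports every violation. The values keys are those shown on this page; the function names, error strings, the `your-` placeholder heuristic and the sample values are this example's own, and the embedded service-account key is a constructed fake.

```python
"""Pre-install check for the secret-management section of a Helm values file.

Added example (not the platform's code). Rules encoded: exactly one of
vault / gcpSecretManager / awsSecretManager enabled, every other backend
explicitly set to enabled: false, all required values for the chosen backend
present and not left at a "your-..." template placeholder, and a GCP
credentials block that parses as a service-account JSON key.
"""
from __future__ import annotations

import json
import re
from typing import Any, Optional

BACKENDS = ("vault", "gcpSecretManager", "awsSecretManager")

# Required keys per backend, from the "Required values" lists on this page.
REQUIRED = {
    "vault": ("address", "roleId", "secretId"),
    "gcpSecretManager": ("projectId", "credentials"),
    "awsSecretManager": ("region", "accessKeyId", "secretAccessKey"),
}

# Values copied verbatim from the templates look like "your-project-id".
PLACEHOLDER = re.compile(r"^your-", re.IGNORECASE)

# Fields every downloaded GCP service-account key file carries.
SA_KEY_FIELDS = ("type", "project_id", "private_key", "client_email")


def _missing_or_placeholder(section: dict, key: str) -> Optional[str]:
    value = section.get(key)
    if value in (None, ""):
        return f"{key} is missing"
    if isinstance(value, str) and PLACEHOLDER.match(value.strip()):
        return f"{key} still has a placeholder value"
    return None


def _check_gcp_credentials(raw: str, project_id: str) -> list[str]:
    """The credentials block must be the service-account JSON, not a stub with comments."""
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"credentials is not valid JSON: {exc.msg}"]
    errors = [f"credentials lacks field {f!r}" for f in SA_KEY_FIELDS if f not in key]
    if not errors:
        if key["type"] != "service_account":
            errors.append("credentials type is not 'service_account'")
        if key["project_id"] != project_id:
            errors.append("credentials project_id does not match projectId")
        if "BEGIN PRIVATE KEY" not in key["private_key"]:
            errors.append("credentials private_key is not a PEM private key")
    return errors


def validate_secret_management(values: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the section is usable."""
    errors: list[str] = []
    enabled = []
    for name in BACKENDS:
        section = values.get(name)
        if not isinstance(section, dict) or "enabled" not in section:
            errors.append(f"{name}.enabled must be set explicitly (true or false)")
            continue
        if section["enabled"] is True:
            enabled.append(name)
        elif section["enabled"] is not False:
            errors.append(f"{name}.enabled must be a boolean")
    if len(enabled) != 1:
        errors.append(f"exactly one backend must be enabled, found {enabled or 'none'}")
        return errors
    chosen = enabled[0]
    section = values[chosen]
    for key in REQUIRED[chosen]:
        problem = _missing_or_placeholder(section, key)
        if problem:
            errors.append(f"{chosen}.{problem}")
    if chosen == "vault" and not errors:
        # HCP Vault clusters need the "admin" namespace (marked Required for HCP Vault above).
        if "hashicorp.cloud" in section["address"] and section.get("namespace") != "admin":
            errors.append("vault.namespace must be 'admin' for an HCP Vault address")
        if not section["address"].startswith("https://"):
            errors.append("vault.address should use https")
    if chosen == "gcpSecretManager" and not errors:
        errors.extend(f"gcpSecretManager.{e}"
                      for e in _check_gcp_credentials(section["credentials"], section["projectId"]))
    return errors


# Constructed sample: a filled-in GCP configuration; the key material is fake.
SAMPLE_GCP_VALUES = {
    "vault": {"enabled": False},
    "awsSecretManager": {"enabled": False},
    "gcpSecretManager": {
        "enabled": True,
        "projectId": "demo-project",
        "credentials": json.dumps({
            "type": "service_account",
            "project_id": "demo-project",
            "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
            "client_email": "platform@demo-project.iam.gserviceaccount.com",
        }),
    },
}

if __name__ == "__main__":
    import sys
    values = SAMPLE_GCP_VALUES
    if len(sys.argv) > 1:  # pass a real values.yaml (needs PyYAML)
        import yaml
        with open(sys.argv[1]) as fh:
            values = yaml.safe_load(fh)
    problems = validate_secret_management(values)
    print("\n".join(problems) if problems else "secret management config OK")
```

Run it against the real file (`python check_values.py values.yaml`) before `helm upgrade --install`; a non-empty report means the install would either start with no secret backend, with two competing ones, or with credentials the platform cannot parse.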

Validation

For GCP Secret Manager:

# Set environment variables
export GOOGLE_APPLICATION_CREDENTIALS="path/to/service-account.json"
export PROJECT_ID="your-project-id"

# Verify access
gcloud secrets list --project=$PROJECT_ID

For HashiCorp Vault:

# Set environment variables
export VAULT_ADDR="your-vault-address"
export VAULT_NAMESPACE="admin"  # For HCP Vault
export VAULT_ROLE_ID="your-role-id"
export VAULT_SECRET_ID="your-secret-id"

# Verify access
vault write auth/approle/login \
  role_id=$VAULT_ROLE_ID \
  secret_id=$VAULT_SECRET_ID

For AWS Secret Manager:

# Set environment variables
export AWS_ACCESS_KEY_ID="your-access-key-id"
export AWS_SECRET_ACCESS_KEY="your-secret-access-key"
export AWS_REGION="your-aws-region"

# Verify access (requires AWS CLI)
aws secretsmanager list-secrets

Troubleshooting

GCP Secret Manager Issues

  • Verify service account permissions
  • Check credentials file format
  • Confirm API is enabled
  • Validate project ID

AWS Secret Manager Issues

  • Verify IAM permissions
  • Check access key validity
  • Confirm region setting
  • Validate network access

Need help? Contact [email protected] if you encounter any issues.