Launching the Platform/Self-hosted: On-prem/Prerequisites
Secret management
Configure secret management for your self-hosted platform
Overview
Platform Options
- HashiCorp Vault
- GCP Secret Manager
- AWS Secret Manager
Key Features
- Secrets management
- Encryption key storage
- Secure credentials handling
- Private key management
Deployment options
GCP Secret Manager Setup
Enable the Secret Manager API
- Go to Google Cloud Console
- Navigate to Secret Manager
- Enable the Secret Manager API for your project
Create Service Account
- Navigate to IAM & Admin > Service Accounts
- Create a new service account
- Grant the following roles:
Secret Manager Admin
Download Credentials
- Create and download a JSON key for the service account
- Keep this file secure - you'll need it during platform installation
GCP Secret Manager provides:
- Fully managed service
- Automatic replication
- Fine-grained IAM controls
- Audit logging
Helm Chart Values:
# values.yaml for Helm installation
gcpSecretManager:
# -- Enable Google Secret Manager integration
enabled: true
# -- The Google Cloud project ID
projectId: "your-project-id"
# -- The Google Cloud service account credentials JSON
credentials: |
{
// Your service account JSON key
}Make sure to:
- Enable Google Secret Manager in your Helm values
- Use the same project ID and credentials as in your platform configuration
- Properly format the service account JSON credentials
HashiCorp Cloud Platform Setup
Create Vault Cluster
- Sign up for HashiCorp Cloud
- Choose Development tier (sufficient for most setups)
- Select "Start from Scratch" template
- Pick your preferred region
Configure Secret Engines
vault secrets enable -path=ethereum kv-v2
vault secrets enable -path=ipfs kv-v2
vault secrets enable -path=fabric kv-v2Set Up Authentication
# Enable AppRole auth method
vault auth enable approle
# Create platform policy
vault policy write btp - <<EOF
path "ethereum/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "fabric/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "ipfs/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
EOFCreate Platform Role
vault write auth/approle/role/platform-role \
token_ttl=1h \
token_max_ttl=4h \
secret_id_ttl=0 \
policies="btp"Generate Credentials
# Get Role ID
vault read auth/approle/role/platform-role/role-id
# Generate Secret ID
vault write -force auth/approle/role/platform-role/secret-idTTL Configuration
token_ttl: How long tokens are valid (e.g.,1h,24h,30m)token_max_ttl: Maximum token lifetime including renewalssecret_id_ttl: How long secret IDs remain valid- Set to
0for non-expiring secret IDs - Or specify duration like
6h,24h,168h(1 week)
- Set to
HCP Vault provides:
- Managed infrastructure
- Automatic updates
- Built-in high availability
- Professional support
Helm Chart Installation
Install Vault
helm upgrade --install vault vault \
--repo https://helm.releases.hashicorp.com \
--namespace vault \
--create-namespaceInitialize Vault
# Initialize and save keys
kubectl exec vault-0 -n vault -- vault operator init \
-key-shares=1 \
-key-threshold=1
# Unseal Vault (replace with your key)
kubectl exec vault-0 -n vault -- vault operator unseal $VAULT_UNSEAL_KEYConfigure Vault
Follow the same configuration steps as HCP Vault (steps 2-5) after logging in with the root token.
For Production Use:
- Use multiple key shares
- Configure proper storage backend
- Set up high availability
- Implement proper unsealing strategy
AWS Secret Manager Setup
Create IAM User
- Go to AWS IAM Console
- Create a new IAM user
- Grant the following permissions:
secretsmanager:CreateSecretsecretsmanager:GetSecretValuesecretsmanager:PutSecretValuesecretsmanager:DeleteSecretsecretsmanager:ListSecrets
Generate Access Keys
- In the IAM console, select your user
- Go to "Security credentials" tab
- Create new access key
- Save both the Access Key ID and Secret Access Key
AWS Secret Manager provides:
- Regional availability
- Automatic encryption
- Fine-grained IAM controls
- AWS CloudTrail integration
Helm Chart Values:
# values.yaml for Helm installation
awsSecretManager:
# -- Enable AWS Secret Manager integration
enabled: true
# -- The AWS region
region: 'us-east-1'
# -- The AWS access key ID
accessKeyId: 'your-access-key-id'
# -- The AWS secret access key
secretAccessKey: 'your-secret-access-key'Information collection
Required values for platform installation
Choose one of the following configurations for your Helm values:
For GCP Secret Manager:
- GCP Project ID
- Service Account JSON key
# Values.yaml
vault:
enabled: false
awsSecretManager:
enabled: false
gcpSecretManager:
enabled: true
projectId: "your-project-id"
credentials: |
{
// Your service account JSON key
}For HashiCorp Vault:
- Vault address/endpoint
- Role ID
- Secret ID
- Namespace (if using HCP Vault:
admin)
# Values.yaml
googleSecretManager:
enabled: false
awsSecretManager:
enabled: false
vault:
enabled: true
address: "https://vault-cluster.hashicorp.cloud:8200"
namespace: "admin" # Required for HCP Vault
roleId: "your-role-id"
secretId: "your-secret-id"For AWS Secret Manager:
- AWS Region
- AWS Access Key ID
- AWS Secret Access Key
# Values.yaml
vault:
enabled: false
gcpSecretManager:
enabled: false
awsSecretManager:
enabled: true
region: "your-aws-region"
accessKeyId: "your-access-key-id"
secretAccessKey: "your-secret-access-key"Make sure to:
- Enable only one secret management solution
- Explicitly disable all other secret management options by setting
enabled: false - Provide all required values for your chosen solution
Validation
# Set environment variables
export GOOGLE_APPLICATION_CREDENTIALS="path/to/service-account.json"
export PROJECT_ID="your-project-id"
# Verify access
gcloud secrets list --project=$PROJECT_ID# Set environment variables
export VAULT_ADDR="your-vault-address"
export VAULT_NAMESPACE="admin" # For HCP Vault
export VAULT_ROLE_ID="your-role-id"
export VAULT_SECRET_ID="your-secret-id"
# Verify access
vault write auth/approle/login \
role_id=$VAULT_ROLE_ID \
secret_id=$VAULT_SECRET_ID# Set environment variables
export AWS_ACCESS_KEY_ID="your-access-key-id"
export AWS_SECRET_ACCESS_KEY="your-secret-access-key"
export AWS_REGION="your-aws-region"
# Verify access (requires AWS CLI)
aws secretsmanager list-secretsTroubleshooting
GCP Secret Manager Issues
- Verify service account permissions
- Check credentials file format
- Confirm API is enabled
- Validate project ID
Vault Issues - Verify Vault address - Check network access - Confirm TLS
settings - Validate namespace (HCP)
AWS Secret Manager Issues
- Verify IAM permissions
- Check access key validity
- Confirm region setting
- Validate network access
Need help? Contact [email protected] if you encounter any issues.