> ## Documentation Index
> Fetch the complete documentation index at: https://infisical-test-ldap-connection.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# HashiCorp Vault

> How to sync secrets from Infisical to HashiCorp Vault

<Note>
  Infisical connects to Vault via the AppRole auth method.

  Currently, each Infisical project can only point and sync secrets to one Vault cluster / namespace
  but with unlimited integrations to different paths within it.

  This tutorial makes use of Vault's UI but, in principle, instructions can executed via
  Vault CLI or API call.

  Lastly, you should note that we provide a simple use-case and, in practice, you should adapt and extend it to your own Vault use-case and follow best practices, for instance when defining fine-grained ACL policies.
</Note>

Prerequisites:

* Set up and add envars to [Infisical Cloud](https://app.infisical.com)
* Have experience with [HashiCorp Vault](https://www.vaultproject.io/).

## Navigate to your project's integrations tab

![integrations](https://mintlify.s3-us-west-1.amazonaws.com/infisical-test-ldap-connection/images/integrations.png)

## Prepare Vault

This section mirrors the latter parts of the [Vault quickstart](https://developer.hashicorp.com/vault/tutorials/cloud/getting-started-intro) provided by HashiCorp and uses sample names/values for demonstration.

To begin, navigate to the cluster / namespace that you want to sync secrets to in Vault; we'll use the default `admin` namespace (in practice, we recommend creating a namespace and not using the default `admin` namespace).

### Enable KV Secrets Engine

In Secrets, enable a KV Secrets Engine at a path for Infisical to sync secrets to; we'll use the path `kv`.

![integrations hashicorp vault secrets engine](https://mintlify.s3-us-west-1.amazonaws.com/infisical-test-ldap-connection/images/integrations/hashicorp-vault/integrations-hashicorp-vault-engine-1.png)
![integrations hashicorp vault secrets engine](https://mintlify.s3-us-west-1.amazonaws.com/infisical-test-ldap-connection/images/integrations/hashicorp-vault/integrations-hashicorp-vault-engine-2.png)
![integrations hashicorp vault secrets engine](https://mintlify.s3-us-west-1.amazonaws.com/infisical-test-ldap-connection/images/integrations/hashicorp-vault/integrations-hashicorp-vault-engine-3.png)

### Enable the AppRole auth method

In Access > Auth Methods, enable the AppRole auth method.

![integrations hashicorp vault access](https://mintlify.s3-us-west-1.amazonaws.com/infisical-test-ldap-connection/images/integrations/hashicorp-vault/integrations-hashicorp-vault-access-1.png)
![integrations hashicorp vault access](https://mintlify.s3-us-west-1.amazonaws.com/infisical-test-ldap-connection/images/integrations/hashicorp-vault/integrations-hashicorp-vault-access-2.png)
![integrations hashicorp vault access](https://mintlify.s3-us-west-1.amazonaws.com/infisical-test-ldap-connection/images/integrations/hashicorp-vault/integrations-hashicorp-vault-access-3.png)

### Create an ACL Policy

Now in Policies, create a new ACL policy scoped to the path(s) you wish Infisical to be able to sync secrets to.

We'll call the policy `test` and have it grant access to the `dev` path in the KV Secrets Engine where we will be syncing secrets to from Infisical.

```console
path "kv/data/dev" {
  capabilities = [ "create", "read", "update" ]
}

path "sys/namespaces/*" {
   capabilities = [ "create", "read", "update", "delete", "list" ]
}
```

<Note>
  `kv` comes from the path of the KV Secrets Engine that we enabled and `dev` is the chosen path within it
  that we want to sync secrets to.
</Note>

![integrations hashicorp vault policy](https://mintlify.s3-us-west-1.amazonaws.com/infisical-test-ldap-connection/images/integrations/hashicorp-vault/integrations-hashicorp-vault-policy-1.png)
![integrations hashicorp vault policy](https://mintlify.s3-us-west-1.amazonaws.com/infisical-test-ldap-connection/images/integrations/hashicorp-vault/integrations-hashicorp-vault-policy-2.png)
![integrations hashicorp vault policy](https://mintlify.s3-us-west-1.amazonaws.com/infisical-test-ldap-connection/images/integrations/hashicorp-vault/integrations-hashicorp-vault-policy-3.png)

### Create a role with the policy attached

We now create a `infisical` role with the generated token's time-to-live (TTL) set to 1 hour and can be renewed for up to 4 hours from the time of its creation.

1. Click the Vault CLI shell icon (`>_`) to open a command shell in the browser.

![integrations hashicorp vault shell](https://mintlify.s3-us-west-1.amazonaws.com/infisical-test-ldap-connection/images/integrations/hashicorp-vault/integrations-hashicorp-vault-shell.png)

2. Copy the command below.

```console
vault write auth/approle/role/infisical token_policies="test" token_ttl=1h token_max_ttl=4h
```

3. Paste the command into the command shell in the browser and press the enter button.

### Generate a RoleID and SecretID

Finally, we need to generate a **RoleID** and **SecretID** (like a username and password) that Infisical can use
to authenticate with Vault.

1. Click the Vault CLI shell icon (>\_) again to open a command shell.

2. Read the RoleID.

```console
vault read auth/approle/role/infisical/role-id
```

Example output:

```console
Key     Value
role_id b6ccdcca-183b-ce9c-6b98-b556b9a0edb9
```

3. Generate a new SecretID of the `infisical` role.

```console
vault write -force auth/approle/role/infisical/secret-id
```

Example output:

```console
Key                Value
secret_id          735a47cc-7a98-77cc-0128-12b1e96a4157
secret_id_accessor 3ab305d1-1eab-df4b-4079-ef7135635c49
...snip...
```

Great. We're now ready to connect Infisical to Vault!

## Enter your Vault instance and authentication details

Back in Infisical, press on the HashiCorp Vault tile and input your Vault instance and `infisical` role RoleID and SecretID.

![integrations hashicorp vault authorization](https://mintlify.s3-us-west-1.amazonaws.com/infisical-test-ldap-connection/images/integrations/hashicorp-vault/integrations-hashicorp-vault-auth.png)

For additional details on each field:

* Vault Cluster URL: The address of your cluster, either HCP or self-hosted.

If using HCP, you can copy your Cluster URL in the Cluster Overview:

![integrations hashicorp vault cluster URL](https://mintlify.s3-us-west-1.amazonaws.com/infisical-test-ldap-connection/images/integrations/hashicorp-vault/integrations-hashicorp-vault-cluster-url.png)

* Vault Namespace: The Vault namespace you wish to connect to.
* Vault RoleID: The RoleID previously created for the `infisical` role.
* Vault SecretID: The SecretID previously created for the `infisical` role.

## Start integration

Select which Infisical environment secrets you want to sync to Vault.

For additional details on each field:

* Vault KV Secrets Engine Path: the path at which you enabled the intended KV Secrets Engine; in this demonstration, we used `kv`.
* Vault Secret(s) Path: the path in the KV Secrets Engine that you wish to sync secrets to.

Press create integration to start syncing secrets to Vault.

![integrations hashicorp vault](https://mintlify.s3-us-west-1.amazonaws.com/infisical-test-ldap-connection/images/integrations/hashicorp-vault/integrations-hashicorp-vault-create.png)
![integrations hashicorp vault](https://mintlify.s3-us-west-1.amazonaws.com/infisical-test-ldap-connection/images/integrations/hashicorp-vault/integrations-hashicorp-vault.png)
