HashiCorp Vault Onboarding
This section describes how to connect HashiCorp Vault to SailPoint Entro using a read-only ACL policy and access token.
Navigation Path
Management → Accounts & Integrations → Add New Account (top right) → HashiCorp Vault
To connect HashiCorp Vault to SailPoint Entro:
-
Create an ACL Policy
Define a new Vault ACL policy for SailPoint Entro with minimal read permissions:
path "*" { capabilities = ["list", "read"] } path "auth/token/lookup-accessor" { capabilities = ["update"] } path "auth/token/accessors" { capabilities = ["list", "sudo"] } path "auth/token/renew-self" { capabilities = ["update"] }Note
These capabilities allow SailPoint Entro to list and read metadata, manage its authentication session, and ensure token renewal without exposing secret content.
-
Create a Token for SailPoint Entro
Run the following command to create a token using the newly defined policy:
vault token create -policy="entro-policy" -no-default-policy=1 -ttl="30d" -period="30d" -renewable=1For older versions of HashiCorp Vault, use this alternate command (TTL in seconds):
vault token create -policy="entro-policy" -no-default-policy=1 -ttl=432000 -period=432000 -renewable=1Copy the token value and store it securely. You will enter it in SailPoint Entro's onboarding form.
-
Connect Vault to SailPoint Entro
In the SailPoint Entro Dashboard:
-
Navigate to Management → Accounts & Integrations → Add New Account → HashiCorp Vault
-
Enter the following fields:
Field Description Vault Server URL The URL or IP address (including port) of your Vault instance Access Token The token generated in the previous step Environment Nickname A descriptive name for this Vault integration Worker Group (Connector) Select the appropriate Worker Group handling Vault scans -
Select Create Account.
-
SailPoint Entro validates access and begins metadata analysis.
-
Security & Compliance Notes
- Tokens encrypted using AES-256 within SailPoint Entro's Worker Group
- Communication secured via TLS 1.2+
- Integration operates in read-only mode
- Fully compliant with SOC 2 Type II, ISO 27001, and GDPR