Skip to content

HashiCorp Vault Onboarding

This section describes how to connect HashiCorp Vault to SailPoint Entro using a read-only ACL policy and access token.


Management → Accounts & Integrations → Add New Account (top right) → HashiCorp Vault


To connect HashiCorp Vault to SailPoint Entro:

  1. Create an ACL Policy

    Define a new Vault ACL policy for SailPoint Entro with minimal read permissions:

    path "*" {
      capabilities = ["list", "read"]
    }
    path "auth/token/lookup-accessor" {
      capabilities = ["update"]
    }
    path "auth/token/accessors" {
      capabilities = ["list", "sudo"]
    }
    path "auth/token/renew-self" {
      capabilities = ["update"]
    }
    

    Note

    These capabilities allow SailPoint Entro to list and read metadata, manage its authentication session, and ensure token renewal without exposing secret content.

  2. Create a Token for SailPoint Entro

    Run the following command to create a token using the newly defined policy:

    vault token create -policy="entro-policy" -no-default-policy=1 -ttl="30d" -period="30d" -renewable=1
    

    For older versions of HashiCorp Vault, use this alternate command (TTL in seconds):

    vault token create -policy="entro-policy" -no-default-policy=1 -ttl=432000 -period=432000 -renewable=1
    

    Copy the token value and store it securely. You will enter it in SailPoint Entro's onboarding form.

  3. Connect Vault to SailPoint Entro

    In the SailPoint Entro Dashboard:

    • Navigate to Management → Accounts & Integrations → Add New Account → HashiCorp Vault

    • Enter the following fields:

    Field Description
    Vault Server URL The URL or IP address (including port) of your Vault instance
    Access Token The token generated in the previous step
    Environment Nickname A descriptive name for this Vault integration
    Worker Group (Connector) Select the appropriate Worker Group handling Vault scans
    • Select Create Account.

    • SailPoint Entro validates access and begins metadata analysis.


Security & Compliance Notes

  • Tokens encrypted using AES-256 within SailPoint Entro's Worker Group
  • Communication secured via TLS 1.2+
  • Integration operates in read-only mode
  • Fully compliant with SOC 2 Type II, ISO 27001, and GDPR