13 Storage of secrets
Overview
Zabbix can keep the following secrets in Vault:
- user macro values
- database access credentials
Zabbix provides read-only access to the secrets in Vault, assuming that the secrets themselves are managed by someone else.
User macro values
User macro values can be stored secretly in Vault.
A “Vault secret” value of a user macro contains a reference path (in the form ‘path:key’, for example “secret/zabbix:password”).
The following commands may be used to set the value for the path mentioned in the example:
It is also possible to trigger a refresh of secret values from Vault using the ‘secrets_reload’ command-line option.
Zabbix proxy never communicates with Vault to get any secrets other than database credentials. Secret values on Zabbix proxy are retrieved from Zabbix server on each configuration sync and stored in the configuration cache the same way as on Zabbix server.
That means a Zabbix proxy cannot start data collection after a restart until it receives the configuration data update from Zabbix server for the first time. Encryption must be enabled between Zabbix server and proxy; otherwise a warning message is logged on the server.
Database credentials
Database credentials used by Zabbix server, proxies and the frontend can be stored secretly in Vault:
- For server/proxy, the VaultDBPath configuration parameter specifies the path from which the database credentials are retrieved, using the keys ‘password’ and ‘username’ (for example: secret/zabbix/database).
The following commands may be used to set the values for the path mentioned in the example:
Configuration parameters
For Zabbix server/proxy, new configuration parameters have been added for Vault authentication and for retrieving database credentials:
- VaultToken - Vault authentication token (see the Zabbix server/proxy configuration file for details)
- VaultURL - Vault server HTTP[S] URL
Zabbix server and Zabbix proxy read the Vault-related configuration parameters from zabbix_server.conf and zabbix_proxy.conf upon startup.
Zabbix server and Zabbix proxy will additionally read the “VAULT_TOKEN” environment variable once during startup and then unset it, so that it is not available to forked scripts; it is an error if both VaultToken and VAULT_TOKEN contain a value.
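The following is an added example (not Zabbix code) that models three rules from this page: parsing a ‘path:key’ macro reference, retrieving database credentials by the ‘username’ and ‘password’ keys under VaultDBPath, and the VaultToken/VAULT_TOKEN precedence rule (environment variable consumed and unset, error if both are set). The Vault contents are a constructed in-memory dictionary standing in for a real Vault; the function names are hypothetical.

```python
import re
from typing import Dict, Tuple

# A Zabbix "Vault secret" macro value is "<path>:<key>", e.g. "secret/zabbix:password".
_REF_RE = re.compile(r"^(?P<path>[^:]+):(?P<key>[^:]+)$")

# Constructed sample Vault contents (path -> {key: value}); not real secrets.
SAMPLE_VAULT: Dict[str, Dict[str, str]] = {
    "secret/zabbix": {"password": "m4cro-s3cret"},
    "secret/zabbix/database": {"username": "zabbix", "password": "db-s3cret"},
}


def parse_secret_reference(ref: str) -> Tuple[str, str]:
    """Split a 'path:key' reference; reject anything that does not fit the form."""
    m = _REF_RE.match(ref)
    if not m:
        raise ValueError(f"invalid Vault secret reference {ref!r}: expected 'path:key'")
    return m.group("path"), m.group("key")


def resolve_secret(ref: str, vault: Dict[str, Dict[str, str]]) -> str:
    """Read-only lookup of one key at one path (Zabbix never writes to Vault)."""
    path, key = parse_secret_reference(ref)
    try:
        return vault[path][key]
    except KeyError:
        raise LookupError(f"no value for {ref!r} in Vault") from None


def load_db_credentials(vault_db_path: str, vault: Dict[str, Dict[str, str]]) -> Tuple[str, str]:
    """VaultDBPath semantics: credentials are fetched by the fixed keys 'username' and 'password'."""
    return (resolve_secret(f"{vault_db_path}:username", vault),
            resolve_secret(f"{vault_db_path}:password", vault))


def load_vault_token(config: Dict[str, str], environ: Dict[str, str]) -> str:
    """Token from VaultToken (config) or VAULT_TOKEN (environment), never both.

    The environment variable is removed so that forked scripts do not inherit it.
    """
    cfg_token = config.get("VaultToken", "")
    env_token = environ.pop("VAULT_TOKEN", "")  # read once, then unset
    if cfg_token and env_token:
        raise ValueError("both VaultToken and VAULT_TOKEN contain a value")
    token = cfg_token or env_token
    if not token:
        raise ValueError("no Vault token configured (set VaultToken or VAULT_TOKEN)")
    return token
```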
Configuring TLS
A certificate signed by a certificate authority (CA) should be added to the default CA store. Alternatively, a custom CA store location can be specified using the SSLCALocation configuration parameter; note that in this case the certificate directory must be prepared using the openssl c_rehash utility. For example, configure SSLCALocation, copy “ca.pem” into that directory, then run the following command: