HashiCorp configuration
The vault should be deployed and configured as per the official HashiCorp documentation.
To learn about configuring TLS in Zabbix, see section.
Access to a secret with database credentials is configured for each Zabbix component separately.
Server and proxies
To obtain database credentials for Zabbix server or proxy from the vault, specify the following configuration parameters in the configuration file:
- Vault - specifies which vault provider should be used.
- VaultToken - vault authentication token (see Zabbix server/proxy configuration file for details).
- VaultDBPath - path to the vault secret containing database credentials. Zabbix server or proxy will retrieve the credentials by keys ‘password’ and ‘username’.
Zabbix server also uses these configuration parameters (except VaultDBPath) for vault authentication when processing vault secret macros.
Zabbix server and Zabbix proxy read the vault-related configuration parameters from zabbix_server.conf and zabbix_proxy.conf upon startup.
Example
In zabbix_server.conf, specify:
Run the following CLI commands to create the required secret in the vault:
As a result of this configuration, Zabbix server will retrieve the following credentials for database authentication:
- Username: zabbix
- Password: <password>
Frontend
To obtain database credentials for Zabbix frontend from the vault, specify required settings during frontend .
At the Configure DB Connection step, set Store credentials in parameter to HashiCorp Vault.
Then, fill in additional parameters:
User macro values
- Zabbix server must be configured to work with HashiCorp Vault (see the Server and proxies section above).
The macro value should contain a reference path (as , for example, ). The authentication token specified during Zabbix server configuration (by the ‘VaultToken’ parameter) must provide read-only access to this path.
See Vault secret macros for detailed information about macro value processing by Zabbix.
Path syntax
The symbols forward slash and colon are reserved. A forward slash can only be used to separate a mount point from a path (e.g. secret/zabbix, where the mount point is “secret” and “zabbix” is the path) and, in the case of Vault macros, a colon can only be used to separate a path/query from a key. It is possible to URL-encode “/” and “:” if there is a need to create a mount point with a name that contains a forward slash (e.g. foo/bar/zabbix, where the mount point is “foo/bar” and the path is “zabbix”, written as “foo%2Fbar/zabbix”) or if a mount point name or path needs to contain a colon.
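The following helper is an added illustration of the path rules above (it is not Zabbix code): it splits a VaultDBPath value or a Vault-secret macro value into mount point, path and key, treating only unencoded “/” and “:” as separators and URL-decoding each component afterwards. The names VaultRef and parse_vault_ref are assumptions, as is the choice to take the segment before the first unencoded “/” as the mount point.

```python
"""Split Zabbix Vault references (VaultDBPath or macro values) into parts.

Assumed helper, not part of Zabbix: the mount point is the segment before
the first unencoded "/", a macro value carries exactly one unencoded ":"
separating path from key, and "%2F" / "%3A" inside a component decode
to literal "/" / ":" after the split.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class VaultRef:
    mount: str           # KV mount point, e.g. "secret"
    path: str            # secret path under the mount, e.g. "zabbix"
    key: Optional[str]   # key inside the secret; None for VaultDBPath


def parse_vault_ref(value: str, expect_key: bool) -> VaultRef:
    """Parse a VaultDBPath (expect_key=False) or a Vault-secret macro
    value of the form path:key (expect_key=True)."""
    if expect_key:
        # A single unencoded colon separates the path from the key.
        if value.count(":") != 1:
            raise ValueError("macro value must contain exactly one ':'")
        location, key = value.split(":")
        if not key:
            raise ValueError("empty key after ':'")
    else:
        if ":" in value:
            raise ValueError("VaultDBPath must not contain ':'")
        location, key = value, None

    # The first unencoded slash separates mount point from path.
    if "/" not in location:
        raise ValueError("expected '/' between mount point and path")
    mount, path = location.split("/", 1)
    if not mount or not path:
        raise ValueError("mount point and path must both be non-empty")

    # Decode only after splitting, so encoded separators stay literal.
    return VaultRef(unquote(mount), unquote(path),
                    unquote(key) if key is not None else None)


if __name__ == "__main__":
    # Constructed sample values matching the syntax described on the page.
    print(parse_vault_ref("secret/zabbix", expect_key=False))
    print(parse_vault_ref("foo%2Fbar/zabbix:password", expect_key=True))
```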
Example
In Zabbix: add user macro {$PASSWORD} with type Vault secret and value
Run the following CLI commands to create the required secret in the vault: