Configure Artifactory for HashiCorp Vault

JFrog Integrations Documentation

  1. Log into the JFrog Platform UI as "admin".

  2. Create the Access Token that Vault will use to interact with Artifactory. Or use the . See get-access-key.sh in Terraform Artifactory Provider.

    Click JFrog Platform UI | User Management | Access Tokens | Generate Token.

    Use the following parameters.

    • Token Type: Scoped Token

    • Description: (optional) vault-plugin-secrets-artifactory (Note: This will be lost on admin token rotation, because it is not part of the token.)

    • Username: vault-admin (for example)

    • Service: Artifactory (or you can leave it on "All")

    • Expiration time: Never (do not set the expiration time less than 7h, since by default, it will not be revocable once the expiration is less than 6h)

  3. Save the generated token as the environment variable TOKEN.

Alternatively:

  • Use the Create Token REST API, and save the access_token from the JSON response as the environment variable TOKEN.

  • Use getArtifactoryAdminToken.sh.

    export JFROG_URL=https://artifactory.example.org
    export ARTIFACTORY_USERNAME=admin
    export ARTIFACTORY_PASSWORD=password
    TOKEN=$(scripts/getArtifactoryAdminToken.sh)

Vault Configuration

vault write artifactory/config/admin \
    url=https://artifactory.example.org \
    access_token=$TOKEN

Optionally, rotate the admin token, so that only Vault knows it.

vault write -f artifactory/config/rotate

Note

Some versions of Artifactory (notably 7.39.10) fail to rotate correctly. We recommend being on 7.42.1 or higher.

Also, if you want to change the username for the admin token (tired of it just being "admin"?) or set a "Description" on the token, those parameters are optionally available on the artifactory/config/rotate endpoint.

vault write artifactory/config/rotate username="new-username" description="A token used by vault-secrets-engine on our vault server"

Bypass TLS connection verification with Artifactory

To bypass TLS connection verification with Artifactory, set bypass_artifactory_tls_verification to true.

vault write artifactory/config/admin \
    url=https://artifactory.example.org \
    access_token=$TOKEN \
    bypass_artifactory_tls_verification=true

Optionally, check the results.

vault read artifactory/config/admin

Sample Output

Key                                    Value
---                                    -----
access_token_sha256                    74834a86b2082750201e2a1e520f21f7bfc7d4026e5bd2b075ca2d0699b7c4e3
bypass_artifactory_tls_verification    false
scope                                  applied-permissions/admin
token_id                               db0002b0-af08-486c-bbad-b255a3cc7b31
url                                    http://localhost:8082
use_expiring_tokens                    false
username                               vault-admin
version                                7.55.6
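
The following is an added example, not part of the JFrog documentation or the plugin. It turns the optional check above into a repeatable audit of the `vault read artifactory/config/admin` table. It flags a configuration that sends the admin token over a connection without certificate verification or over plain HTTP, and it tests whether the token you hold is still the one Vault stores. The function names are hypothetical, and it assumes `access_token_sha256` is the hex SHA-256 of the stored token.

```shell
#!/bin/sh
# Added example (not JFrog or HashiCorp code). Needs awk and coreutils sha256sum.

# Excerpt of the sample output shown on this page, used as offline input.
SAMPLE='Key                                    Value
---                                    -----
access_token_sha256                    74834a86b2082750201e2a1e520f21f7bfc7d4026e5bd2b075ca2d0699b7c4e3
bypass_artifactory_tls_verification    false
url                                    http://localhost:8082
username                               vault-admin'

# field KEY: print the Value column for KEY from the table on stdin.
field() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# audit_admin_config: table on stdin; prints one line per finding,
# returns 0 if the transport settings are sound, 1 otherwise.
audit_admin_config() {
    cfg=$(cat)
    findings=0
    bypass=$(printf '%s\n' "$cfg" | field bypass_artifactory_tls_verification)
    url=$(printf '%s\n' "$cfg" | field url)
    if [ "$bypass" = "true" ]; then
        echo "FINDING: certificate verification to Artifactory is disabled"
        findings=$((findings + 1))
    fi
    case "$url" in
        https://*) ;;
        *) echo "FINDING: url is not https: $url"
           findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# token_is_stored TOKEN: succeeds when sha256(TOKEN) equals access_token_sha256
# in the table on stdin (assumes the field is the hex SHA-256 of the token).
token_is_stored() {
    want=$(field access_token_sha256)
    have=$(printf '%s' "$1" | sha256sum | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Offline demo on the page's sample; live use:
#   vault read artifactory/config/admin | audit_admin_config
#   vault read artifactory/config/admin | token_is_stored "$TOKEN"
printf '%s\n' "$SAMPLE" | audit_admin_config || true
```

Run against the page's sample, the audit reports the plain-HTTP `url`. After `vault write -f artifactory/config/rotate`, `token_is_stored "$TOKEN"` should fail, which confirms that Vault no longer stores the token you generated.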