This article is to help to migrate Hashicorp vaults’ secret into the Okta Privileged Access vault. This solution is provided as a guide and it can be further enhanced or extended to use for any other third party vault.
The given tool is developed in java using Spring Boot framework. This tool has a property file which requires environment details for Okta Privileged Access and Hashicorp Vault to migrate the secrets.
- Use Case Overview
- Tool Execution Steps
Use Case Overview:
This solution (tool) is to migrate Generic/shared secrets, currently stored in the Hashicorp vault, to the Okta Privileged Access vault. Hashicorp has a secret engine concept which holds the secrets with Key value pairs whereas the Okta Privileged Access vault holds secrets in a folder as key value pairs. This tool will create secret folders in Okta Privileged Access for each secret engine in Hashicorp and then create all the secrets in their respective folders.
This solution will help with secret migration and eliminate the risks of exporting current secrets from Hashicorp in a static file.
Note: Java code can be downloaded from Github.
Tool Execution Steps:
Prerequisite:
- Java runtime (1.8.x)
- Maven to build and compile the code
- Okta Privileged Access Service Account Details (account creation covered in the Preparation steps section below)
- Hashicorp Token to read secret engines and secrets
Preparation steps:
- Login to Okta Dashboard and click on Okta Privileged Access chicklet
- Navigate to Users → Service Users and click on Create Service User
- Enter Service Username as an input and click on “Create Service User”
- Create API Key and copy the API Key ID and API Key Secret and store in a temp file.
Note: The Okta Privileged Access Service User must be deleted, or the Key ID and Key Secret expired, after you finish the migration so you don’t leave an orphan service account that could be compromised.
- Create a Secrets Folder in Okta Privileged Access and write a policy to enforce full access to the members of the group attached to the policy. This folder will be the parent folder for all the folders created as child folders and secrets migrated from the Hashicorp vault. It could be a top-level folder or a subfolder.
- Assign the new service user as a member of the group assigned to manage the folder
- Copy Okta Privileged Access folder id created above, relevant Resource Group ID and Project ID as follows:
- Navigate to Okta Privileged Access console and click on Secrets on the left navigation bar. (Make sure the user you logged with has permission to access the secret folder.
- Click on the folder for migration then capture the details as highlighted from the browser address bar.
- Download the Java code from Github.
- Search for a file called as “application-dev.properties” file and open in a notepad to edit and provide the respective values. Ideally it should be located to the folder /OPASecretMigration/src/main/resources (assuming you downloaded the code into OPASecretMigration folder)
| Key | Value |
| Okta Environment details | |
| register.oktapam.host | https://<<Okta Subdomain>>.pam.oktapreview.com OR https://<<Okta Subdomain>>.pam.okta.com |
| register.oktapam.apiuri | /v1/teams/<<PAM Team Name>> |
| register.oktapam.clientID | <<OPA Service user Key ID>> |
| register.oktapam.clientSecret | <<OPA Service user Key Secret>> |
| register.oktapam.resourceGroupId | <<Resource Group ID>> |
| register.oktapam.projectId | <<Project ID>> |
| register.oktapam.parentSecretFolderId | <<Secret Folder ID where child folder will be created and Secret will be migrated>> |
| register.oktapam.secretFolderDesc | Migrated from Hashicorp vault |
| Hashicorp Environment Details | |
| register.hashicorp.host | <<Host IP>> |
| register.hashicorp.port | <<Vault Service Port>> |
| register.hashicorp.scheme | http |
| register.hashicorp.token | <<Hashicorp token to read all secret engines and its metadata>> |
| register.hashicorp.secretengine | <<Comma separated Secret engines name>> |
- Once all value has been populated as per table above you can build and run the migration tool as follows:
- Navigate to root folder of the Java code example: /OPASecretMigration (assuming you downloaded the code into OPASecretMigration folder)
- open command shell
- Execute: “mvn clean”
- Execute: “mvn install”
- Execute: “mvn package”
- Execute: “java -jar target/OPASecretMigration-0.1.jar to start migration
Logging/Troubleshooting
To help with runtime operational problems, code debugging and troubleshooting activities, I have used the Simple Logging Facade for Java (SLF4J) framework to log the runtime exceptions,errors or execution information. There is no need to download or install any library. Maven will resolve library dependency and other dependent libraries during code compilation and build.
By default debug level is set to INFO and log output file path is set to /tmp folder.
To set a desired name and path for log file and set the log level, search for a file called as “logback.xml” file and open in a notepad to edit and provide the respective values. Ideally it should be located to the folder /OPASecretMigration/src/main/resources (assuming you downloaded the code into OPASecretMigration folder)
To set the output file path and filename change the value for below xml tags.
- <File>/tmp/logs/OPASecretServices.log</File>
- <FileNamePattern>/tmp/logs/OPASecretServices.log.%i</FileNamePattern> (Do not remove or make changes to the expression value ‘.%i’)
To change the debug level from ‘INFO’ to ‘DEBUG’ to get more details, change the value for below xml tags and replace ‘INFO’ to ‘DEBUG’
- < <logger name=“com.pat” level=“INFO”/>
- <root level=“INFO”>

IAMSE