Vault Configuration
The vault plugin integrates DRP with HashiCorp Vault as a secure parameter store. DRP parameters
can reference secrets stored in Vault KV engines using a URI-based lookup scheme instead of
holding plaintext values. The plugin supports both KV v1 and KV v2 engines and uses token-based
authentication.
Installation
The plugin requires drp-community-content version 4.8.0 or later and the more-external-secrets
license feature.
Plugin Parameters
Configure these parameters on the vault plugin object:
| Parameter | Description | Required |
|---|---|---|
| vault/address | Full URL of the Vault server (e.g., https://vault.example.com:8200) | Yes |
| vault/token | Vault authentication token | Yes |
| vault/kv-version | KV engine version: v1 or v2 (default: v2) | No |
| vault/kv-mount | Mount path of the KV engine (default: secret for v2, kv for v1) | No |
| vault/token-short-lived | If true, re-read the token from DRP on every Vault call | No |
| vault/ca-cert | PEM-format CA certificate for TLS validation (for self-signed Vault certs) | No |
| vault/insecure-tls | If true, skip TLS certificate validation — use only in test environments | No |
| vault/cache-timeout | Seconds to cache secrets in memory to reduce Vault API calls | No (default: 300) |
Plugin Creation

```bash
drpcli plugins create '{
  "Name": "my-vault",
  "Provider": "vault",
  "Params": {
    "vault/address": "https://vault.example.com:8200",
    "vault/token": "s.your-vault-token",
    "vault/kv-version": "v2",
    "vault/cache-timeout": 300
  }
}'
```
For Vault instances using a self-signed certificate, provide the CA certificate:
```bash
drpcli plugins update Name:my-vault '{"Params": {"vault/ca-cert": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"}}'
```
Using Secrets in Parameters
Set the decrypt/lookup-uri on a machine parameter to reference a secret in Vault:
```bash
# Store an IPMI password reference (secret stays in Vault)
drpcli machines set Name:my-server param ipmi/password to \
  '{ "LookupUri": "vault://foo?path=hello" }'

# Retrieve and decrypt the secret
drpcli machines get Name:my-server param ipmi/password --decode
```
The URI format is: `vault://<key-to-lookup>?path=<path-to-secret>`

- `<key-to-lookup>`: the key name within the Vault secret (e.g., `foo` for a secret with key `foo`).
- `path=<path>`: the path to the secret in the KV store.
KV Version Path Formatting
Path formatting differs between KV versions:
- KV v2: Omit the mount prefix from the path. For a secret at `secret/data/servers/prod`, use `path=servers/prod`.
- KV v1: Use the full path including the mount. For a secret at `kv/servers/prod`, use `path=kv/servers/prod`.
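The following Python is an added example, not the DRP vault plugin's own code: it parses the `vault://<key>?path=<path>` lookup URI described above and builds the Vault HTTP API path for each KV version following the rules in this section (v2 adds the mount and `data/` segment, v1 uses the path as given), then pulls the key out of a response shaped like each engine's read reply. The function names, the `secret` default mount and the sample responses are assumptions constructed for illustration.

```python
"""Resolve a DRP-style vault:// lookup URI into a Vault KV API path.

Added example, not the DRP vault plugin's code. The URI grammar and the
KV v1/v2 path rules follow the page; the function names, the default
mount and the sample responses are constructed here for illustration.
"""
from urllib.parse import parse_qs, urlparse


def parse_lookup_uri(uri):
    """Split 'vault://<key>?path=<path>' into (key, path)."""
    parts = urlparse(uri)
    if parts.scheme != "vault" or not parts.netloc:
        raise ValueError(f"not a vault:// lookup URI: {uri!r}")
    paths = parse_qs(parts.query).get("path", [])
    if len(paths) != 1:
        raise ValueError("lookup URI needs exactly one path= parameter")
    return parts.netloc, paths[0].strip("/")


def kv_api_path(path, kv_version="v2", mount=None):
    """Return the HTTP API path Vault expects for a KV read.

    v2: the page's path omits the mount and Vault wants 'data/' after the
    mount, so both are added here. v1: the path already carries the mount.
    """
    if kv_version == "v2":
        mount = (mount or "secret").strip("/")  # 'secret' is the v2 default
        return f"/v1/{mount}/data/{path}"
    if kv_version == "v1":
        return f"/v1/{path}"
    raise ValueError(f"unsupported kv-version {kv_version!r}")


def extract_key(response, key, kv_version="v2"):
    """Pull one key from a Vault read response (v2 nests it under data.data)."""
    body = response["data"]["data"] if kv_version == "v2" else response["data"]
    if key not in body:
        raise KeyError(f"key {key!r} not present in secret")
    return body[key]


def resolve(uri, response, kv_version="v2", mount=None):
    """Map a lookup URI to (api_path, secret_value) for the given engine."""
    key, path = parse_lookup_uri(uri)
    return kv_api_path(path, kv_version, mount), extract_key(response, key, kv_version)


# Constructed sample responses in the shape each KV engine returns.
V2_RESPONSE = {"data": {"data": {"foo": "hello-v2"}, "metadata": {"version": 3}}}
V1_RESPONSE = {"data": {"foo": "hello-v1"}}
```

Passing a v1-style path (mount included) to a v2 engine produces a doubled mount in the API path, which is the usual cause of a "not found" result when the wrong kv-version is configured.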
To determine which version your Vault KV engine uses:
Short-Lived Tokens
When vault/token-short-lived is true, the plugin re-reads the vault/token parameter from
DRP on every secret lookup instead of caching it. This is useful when the token itself is managed
by another DRP secret store plugin (e.g., the token is stored in cmdvault and rotated
frequently).
Template Expansion
The URI supports DRP parameter template expansion for machine-specific lookups: