Skip to content


The vault plugin allows you to get secrets from Vault. This is an alternate to the local secrets storage that comes with the server.

Plugin Configuration

The following is needed to set up this Vault plugin

  • vault/token - A token used to connect to Vault
  • vault/address - The address where Vault is running

In addition to this you can also configure a local cache timeout. We store the secrets from vault temporarily in memory. This will keep the vault server from getting overloaded with too many requests. This value is provided in seconds and by default we set it to 300 seconds

  • vault/cache-timeout - An optional value for how long secrets are cached in-memory

Operational Configuration

In addition to the plugin configuration above, you will also need a lookupUri that denotes where the secret is stored.

  • decrypt/lookup-uri - A URI that represents the location of the secret. This is made up of three parts:

    • ://?path=
    • vault://foo?path=location_of_foo
    • For version 1 it needs to be the complete path. So it your secret is stored at kv/my-secret then your path will be kv/my-secret.
    • For Version 2 it should be the path without the /secret so if your secret is located at /secret/foo/creds then the path has to be /foo/creds


The path-to-secret changes based on the Vault KV secrets engine version.


Once the plugin configuration and operational configuration are complete, you can use the plugin as follows

# set a machine ipmi password to a vault secret
drpcli machines set Name:foo param ipmi/password to '{ "LookupUri": "vault://key?path=path&format=json" }'

# get machine ipmi password
drpcli machines get Name:foo param ipmi/password --decrypt