The vault plugin allows you to get secrets from Vault. This is an alternative to the local secrets storage that comes with the server.
The following is needed to set up this Vault plugin:
vault/token - A token used to connect to Vault
vault/address - The address where Vault is running
In addition to this, you can configure a local cache timeout. We store the secrets from Vault temporarily in memory, which keeps the Vault server from being overloaded with too many requests. This value is given in seconds and defaults to 300 seconds.
vault/cache-timeout - An optional value for how long secrets are cached in memory
In addition to the plugin configuration above, you will also need a lookupUri that denotes where the secret is stored.
decrypt/lookup-uri - A URI that represents the location of the secret. This is made up of three parts:
- For version 1 it needs to be the complete path. So if your secret is stored at
kv/my-secret then your path will be
- For version 2 it should be the path without the
/secret so if your secret is located at
/secret/foo/creds then the path has to be
path-to-secret changes based on the Vault KV secrets engine version.
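Why the path depends on the KV engine version, and what the cache timeout means in practice, shown as an added sketch that is not the plugin's own code. The function and class names are hypothetical, Vault is replaced by a constructed in-memory stand-in, and the mount/path split is an assumption based on the two sample locations above.

```python
import time

DEFAULT_CACHE_TIMEOUT = 300  # seconds; the default this page states

def kv_read_path(version, mount, path):
    """Vault HTTP API read path; KV v2 inserts 'data/' after the mount."""
    mount, path = mount.strip("/"), path.strip("/")
    if version == 1:
        return f"/v1/{mount}/{path}"
    if version == 2:
        return f"/v1/{mount}/data/{path}"
    raise ValueError(f"unsupported KV version: {version!r}")

class CachedSecrets:
    """In-memory cache in front of a fetch function (hypothetical helper)."""

    def __init__(self, fetch, timeout=DEFAULT_CACHE_TIMEOUT, clock=time.monotonic):
        self._fetch, self._timeout, self._clock = fetch, timeout, clock
        self._cache = {}  # api_path -> (time fetched, value)

    def get(self, version, mount, path):
        api_path = kv_read_path(version, mount, path)
        now = self._clock()
        hit = self._cache.get(api_path)
        if hit is not None and now - hit[0] < self._timeout:
            return hit[1]  # served from memory, Vault is not contacted
        value = self._fetch(api_path)
        self._cache[api_path] = (now, value)
        return value

def demo():
    # Constructed stand-in for Vault: one KV v2 secret at /secret/foo/creds.
    store = {"/v1/secret/data/foo/creds": "old-password"}
    calls, now = [], [0.0]

    def fetch(api_path):
        calls.append(api_path)
        return store[api_path]

    secrets = CachedSecrets(fetch, clock=lambda: now[0])
    first = secrets.get(2, "secret", "foo/creds")
    store["/v1/secret/data/foo/creds"] = "new-password"  # rotated in Vault
    now[0] = 299.0
    stale = secrets.get(2, "secret", "foo/creds")  # still the old value
    now[0] = 300.0
    fresh = secrets.get(2, "secret", "foo/creds")  # timeout reached, refetched
    return first, stale, fresh, len(calls)
```

`demo()` still returns the old value at 299 seconds even though the secret was rotated, so the timeout is also the window during which a rotated or revoked secret can be served from memory.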
Once the plugin configuration and operational configuration are complete, you can use the plugin as follows