ยปVault
vault (configsourcer)
Read configuration values from Vault.
Examples
Required Parameters
These parameters are used in dynamic
for sourcing configuration values or input variable values.
key
The key name that exists at the specified Vault path
parameter.
The value can be a direct key such as password
or it can be a JSON pointer string to retrieve a nested value. When using the Vault KV Version 2 secret backend, the key must be prefixed with an additional string of /data
. For example, /data/password
. When using the Vault KV Version 1 secret backend, the key can be a direct key name such as password
. This is because the Vault KV API returns different data structures in its response depending on the Vault KV version the key is stored in. Therefore, the /data
prefix is required for keys stored in the Vault KV Version 2
secret backend in order to retrieve its nested value using JSON pointer string.
- Type: string
path
The Vault path to read the secret.
Within a single application, multiple dynamic values that use the same path will only read the value once. This allows multiple keys from a single secret to be extracted into multiple values. The example above shows this functionality by reading the username and password into separate values. When using the Vault KV secret backend, the path is usually <mount>/data/<key>
. For example, if you wrote data with vault kv put secret/myapp
then the key for Waypoint must be secret/data/myapp
. This can be confusing but is caused by the fact that the Vault API is what Waypoint uses and the Vault CLI does this automatically for KV.
- Type: string
Optional Parameters
This plugin has no optional parameters.
Source Parameters
The parameters below are used with waypoint config source-set
to configure
the behavior this plugin. These are not used in dynamic
calls. The
parameters used for dynamic
are in the previous section.
Required Source Parameters
This plugin has no required source parameters.
Optional Source Parameters
addr
The address to the Vault server.
If this is not set, the VAULT_ADDR environment variable will be read.
- Type: string
- Optional
- Environment Variable: VAULT_ADDR
agent_addr
The address to the Vault agent.
If this is not set, Vault agent will not be used. This should only be set if you're deploying to an environment with a Vault agent.
- Type: string
- Optional
- Environment Variable: VAULT_AGENT_ADDR
approle_role_id
The role ID of the approle auth method to use for Vault.
This is required for the approle
auth method.
- Type: string
- Optional
approle_secret_id
The secret ID of the approle auth method to use for Vault.
This is required for the approle
auth method.
- Type: string
- Optional
auth_method
The authentication method to use for Vault.
This can be one of: aws
, approle
, kubernetes
, gcp
. When this is set, configuration fields prefixed with the auth method type should be set, if required. Configuration fields prefixed with non-matching auth method types will be ignored (except for type validation). If no auth method is set, Vault assumes proper environment variables are set for Vault to find and connect to the Vault server. When this is set, auth_method_mount_path
is required.
- Type: string
- Optional
auth_method_mount_path
The path where the configured auth method is mounted in Vault.
This is required when auth_method
is set.
- Type: string
- Optional
aws_access_key
The access key to use for authentication to the IAM service, if needed.
This usually isn't needed since IAM instance profiles are used.
- Type: string
- Optional
aws_credential_poll_interval
The interval in seconds to wait before checking for new credentials.
- Type: int
- Optional
- Default: 60
aws_header_value
The value to match the iam_server_id_header_value
if set.
- Type: string
- Optional
aws_region
The region for the STS endpoint when using that method of auth.
- Type: string
- Optional
- Default: us-east-1
aws_role
The role to use for AWS authentication.
This is required for the aws
auth method. This depends on how you configured the Vault AWS Auth Method.
- Type: string
- Optional
aws_secret_key
The secret key to use for authentication to the IAM service, if needed.
This usually isn't needed since IAM instance profiles are used.
- Type: string
- Optional
aws_type
The type of authentication to use for AWS: either iam
or ec2
.
This is required for the aws
auth method. This depends on how you configured the Vault AWS Auth Method.
- Type: string
- Optional
ca_cert
The path to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate.
- Type: string
- Optional
- Environment Variable: VAULT_CACERT
ca_path
The path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate.
- Type: string
- Optional
- Environment Variable: VAULT_CAPATH
client_cert
The path to a PEM-encoded certificate to present as a client certificate.
This only needs to be set if Vault is configured to expect a client cert.
- Type: string
- Optional
- Environment Variable: VAULT_CLIENT_CERT
client_key
The path to a private key for the client cert.
This only needs to be set if Vault is configured to expect a client cert.
- Type: string
- Optional
- Environment Variable: VAULT_CLIENT_KEY
gcp_credentials
When using static credentials, the contents of the JSON credentials file.
- Type: string
- Optional
gcp_jwt_exp
The number of minutes a generated JWT should be valid for when using the iam method.
- Type: int
- Optional
- Default: 15
gcp_project
The project to use, only if it cannot be automatically determined.
- Type: string
- Optional
gcp_role
The role to use for GCP authentication.
This is required for the gcp
auth method. This depends on how you configured the Vault GCP Auth Method.
- Type: string
- Optional
gcp_service_account
The service account to use, only if it cannot be automatically determined.
- Type: string
- Optional
gcp_type
The type of authentication; must be gce
or iam
.
This is required for the gcp
auth method. This depends on how you configured the Vault GCP Auth Method.
- Type: string
- Optional
kubernetes_role
The role to use for Kubernetes authentication.
This is required for the kubernetes
auth method. This is a role that is setup with the Kubernetes Auth Method in Vault.
- Type: string
- Optional
kubernetes_token_path
The path to the Kubernetes service account token.
In standard Kubernetes environments, this doesn't have to be set.
- Type: string
- Optional
- Default: /var/run/secrets/kubernetes.io/serviceaccount/token
namespace
Default namespace to operate in if you're using Vault namespaces.
- Type: string
- Optional
- Environment Variable: VAULT_NAMESPACE
skip_verify
Do not validate the TLS cert presented by the Vault server.
This is not recommended unless absolutely necessary.
- Type: bool
- Optional
- Environment Variable: VAULT_SKIP_VERIFY
tls_server_name
The TLS server name to verify with the Vault server.
- Type: string
- Optional
- Environment Variable: VAULT_TLS_SERVER_NAME
token
The token to use for communicating to Vault.
If you're using a Vault Agent or an auth_method
, this may not be necessary. If you're using an auth_method
, this may still be necessary as a minimal token with access to the auth method, but usually these are not protected.
- Type: string
- Optional
- Environment Variable: VAULT_TOKEN