» Vault
» vault (configsourcer)
Read configuration values from Vault.
» Examples
» Required Parameters
These parameters are used in dynamic
for sourcing configuration values or input variable values.
» key
The key name that exists at the specified Vault path
parameter.
The value can be a direct key such as password
or it can be a JSON pointer string to retrieve a nested value. When using the Vault KV Version 2 secret backend, the key must be prefixed with an additional string of /data
. For example, /data/password
. When using the Vault KV Version 1 secret backend, the key can be a direct key name such as password
. This is because the Vault KV API returns different data structures in its response depending on the Vault KV version the key is stored in. Therefore, the /data
prefix is required for keys stored in the Vault KV Version 2
secret backend in order to retrieve its nested value using JSON pointer string.
- Type: string
» path
The Vault path to read the secret.
Within a single application, multiple dynamic values that use the same path will only read the value once. This allows multiple keys from a single secret to be extracted into multiple values. The example above shows this functionality by reading the username and password into separate values. When using the Vault KV secret backend, the path is usually <mount>/data/<key>
. For example, if you wrote data with vault kv put secret/myapp
then the key for Waypoint must be secret/data/myapp
. This can be confusing but is caused by the fact that the Vault API is what Waypoint uses and the Vault CLI does this automatically for KV.
- Type: string
» Optional Parameters
This plugin has no optional parameters.
» Source Parameters
The parameters below are used with waypoint config source-set
to configure
the behavior this plugin. These are not used in dynamic
calls. The
parameters used for dynamic
are in the previous section.
» Required Source Parameters
This plugin has no required source parameters.
» Optional Source Parameters
» addr
The address to the Vault server.
If this is not set, the VAULT_ADDR environment variable will be read.
- Type: string
- Optional
» agent_addr
The address to the Vault agent.
If this is not set, Vault agent will not be used. This should only be set if you're deploying to an environment with a Vault agent.
- Type: string
- Optional
» auth_method
The authentication method to use for Vault.
This can be one of: aws
, kubernetes
. When this is set, configuration fields prefixed with the auth method type should be set, if required. Configuration fields prefixed with non-matching auth method types will be ignored (except for type validation). If no auth method is set, Vault assumes proper environment variables are set for Vault to find and connect to the Vault server. When this is set, auth_method_mount_path
is required.
- Type: string
- Optional
» auth_method_mount_path
The path where the configured auth method is mounted in Vault.
This is required when auth_method
is set.
- Type: string
- Optional
» aws_access_key
The access key to use for authentication to the IAM service, if needed.
This usually isn't needed since IAM instance profiles are used.
- Type: string
- Optional
» aws_credential_poll_interval
The interval in seconds to wait before checking for new credentials.
- Type: int
- Optional
- Default: 60
» aws_header_value
The value to match the iam_server_id_header_value
if set.
- Type: string
- Optional
» aws_region
The region for the STS endpoint when using that method of auth.
- Type: string
- Optional
- Default: us-east-1
» aws_role
The role to use for AWS authentication.
This is required for the aws
auth method. This depends on how you configured the Vault AWS Auth Method.
- Type: string
- Optional
» aws_secret_key
The secret key to use for authentication to the IAM service, if needed.
This usually isn't needed since IAM instance profiles are used.
- Type: string
- Optional
» aws_type
The type of authentication to use for AWS: either iam
or ec2
.
This is required for the aws
auth method. This depends on how you configured the Vault AWS Auth Method.
- Type: string
- Optional
» ca_cert
The path to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate.
- Type: string
- Optional
» ca_path
The path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate.
- Type: string
- Optional
» client_cert
The path to a PEM-encoded certificate to present as a client certificate.
This only needs to be set if Vault is configured to expect a client cert.
- Type: string
- Optional
» client_key
The path to a private key for the client cert.
This only needs to be set if Vault is configured to expect a client cert.
- Type: string
- Optional
» gcp_credentials
When using static credentials, the contents of the JSON credentials file.
- Type: string
- Optional
» gcp_jwt_exp
The number of minutes a generated JWT should be valid for when using the iam method.
- Type: int
- Optional
- Default: 15
» gcp_project
The project to use, only if it cannot be automatically determined.
- Type: string
- Optional
» gcp_role
The role to use for GCP authentication.
This is required for the gcp
auth method. This depends on how you configured the Vault GCP Auth Method.
- Type: string
- Optional
» gcp_service_account
The service account to use, only if it cannot be automatically determined.
- Type: string
- Optional
» gcp_type
The type of authentication; must be gce
or iam
.
This is required for the gcp
auth method. This depends on how you configured the Vault GCP Auth Method.
- Type: string
- Optional
» kubernetes_role
The role to use for Kubernetes authentication.
This is required for the kubernetes
auth method. This is a role that is setup with the Kubernetes Auth Method in Vault.
- Type: string
- Optional
» kubernetes_token_path
The path to the Kubernetes service account token.
In standard Kubernetes environments, this doesn't have to be set.
- Type: string
- Optional
- Default: /var/run/secrets/kubernetes.io/serviceaccount/token
» namespace
Default namespace to operate in if you're using Vault namespaces.
- Type: string
- Optional
» skip_verify
Do not validate the TLS cert presented by the Vault server.
This is not recommended unless absolutely necessary.
- Type: bool
- Optional
» tls_server_name
The TLS server name to verify with the Vault server.
- Type: string
- Optional
» token
The token to use for communicating to Vault.
If you're using a Vault Agent or an auth_method
, this may not be necessary. If you're using an auth_method
, this may still be necessary as a minimal token with access to the auth method, but usually these are not protected.
- Type: string
- Optional