Hashicorp


The HashiCorp Vault Store allows secure retrieval of secrets from a Vault instance, supporting both token-based and Kubernetes authentication. This store is ideal for organizations already using Vault to manage sensitive credentials such as private keys, OAuth secrets, or database passwords. Configuration supports flexible path structuring and secure access control.

HashiCorp Vault Secret Store-specific Parameters

The following parameters are required to configure the HashiCorp Vault Secret Store:

| Parameter | Value | Description |
|---|---|---|
| details.skipVerify | true | Indicates whether to prefix the Secret Store URL with https:// or http://. |
| details.url | | The Secret Store URL. |
| details.timeout | 3s | The timeout value for connecting to the Secret Store. |
| details.enginePath | secret | Specifies the root folder in the HashiCorp Vault Engine from which the Secret Management Service should access Secrets. |
| details.pathPrefix | environments/production | The prefix for all paths when accessing Secrets in this store. |
| auth | | Authentication details for accessing the Secret Store. Add the relevant attributes for the chosen auth.method (Kubernetes or Token). |
| auth.method | Kubernetes | The authentication method used for accessing the Secret Store. Available methods: Kubernetes, Token. |
| auth.path | used for Kubernetes | File path for the Kubernetes authorization value. |
| auth.role | used for Kubernetes | Vault authorization role name. |
| auth.tokenValue | used for Token | The token value used for authentication when accessing the Secret Store. |
| auth.tokenFilePath | used for Token | Path of the file holding the token. |

Note: When configuring Vault information in the Scope Details of the Environment Settings for JWT signing, do not include the enginePath in the Path to Key parameter.

Example

The following example combines the general store parameters with the store-specific parameters described above.

secretStore:
  - id: hashicorp-vault
    type: Vault
    isDefault: true
    decoder: Base64
    details:
      url: https://vault.example.com
      defaultPath: secret/data/
      enginePath: kv
      pathPrefix: myapp/
      timeout: 5s
      skipVerify: false
    auth:
      method: Token
      tokenValue: s.1234567890abcdef
      # tokenFilePath: ${VAULT_TOKEN}  # Optional alternative to tokenValue: path to the file containing the token
    # Alternative: Kubernetes authentication instead of the Token block above
    # auth:
    #   method: Kubernetes
    #   path: /var/run/secrets/kubernetes.io/serviceaccount/token
    #   role: secrets-role
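As an added illustration (not code from the product or this page), the script below lints a store entry of the shape shown above and composes the Vault key path from enginePath, pathPrefix and a key. It assumes the path is composed as enginePath/pathPrefix/key (which is why the Note above says not to repeat enginePath in Path to Key) and treats skipVerify: true as relaxing TLS verification, as the flag name suggests; the dicts are constructed from the example.

```python
from typing import Any, Dict, List

# Constructed: the Token-auth entry from the YAML example above, as a dict.
STORE: Dict[str, Any] = {
    "id": "hashicorp-vault",
    "details": {"url": "https://vault.example.com", "enginePath": "kv",
                "pathPrefix": "myapp/", "timeout": "5s", "skipVerify": False},
    "auth": {"method": "Token", "tokenValue": "s.1234567890abcdef"},
}

# Constructed: a deliberately weak entry so the lint has something to flag.
WEAK_STORE: Dict[str, Any] = {
    "id": "vault-dev",
    "details": {"url": "http://vault.internal", "enginePath": "kv",
                "pathPrefix": "", "skipVerify": True},
    "auth": {"method": "Token"},  # neither tokenValue nor tokenFilePath
}


def vault_path(details: Dict[str, Any], key: str) -> str:
    """Assumed composition enginePath/pathPrefix/key: the table calls enginePath
    the root folder and pathPrefix the prefix for all paths. Since enginePath is
    prepended here, a Path to Key supplied elsewhere must not repeat it."""
    parts = [details.get("enginePath", ""), details.get("pathPrefix", ""), key]
    return "/".join(p.strip("/") for p in parts if p.strip("/"))


def lint_store(store: Dict[str, Any]) -> List[str]:
    """Return the settings a reviewer would want changed before deployment."""
    findings: List[str] = []
    d, a = store.get("details", {}), store.get("auth", {})
    if d.get("skipVerify") is True:
        findings.append("details.skipVerify is true: TLS verification relaxed")
    if str(d.get("url", "")).startswith("http://"):
        findings.append("details.url uses plaintext http://")
    method = a.get("method")
    if method == "Token":
        if "tokenValue" in a:
            findings.append("auth.tokenValue is inline: prefer auth.tokenFilePath "
                            "so the token does not live in the config file")
        elif "tokenFilePath" not in a:
            findings.append("Token auth needs auth.tokenValue or auth.tokenFilePath")
    elif method == "Kubernetes":
        findings += [f"Kubernetes auth is missing auth.{k}"
                     for k in ("path", "role") if k not in a]
    else:
        findings.append(f"unknown auth.method {method!r}")
    return findings
```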