Reads secrets from Vault. This resource supports KV1 and KV2 and can check for new versions or specific versions if using KV2.
- `vault_addr`: Required. The location of the Vault server, e.g. `https://vault.example.com:8200`.
- `vault_token`: Required if `secret_id` and `role_id` are not set. The token to use for authentication, e.g. `abc123f4k3T0k3n!&`.
- `vault_paths`: Required. A list of `path: version` entries for secrets in Vault. You can place this in the source configuration or pass it as a parameter when fetching the resource.

```yaml
vault_paths:
  path/to/secret: -1 # -1 means latest
  path/to/secret/w/version: 1 # grab version 1
```

AppRole Authentication
- `role_name`: Optional. If set, `vault_token` is required. The resource will use the `vault_token` and `role_name` to obtain a `role_id` and `secret_id` and use those to authenticate the AppRole.
- `role_id`: Optional. The role_id to authenticate with. Must be used with `secret_id`.
- `secret_id`: Optional. The secret_id to authenticate with. Must be used with `role_id`.

General Parameters
- `debug`: Optional. Prints debug information. Will not expose secrets.
- `format`: Optional. Choose an output format of either `json` or `yaml`. Default: `json`
- `prefix`: Optional. Prepends a prefix to the secret key.
- `retries`: Optional. The number of retries. Default: 3
- `upcase`: Optional. Converts all secret keys to UPPERCASE.
- `sanitize`: Optional. Converts dots and dashes in a secret key to underscores.
- `vault_insecure`: Optional. Skips Vault SSL verification.

Resource configuration
```yaml
resource_types:
- name: vault
  type: docker-image
  source:
    repository: hub.example.com/foo/concourse-vault-resource
    tag: latest

resources:
- name: vault
  type: vault
  source:
    vault_addr: https://vault.example.com:8200
    vault_token: {{token}}
```

Resource configuration with AppRole
```yaml
resource_types:
- name: vault
  type: docker-image
  source:
    repository: hub.example.com/foo/concourse-vault-resource
    tag: latest

resources:
- name: vault
  type: vault
  source:
    vault_addr: https://vault.example.com:8200
    vault_token: {{token}}
    role_name: atu_vault-admins_approle
```

Resource configuration with AppRole using role_id and secret_id
```yaml
resource_types:
- name: vault
  type: docker-image
  source:
    repository: hub.example.com/foo/concourse-vault-resource
    tag: latest

resources:
- name: vault
  type: vault
  source:
    vault_addr: https://vault.example.com:8200
    role_id: 123456zzxROLE_IDjhdjkfafpfwefwa
    secret_id: faffdsfafdSECRET_IDdsfsdfadfd
```

Fetching secrets:
```yaml
- get: vault
  params:
    vault_paths:
      # KV1 Engine Test
      secret/foo: -1
      # KV2 Engine Test
      kv2/data/foo/bar: 2
```

Reads secrets from Vault and stores them in /opt/resource/secrets as JSON or YAML.
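
How a `vault_paths` entry maps onto a Vault HTTP API read, with a check that a pinned KV2 version is the one actually returned. This is an added example, not the resource's own code: the function names, the rule that a `data` segment after the mount marks a KV2 path, and the sample response bodies are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlencode

def read_url(vault_addr, path, version=-1):
    """Map one vault_paths entry (path: version) to a Vault read URL."""
    parts = path.strip("/").split("/")
    # Assumption: "<mount>/data/..." marks a KV2 path, as in kv2/data/foo/bar.
    is_kv2 = len(parts) > 2 and parts[1] == "data"
    url = f"{vault_addr.rstrip('/')}/v1/{'/'.join(parts)}"
    if version == -1:                      # -1 means latest: no query string
        return url, is_kv2
    if not is_kv2:
        raise ValueError(f"{path}: KV1 keeps no versions, use -1")
    if version < 1:
        raise ValueError(f"{path}: invalid version {version}")
    return url + "?" + urlencode({"version": version}), is_kv2

def extract_secret(body, is_kv2, version=-1):
    """Pull the key/value map out of a read response; enforce a pinned version."""
    doc = json.loads(body)
    if doc.get("errors"):
        raise RuntimeError("; ".join(doc["errors"]))
    data = doc["data"]
    if not is_kv2:
        return data                        # KV1: secret sits directly in "data"
    got = data["metadata"]["version"]      # KV2: payload nested, with metadata
    if version != -1 and got != version:
        raise RuntimeError(f"asked for version {version}, got {got}")
    if data["data"] is None:
        raise RuntimeError(f"version {got} is deleted or destroyed")
    return data["data"]

# Constructed sample responses in the shape Vault returns for KV1 and KV2.
KV1_BODY = json.dumps({"data": {"db.user": "app"}})
KV2_BODY = json.dumps({"data": {"data": {"api-key": "constructed-value"},
                                "metadata": {"version": 2}}})

if __name__ == "__main__":
    addr = "https://vault.example.com:8200"
    for path, ver, body in [("secret/foo", -1, KV1_BODY),
                            ("kv2/data/foo/bar", 2, KV2_BODY)]:
        url, kv2 = read_url(addr, path, ver)
        # Print key names only, never secret values.
        print(url, sorted(extract_secret(body, kv2, ver)))
```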