Skip to content
Concourse resource to fetch secrets from Vault on an EC2 instance.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Vault Resource

Reads secrets from Vault. Authentication is done (by default) using the aws-ec2 method, which must be configured before using this resource. It can also use the AppRole method to authenticate.

Source Configuration

  • url: Optional. The location of the Vault server. Defaults to https://vault.service.consul:8200.

  • role: Optional. The role to authenticate as. Defaults to concourse.

  • nonce: Optional. Client nonce whitelisted by Vault for this EC2 auth. Defaults to vault-concourse-nonce, which should probably be changed.

  • paths: Optional. If specified (as a list of glob patterns), only changes to the specified files will yield new versions from check.

  • expose_token: Optional. If specified, this option will expose the token to make it available to other resources

  • auth_method: Optional. By default will use the aws-ec2 method. If AppRole is specified, it will read the role_id and secret_id parameter to authenticate on the approle endpoint.

  • role_id: Optional. Use a specific role id to authenticate. This parameter is used only with auth_method: AppRole.

  • secret_id: Optional. Use a specific secret id to authenticate. This parameter is used only with auth_method: AppRole.

  • tls_skip_verify: Optional. Skips Vault SSL verification by exporting VAUKT_SKIP_VERIFY=1.


Resource configuration using aws-ec2 authentication:

- name: vault
  type: vault
    role: build-server
    nonce: cantguessme

Resource configuration using AppRole authentication:

- name: vault
  type: vault
    auth_method: AppRole
    role_id: e6889709-5ff8-c670-a083-79f1c5035709
    secret_id: e6889709-5ff8-c670-a083-79f1c5035709

Fetching secrets:

- get: vault
      - secret/build/git
      - secret/build/aws/s3


check: Check for new versions.

Essentially a noop, the current date is always returned as {"date": "$DATE"}

in: Read secrets from Vault

Reads secrets from Vault and stores them on disk as JSON files.

The path of the secret will match the path on disk - ie in the example above, vault/build/git.json and vault/build/aws/s3.json will be created.


  • paths: Required. List of paths to read from the Vault secret mount.
You can’t perform that action at this time.