Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Vault secret manager plugin

This is a GoCD Secrets plugin which allows users to use Vault as a secret manger for the GoCD server.

The plugin supports Version 2 of KV Secrets Engine.

Table of Contents

Setup Vault using docker

  1. Run following command to start docker container for vault
docker run --cap-add=IPC_LOCK -e VAULT_DEV_ROOT_TOKEN_ID=some-token -p8200:8200  -d --name=dev-vault vault:latest
  1. Once container is up and running exec to container in order to create secrets
export VAULT_ADDR=''
export VAULT_TOKEN='some-token'

The above environment variables are used by vault client to connect to the vault server.

  1. Create secret
export BASE_PATH='secret/gocd'
    AWS_SECRET_KEY=asdsfksfhkdfgfhfghhg; \

Configure the plugin

The plugin needs to be configured with a secret config in order to connect to Vault. The configuration can be added from the Secrets Management page under Admin > Secret Management.

Alternatively, the configuration can be added directly to the config.xml using the configuration.

    <secretConfig id="vault" pluginId="com.thoughtworks.gocd.secretmanager.vault">
      <description>All secrets for env1</description>
          <allow action="refer" type="environment">env_*</allow>
          <deny action="refer" type="pipeline_group">my_group</deny>
          <allow action="refer" type="pipeline_group">other_group</allow>

<rules> tag defines where this secretConfig is allowed/denied to be referred. For more details about rules and examples refer the GoCD Secret Management documentation

Field Required Description
VaultUrl Yes The url of the Vault server instance. If no address is explicitly set, the plugin will look to the VAULT_ADDR environment variable.
VaultPath Yes The vault path which holds the secrets as key-value pair (e.g. secret/gocd)
ConnectionTimeout No The number of seconds to wait before giving up on establishing an HTTP(s) connection to the Vault server. If no openTimeout is explicitly set, then the object will look to the VAULT_OPEN_TIMEOUT environment variable. Defaults to 5 seconds.
ReadTimeout No Once connection has already been established, this is the number of seconds to wait for all data to finish downloading. If no readTimeout is explicitly set, then the object will look to the VAULT_READ_TIMEOUT environment variable. Defaults to 30 seconds.
ServerPem No An X.509 certificate, in unencrypted PEM format with UTF-8 encoding to use when communicating with Vault over HTTPS
AuthMethod Yes The auth method to use to authenticate with the Vault server, can be one of token, approle or cert
Token No Required if using token auth method. This is the token used to read secrets from Vault. Ensure this token has a longer ttl, the plugin will not be renewing the token.
RoleId No Required if using approle auth method. The plugins will use the configured RoleId and SecretId to authenticate with Vault.
SecretId No Required if using approle auth method.
ClientKeyPem No Required if using cert auth method. An RSA private key, in unencrypted PEM format with UTF-8 encoding.
ClientPem No Required if using cert auth method. An X.509 client certificate, in unencrypted PEM format with UTF-8 encoding.
Max Retries No Number of times to attempt to gather secrets from Vault. Defaults to 0.
Retry Interval Milliseconds No Duration between retry attempts (set by Max Retries). Defaults to 100 milliseconds.

Building the code base

To build the jar, run ./gradlew clean test assemble


Enable Debug Logs

If you are on GoCD version 19.6 and above:

Edit the file wrapper-properties.conf on your GoCD server and add the following options. The location of the wrapper-properties.conf can be found in the installation documentation of the GoCD server.

# We recommend that you begin with the index `100` and increment the index for each system property

If you're running with GoCD server 19.6 and above on docker using one of the supported GoCD server images, set the environment variable GOCD_SERVER_JVM_OPTIONS:

docker run -e "" ...

The plugin logs are written to LOG_DIR/plugin-com.thoughtworks.gocd.secretmanager.vault.log. The log dir

  • on Linux is /var/log/go-server
  • on Windows are written to C:\Program Files\Go Server\logs
  • on docker images are written to /godata/logs