Skip to content
An InSpec input source plugin for HashiCorp Vault
Ruby Shell PowerShell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
lib Bump version to 0.3.2 by Chef Expeditor Sep 13, 2019
test Linting Sep 11, 2019
.gitignore Windows support during integration testing Aug 26, 2019 Update to reflect the promotion of 0.3.2 Sep 13, 2019 Github template tweaking, and DCO and COC Feb 13, 2019 Github template tweaking, and DCO and COC Feb 13, 2019
LICENSE Initial plugin codegen Feb 13, 2019 Add experimental warnings to README Sep 13, 2019
Rakefile Add a sleep after starting vault to ensure it is up prior to seeding Sep 11, 2019
VERSION Bump version to 0.3.2 by Chef Expeditor Sep 13, 2019
inspec-vault.gemspec Add gemspec dep on vault gem Aug 22, 2019

inspec-vault Plugin

This is a plugin for Chef InSpec that allows Inputs to be read from HashiCorp Vault.

  • Project State: Active (but EXPERIMENTAL)
  • Issues Response SLA: 3 business days
  • Pull Request Response SLA: 3 business days

For more information on project states and SLAs, see this documentation.

Notice - Experimental Project

This Chef InSpec plugin is in the early stages of research and development. Functionality may be defective, incomplete, or be withdrawn in the future. If you are interested in helping this project mature, please join the conversation or contribute code at the inspec-vault project.

To Install This Plugin

Assuming it has been published to RubyGems, you can install this gem using:

you@machine $ inspec plugin install inspec-vault

Loading Secrets into Vault

A full introduction to Vault is beyond the scope of this document, but begin by downloading a recent version from . Then, start a Vault dev-mode server with the following command:

$ vault server -dev

From there, you can then store an input. For example, look at the command below to store an input named my_input with the value of 2, for the my_profile profile. Once entered, Vault responds with metadata about the entry.

[cwolfe@lodi inspec-vault]$ vault kv put secret/inspec/my_profile my_input=2
Key              Value
---              -----
created_time     2019-09-10T17:54:16.237055Z
deletion_time    n/a
destroyed        false
version          1

With that value stored, Chef InSpec will now be able to retrieve the value.

What This Plugin Does

With the inspec-vault plugin enabled, Chef InSpec will contact the Vault server whenever an input() DSL call appears in profile control code. For example, whenever profile code like this is encountered:

# In profile "my_profile"
describe input("some_input") do
  it { should cmp "some_expected_value" }

Chef InSpec will determine a secret lookup path and access Vault. With no other settings, Chef InSpec will look for a Vault secret located at secret/inspec/my_profile with a key named "some_input". Chef InSpec will use the Vault secret if found, but otherwise it will fall back to other means of resolving the input, such as the profile metadata or CLI values.

Configuring the Plugin

Each plugin option may be set either as an environment variable, or as a plugin option in your Chef InSpec configuration file at ~/.inspec/config.json. For example, to set the prefix_path option in the config file, lay out the config file as follows:

  "version": "1.2",

Config file option names are always lowercase.

This plugin supports the following options:



A string that indicates where the key-value path should begin; default value is "secret". The path is constructed as <mount_point>/data/<path_prefix>/<profile_name>.



A string that indicates the latter portion of the key-value path; default value is "inspec". The path is constructed as <mount_point>/data/<path_prefix>/<profile_name>.



A number between 0 and 100, default 60. When two input provides both provide a value for the same input name, the priority determines which providers' value is used, with the higher priority prevailing. Core Chef InSpec providers only range up to 50, so inspec-vault will (by default) override any other input provider.



This environment variable is the URL and port of your Vault installation. Default is


This value is the secret used to authenticate to Vault. Required, no default provided.

Developing This Plugin

Please have a look at our for general guidelines.


Run bundle exec rake test:lint for linting, bundle exec rake test:unit for unit tests, and bundle exec rake test:integration for integration tests.

Note that integration tests will download and run Vault server locally.

You can’t perform that action at this time.