Skip to content


Repository files navigation

DBeaver Vault plugin

Provides database credentials using Vault dynamic secrets.

Vault login is not handled by this plugin.

You should manually log in into Vault, which will, using the default Token Helper, create a Vault token file in $HOME/.vault-token. Check another Vault Token Helper with support for native secret storage on macOS, Linux, and Windows.

The recommended way to use this plugin is with a Vault Agent, with Auto-Auth and cache enabled.

Installation With Update Site URL

  • Click Help → Install New Software... then enter this url:

  • Make sure DBeaver Vault is checked, then click Next to install the plugin.

  • See Optional extensions if you have any problems installing the plugin

Install from Marketplace

Drag to your running Eclipse* workspace. *Requires Eclipse Marketplace Client



Vault Agent

This plugin will request new credentials everytime a connection is open to the database. To re-use already existing and valid credentials a Vault Agent is recommended.

This is an example, with AWS Authenticaton. Save it as vault-agent-dbeaver.hcl and edit accordingly:

auto_auth {
    method "aws" {
        config = {
            type = "iam"
            role = "zzz"
            access_key = "xxx"
            secret_key = "yyy"
            header_value = ""

    sink "file" {
        config = {
            path = "/opt/vault/vault-token-dbeaver"

vault {
    address = ""

cache {  
    use_auto_auth_token = true

listener "tcp" {
    address = ""
    tls_disable = true

Launch the Vault Agent with vault agent -log-level=debug -config vault-agent-dbeaver.hcl.

Configure a DBeaver database connection with:

  • Address:
  • Token file: /opt/vault/vault-token-dbeaver

Launching Vault Agent automatically

To skip launching the Vault Agent manually, you can configure your system manager to launch it on startup. For systemd create a ~/.config/systemd/user/vault-agent-dbeaver.service with:

Description="Vault Agent to serve Tokens - DBeaver"

ExecStart=/usr/bin/vault agent -config=/opt/vault-agent-dbeaver.hcl


Enable the Vault system unit with systemctl --user enable vault-agent-dbeaver and launch the Vault Agent with systemctl --user start vault-agent-dbeaver.


Support for parsing Vault config file from environment variable VAULT_CONFIG_PATH or default ~/.vault is restricted to JSON syntax only. It does not support native HCL syntax.


No releases published


No packages published