HashiCorp Vault Plugin
This topic covers the HashiCorp Vault Plugin for Release, which integrates Vault for secure secret management within release pipelines.
The HashiCorp Vault plugin retrieves secrets from a Vault Server for use in your tasks and automation. These secrets include static and dynamic username and password fields from the Secrets Engine of your choice.
Authentication
Vault supports several authentication methods, as outlined in the HashiCorp Vault Authentication documentation.
In the server configuration, enter the Vault URL and select an Authentication Method from the dropdown menu.
The HashiCorp Vault plugin supports the following authentication methods:
- For Basic and LDAP, you can enter Username and Password.
- For AppRole, you can enter RoleId and SecretId.
- For PAT, you can enter the Api Token.
The HashiCorp Vault plugin includes a Read Secret task for the KV Version 2 mount type.
The HashiCorp Vault plugin also provides a Namespace field.
Note: Vault must run in Enterprise mode for namespaces to be available.
List of tasks in the Vault plugin
KV version1 Tasks
- SecretsV1-ReadDynamicSecret
- SecretsV1-CreateSecret
- SecretsV1-ReadSecret
- SecretsV1-DeleteSecret
- SecretsV1-EnableEngine
KV version2 Tasks
- SecretsV2-ReadSecret
- SecretsV2-EnableEngine
- SecretsV2-Configure
- SecretsV2-ReadConfiguration
- SecretsV2-ReadSecretVersions
- SecretsV2-CreateSecret
- SecretsV2-PatchExistingSecret
- SecretsV2-DeleteVersion
- SecretsV2-UndeleteVersion
- SecretsV2-DestroyVersion
- SecretsV2-ListSecrets
- SecretsV2-ReadSecretMetadata
- SecretsV2-UpdateMetadata
V1 Create secret
This task creates a secret in vault (type V1).
V1 Delete secret
This task deletes a secret in vault (type V1).
V1 Enable engine
This task enables the engine in vault (type V1).
V1 List secrets
This task lists the secrets from vault (type V1).
V1 Read dynamic secret
This task reads a dynamic secret from vault (type V1).
V1 Read secret
This task reads the secret from vault (type V1).
V2 Configure
This task configures the vault (type V2).
V2 Create secret
This task creates a secret in vault (type V2).
V2 Delete metadata
This task deletes the metadata and all versions from vault (type V2).
V2 Delete version
This task deletes the version in vault (type V2).
V2 Destroy version
This task destroys the version in vault (type V2).
V2 Enable engine
This task enables the engine in vault (type V2).
V2 List secrets
This task lists the secrets from vault (type V2).
V2 Patch existing secret
This task patches an existing secret in vault (type V2).
V2 Read configuration
This task reads a configuration from vault (type V2).
Read Secret KV version2
The Read Secret task for KV Version 2 requires the Mount_point, Path and Key. The task reads the secret stored at that path under the mount point, extracts the value of the given key, and the result can be stored as an output variable.
Use the Secret as Part of Another Task:
In this example, the HashiCorp Vault Get Secret V2 task is followed by a Jenkins Build task. The Jenkins task uses the release variable jenkpassword (previously populated by Vault) as the Jenkins password, overriding the password configured for the Jenkins server.
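As an added example (not the plugin's own code), the HTTP calls that the AppRole authentication and the Read Secret KV Version 2 task stand for: an AppRole login with RoleId/SecretId, then a read of Mount_point/Path/Key, with a deleted or destroyed version reported instead of returned as empty data. The helper names http_json, approle_login and kv2_read are assumptions, and the transport parameter exists so the calls can be exercised against constructed responses.

```python
import json
import urllib.error
import urllib.request

# Hypothetical helpers for illustration; not part of the Release plugin.

def http_json(method, url, body, headers):
    """Send one JSON request to Vault and return the parsed JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # Vault answers 404 for a deleted or destroyed KV v2 version but still sends
        # a JSON body carrying the version metadata, so parse it rather than failing.
        return json.load(err)

def approle_login(base_url, role_id, secret_id, namespace=None, transport=http_json):
    """Exchange RoleId/SecretId for a client token (POST /v1/auth/approle/login)."""
    headers = {"X-Vault-Namespace": namespace} if namespace else {}
    resp = transport("POST", f"{base_url}/v1/auth/approle/login",
                     {"role_id": role_id, "secret_id": secret_id}, headers)
    if "errors" in resp:
        raise PermissionError(f"AppRole login failed: {resp['errors']}")
    return resp["auth"]["client_token"]

def kv2_read(base_url, token, mount, path, key, version=None, namespace=None, transport=http_json):
    """Read one key of a KV v2 secret (GET /v1/<mount>/data/<path>[?version=N])."""
    url = f"{base_url}/v1/{mount}/data/{path}" + (f"?version={version}" if version is not None else "")
    headers = {"X-Vault-Token": token}
    if namespace:
        headers["X-Vault-Namespace"] = namespace  # Vault Enterprise only
    resp = transport("GET", url, None, headers)
    if "errors" in resp:  # permission denied, unknown path, or other Vault error body
        raise LookupError(f"read of {mount}/{path} failed: {resp['errors']}")
    data, meta = resp["data"]["data"], resp["data"]["metadata"]
    if data is None:  # soft-deleted or destroyed version: metadata only, no payload
        state = "destroyed" if meta.get("destroyed") else "deleted"
        raise LookupError(f"version {meta.get('version')} of {mount}/{path} is {state}")
    if key not in data:
        raise KeyError(f"key {key!r} not present in {mount}/{path} version {meta.get('version')}")
    return data[key]
```

A successful call returns only the requested key, which is what a release would store in an output variable such as jenkpassword.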
V2 Read secret metadata
This task reads the secret metadata from vault (type V2).
V2 Read secret versions
This task reads the secret versions from vault (type V2).
V2 Undelete version
This task undeletes a version in vault (type V2).
V2 Update metadata
This task updates the metadata in vault (type V2).