Skip to content

HashiCorp Vault

Configuration

You must provide a mapping in PLUGINS_CONFIG within your nautobot_config.py, for example:

PLUGINS_CONFIG = {
    "nautobot_secrets_providers": {
        "hashicorp_vault": {
            "url": os.environ.get("HASHICORP_VAULT_URL"),
            "token": os.environ.get("HASHICORP_VAULT_TOKEN"),
        }
    },
}
  • url - (required) The URL to the HashiCorp Vault instance (e.g. http://localhost:8200).
  • auth_method - (optional / defaults to "token") The method used to authenticate against the HashiCorp Vault instance. Either "approle", "aws", "kubernetes" or "token".
  • ca_cert - (optional) Path to a PEM formatted CA certificate to use when verifying the Vault connection. Can alternatively be set to False to ignore SSL verification (not recommended) or True to use the system certificates.
  • default_mount_point - (optional / defaults to "secret") The default mount point of the K/V Version 2 secrets engine within Hashicorp Vault.
  • kv_version - (optional / defaults to "v2") The version of the KV engine to use, can be v1 or v2
  • k8s_token_path - (optional) Path to the kubernetes service account token file. Defaults to "/var/run/secrets/kubernetes.io/serviceaccount/token".
  • token - (optional) Required when "auth_method": "token" or auth_method is not supplied. The token for authenticating the client with the HashiCorp Vault instance. As with other sensitive service credentials, we recommend that you provide the token value as an environment variable and retrieve it with {"token": os.getenv("NAUTOBOT_HASHICORP_VAULT_TOKEN")} rather than hard-coding it in your nautobot_config.py.
  • role_name - (optional) Required when "auth_method": "kubernetes", optional when "auth_method": "aws". The Vault Kubernetes role or Vault AWS role to assume which the pod's service account has access to.
  • role_id - (optional) Required when "auth_method": "approle". As with other sensitive service credentials, we recommend that you provide the role_id value as an environment variable and retrieve it with {"role_id": os.getenv("NAUTOBOT_HASHICORP_VAULT_ROLE_ID")} rather than hard-coding it in your nautobot_config.py.
  • secret_id - (optional) Required when "auth_method": "approle".As with other sensitive service credentials, we recommend that you provide the secret_id value as an environment variable and retrieve it with {"secret_id": os.getenv("NAUTOBOT_HASHICORP_VAULT_SECRET_ID")} rather than hard-coding it in your nautobot_config.py.
  • login_kwargs - (optional) Additional optional parameters to pass to the login method for approle, aws and kubernetes authentication methods.
  • namespace - (optional) Namespace to use for the X-Vault-Namespace header on all hvac client requests. Required when the Namespaces feature is enabled in Vault Enterprise.

Multiple Hashicorp Vaults

??? version-added "Added in version 3.1.0"

Hashicorp Provider now supports using multiple vaults (configurations). You will be able to choose the vault when creating a secret, For example, you could have one vault using approle authentication, and a second vault using token authentication in combination with a different default mount point:

PLUGINS_CONFIG = {
    "nautobot_secrets_providers": {
        "hashicorp_vault": {
            "vaults": {
                "hashicorp_approle": {
                    "url": os.environ.get("HASHICORP_VAULT_URL"),
                    "auth_method": "approle",
                    "role_id": os.getenv("NAUTOBOT_HASHICORP_VAULT_ROLE_ID"),
                    "secret_id": os.getenv("NAUTOBOT_HASHICORP_VAULT_SECRET_ID"),
                },
                "hashicorp_v1_custom_mount": {
                    "url": os.environ.get("HASHICORP_VAULT_URL"),
                    "token": os.environ.get("HASHICORP_VAULT_TOKEN"),
                    "kv_version": "v1",
                    "default_mount_point": "secret_kv",
                },
            }
        }
    },
}

Select Secret Configuration Select Secret Configuration

Note

If using this option, you should not have any keys except vaults under hashicorp_vault.