Edit this page on GitHub

Home > docs > plugins v1 > Vault by HashiCorp Task

Vault by HashiCorp Task

The hashivault task allows workflows to read and write secrets with Vault by HashiCorp.

Usage

To enable the task in a Concord flow, it must be added as a dependency:

configuration:
  dependencies:
  - mvn://com.walmartlabs.concord.plugins:hashivault-task:1.49.0

This adds the task to the classpath and allows you to invoke the task in a flow:

flows:
  default:
    # full task call
    - task: hashivault
      in:
        action: "readKV"
        baseUrl: "https://my-vault.example.com:8200"
        path: "${vaultPath}"
    # public methods require default variables
    - expr: ${hashivault.readKV('path/to/secret', 'my-key')}
      out: singleValue

Common Parameters

  • action: Action to perform
    • readKV - Read key/value data from a Vault secret
    • writeKV - Write key/value data to a Vault secret
  • apiToken - Vault API token for authentication
  • apiTokenSecret - Concord Secret details to retrieve a Vault API token
    • org - Concord Organization
    • name - Concord Secret name
    • password - Optional, Cord Secret password
  • baseUrl - Vault API URL
  • engineVersion - Optional, Vault engine version to use. Default is 2
  • namespace - Optional, Vault namespace to use
  • path - Path of the Vault secret to use
  • verifySsl - Optional, if false, disables SSL verification

readKV Action Parameters

  • key - Optional, specific Vault key to retrieve a value at

writeKV Action Parameters

  • kvPairs - Map of key/value pairs to write to the Vault secret

Task Output

The output of the full task call are saved into the result variable. This variable includes ok, data, and error members.

flows:
  default:
  - task: hashivault
    in:
      ...
  - if: ${result.ok}
    then:
      - log: "Successfully retrieved Vault data"
      # can be accessed in ${result.data}
    else:
      - log: "Error with task: ${result.error}"

The output of the task’s public method call returns only the retrieved Vault data.

- expr: ${hashivault.readKV('path/to/secret', 'aKey')}
  out: justAString

Setting Default Task Parameters

Set a hashivaultParams variable to provide a default set of parameters to the task. This is helpful when the task is called multiple time and allows the use of the task’s public methods.

configuration:
  arguments:
    hashivaultParams:
      baseUrl: "https://my-vault.example.com:8200"
      apiTokenSecret:
        org: "my-org"
        name: "my-token-secret"
      namespace: "/my-ns"

flows:
  default:
    # public methods are more succinct
    - expr: ${hashivault.readKV('path/to/secret')}
      out: kvPairs

    # or use the full call to override a default parameter
    - task: hashivault
      in:
        path: "path/to/secret"
        namespace: "/another-ns"

Reading Secret Data

Use the readKV action to read key/value pairs from a Vault secret. Additionally, use the key parameter to read a single value from a Vault secret.

- task: hashivault
  in:
    action: "readKV"
    baseUrl: "https://my-vault.example.com:8200"
    path: "path/to/secret"

# 'result' variable now contains:
#  ok: true/false
#  data: [ 'aKey': 'aValue', ... ]
#  error: "error string"

- task: hashivault
  in:
    action: "readKV"
    baseUrl: "https://my-vault.example.com:8200"
    path: "path/to/secret"
    key: "aKey"

# 'result' variable now contains:
#  ok: true/false
#  data: 'aValue'
#  error: "error string"

The task’s public can be used to retrieve only the data when default parameters are set.

- expr: ${hashivault.readKV('path/to/secret')}
  out: result
# 'result' variable now contains:
# [ 'aKey': 'aValue', ... ]

- expr: ${hashivault.readKV('path/to/secret', 'aKey')}
  out: result
# 'result' variable now contains:
# 'value'

The public method calls can be plugged directly into other task calls.

- task: ansible
  in:
    vaultPassword: ${hashivault.readKV('path/to/secret', 'vault-pass')}
    ...

Writing Secret Data

Use the writeKV action to write key/value pairs to a Vault secret.

- task: hashivault
  in:
    action: "writeKV"
    baseUrl: "https://my-vault.example.com:8200"
    path: "path/to/secret"
    kvPairs:
      aKey: "a-value"
      bKey: "b-value"

# 'result' variable now contains:
#  ok: true/false
#  data: null
#  error: "error string"

The task’s public can be used to write the data when default parameters are set.

- set:
    kvPairs:
      aKey: "a-value"
      bKey: "b-value"
- ${hashivault.writeKV('path/to/secret', kvPairs)}
# nothing returned