Edit this page on GitHub

Home > docs > plugins v2 > Vault by HashiCorp Task

Vault by HashiCorp Task

The hashivault task allows workflows to read and write secrets with Vault by HashiCorp.

Usage

To enable the task in a Concord flow, it must be added as a dependency:

configuration:
  dependencies:
  - mvn://com.walmartlabs.concord.plugins:hashivault-task:1.40.0

This adds the task to the classpath and allows you to invoke the task in a flow:

flows:
  default:
    # full task call
    - task: hashivault
      in:
        action: "readKV"
        baseUrl: "https://my-vault.example.com:8200"
        path: "${vaultPath}"
      out: result
    # public methods require default variables
    - expr: ${hashivault.readKV('path/to/secret', 'my-key')}
      out: singleValue

Common Parameters

  • action: Action to perform
    • readKV - Read key/value data from a Vault secret
    • writeKV - Write key/value data to a Vault secret
  • apiToken - Vault API token for authentication
  • apiTokenSecret - Concord Secret details to retrieve a Vault API token
    • org - Concord Organization
    • name - Concord Secret name
    • password - Optional, Cord Secret password
  • baseUrl - Vault API URL
  • engineVersion - Optional, Vault engine version to use. Default is 2
  • namespace - Optional, Vault namespace to use
  • path - Path of the Vault secret to use
  • verifySsl - Optional, if false, disables SSL verification

readKV Action Parameters

  • key - Optional, specific Vault key to retrieve a value at

writeKV Action Parameters

  • kvPairs - Map of key/value pairs to write to the Vault secret

Task Output

In addition to common task result fields, the output of the full hashivault task call returns:

  • data - map of retrieved Vault data;
flows:
  default:
  - task: hashivault
    in:
      ...
    out: result
  - if: ${result.ok}
    then:
      - log: "Successfully retrieved Vault data"
      # can be accessed in ${result.data}
    else:
      - log: "Error with task: ${result.error}"

The output of the task’s public method call returns only the retrieved Vault data.

- expr: ${hashivault.readKV('path/to/secret', 'aKey')}
  out: justAString

Setting Default Task Parameters

Set a hashivaultParams variable to provide a default set of parameters to the task. This is helpful when the task is called multiple time and allows the use of the task’s public methods.

configuration:
  arguments:
    hashivaultParams:
      baseUrl: "https://my-vault.example.com:8200"
      apiTokenSecret:
        org: "my-org"
        name: "my-token-secret"
      namespace: "/my-ns"

flows:
  default:
    # public methods are more succinct
    - expr: ${hashivault.readKV('path/to/secret')}
      out: kvPairs

    # or use the full call to override a default parameter
    - task: hashivault
      in:
        path: "path/to/secret"
        namespace: "/another-ns"
      out: result

Reading Secret Data

Use the readKV action to read key/value pairs from a Vault secret. Additionally, use the key parameter to read a single value from a Vault secret.

- task: hashivault
  in:
    action: "readKV"
    baseUrl: "https://my-vault.example.com:8200"
    path: "path/to/secret"
  out: result

# 'result' variable now contains:
#  ok: true/false
#  data: [ 'aKey': 'aValue', ... ]
#  error: "error string"

- task: hashivault
  in:
    action: "readKV"
    baseUrl: "https://my-vault.example.com:8200"
    path: "path/to/secret"
    key: "aKey"
  out: result

# 'result' variable now contains:
#  ok: true/false
#  data: 'aValue'
#  error: "error string"

The task’s public can be used to retrieve only the data when default parameters are set.

- expr: ${hashivault.readKV('path/to/secret')}
  out: result
# 'result' variable now contains:
# [ 'aKey': 'aValue', ... ]

- expr: ${hashivault.readKV('path/to/secret', 'aKey')}
  out: result
# 'result' variable now contains:
# 'value'

The public method calls can be plugged directly into other task calls.

- task: ansible
  in:
    vaultPassword: ${hashivault.readKV('path/to/secret', 'vault-pass')}
    ...

Writing Secret Data

Use the writeKV action to write key/value pairs to a Vault secret.

- task: hashivault
  in:
    action: "writeKV"
    baseUrl: "https://my-vault.example.com:8200"
    path: "path/to/secret"
    kvPairs:
      aKey: "a-value"
      bKey: "b-value"
  out: result

# 'result' variable now contains:
#  ok: true/false
#  data: null
#  error: "error string"

The task’s public can be used to write the data when default parameters are set.

- set:
    kvPairs:
      aKey: "a-value"
      bKey: "b-value"
- ${hashivault.writeKV('path/to/secret', kvPairs)}
# nothing returned