This is documentation for the next version of Alloy. For the latest stable release, go to the latest version.

Reference

Components

remote

remote.vault

Open source

remote.vault

remote.vault connects to a HashiCorp Vault server to retrieve secrets. It can retrieve a secret using the KV v2 secrets engine.

Multiple remote.vault components can be specified by giving them different labels.

Usage

remote.vault "LABEL" {
  server = "VAULT_SERVER"
  path   = "VAULT_PATH"
  key    = "VAULT_KEY"

  // Alternatively, use one of the other auth.* mechanisms.
  auth.token {
    token = "AUTH_TOKEN"
  }
}

Arguments

The following arguments are supported:

Name	Type	Description	Default	Required
`server`	`string`	The Vault server to connect to.		yes
`namespace`	`string`	The Vault namespace to connect to (Vault Enterprise only).		no
`path`	`string`	The path to retrieve a secret from.		yes
`key`	`string`	The key to retrieve a secret from.		no
`reread_frequency`	`duration`	Rate to re-read keys.	`"0s"`	no

Tokens with a lease will be automatically renewed roughly two-thirds through their lease duration. If the leased token isn’t renewable, or renewing the lease fails, the token will be re-read.

All tokens, regardless of whether they have a lease, are automatically reread at a frequency specified by the reread_frequency argument. Setting reread_frequency to "0s" (the default) disables this behavior.

Blocks

The following blocks are supported inside the definition of remote.vault:

Hierarchy	Block	Description	Required
client_options	client_options	Options for the Vault client.	no
auth.token	auth.token	Authenticate to Vault with a token.	no
auth.approle	auth.approle	Authenticate to Vault using AppRole.	no
auth.aws	auth.aws	Authenticate to Vault using AWS.	no
auth.azure	auth.azure	Authenticate to Vault using Azure.	no
auth.gcp	auth.gcp	Authenticate to Vault using GCP.	no
auth.kubernetes	auth.kubernetes	Authenticate to Vault using Kubernetes.	no
auth.ldap	auth.ldap	Authenticate to Vault using LDAP.	no
auth.userpass	auth.userpass	Authenticate to Vault using a username and password.	no
auth.custom	auth.custom	Authenticate to Vault with custom authentication.	no

Exactly one auth.* block must be provided, otherwise the component will fail to load.

client_options block

The client_options block customizes the connection to vault.

Name	Type	Description	Default	Required
`min_retry_wait`	`duration`	Minimum time to wait before retrying failed requests.	`"1000ms"`	no
`max_retry_wait`	`duration`	Maximum time to wait before retrying failed requests.	`"1500ms"`	no
`max_retries`	`int`	Maximum number of times to retry after a 5xx error.	`2`	no
`timeout`	`duration`	Maximum time to wait before a request times out.	`"60s"`	no

Requests which fail due to server errors (HTTP 5xx error codes) can be retried. The max_retries argument specifies how many times to retry failed requests. The min_retry_wait and max_retry_wait arguments specify how long to wait before retrying. The wait period starts at min_retry_wait and exponentially increases up to max_retry_wait.

Other types of failed requests, including HTTP 4xx error codes, aren’t retried.

If the max_retries argument is set to 0, failed requests aren’t retried.

auth.token block

The auth.token block authenticates each request to Vault using a token.

Name	Type	Description	Default	Required
`token`	`secret`	Authentication token to use.		yes

auth.approle block

The auth.token block authenticates to Vault using the AppRole auth method.

Name	Type	Description	Default	Required
`role_id`	`string`	Role ID to authenticate as.		yes
`secret`	`secret`	Secret to authenticate with.		yes
`wrapping_token`	`bool`	Whether to unwrap the token.	`false`	no
`mount_path`	`string`	Mount path for the login.	`"approle"`	no

auth.aws block

The auth.aws block authenticates to Vault using the AWS auth method.

Credentials used to connect to AWS are specified by the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION. The environment variable AWS_SHARED_CREDENTIALS_FILE may be specified to use a credentials file instead.

Name	Type	Description	Default	Required
`type`	`string`	Mechanism to authenticate against AWS with.		yes
`region`	`string`	AWS region to connect to.	`"us-east-1"`	no
`role`	`string`	Overrides the inferred role name inferred.	`""`	no
`iam_server_id_header`	`string`	Configures a `X-Vault-AWS-IAM-Server-ID` header.	`""`	no
`ec2_signature_type`	`string`	Signature to use when authenticating against EC2.	`"pkcs7"`	no
`mount_path`	`string`	Mount path for the login.	`"aws"`	no

The type argument must be set to one of "ec2" or "iam".

The iam_server_id_header argument is required used when type is set to "iam".

If the region argument is explicitly set to an empty string "", the region to connect to will be inferred using an API call to the EC2 metadata service.

The ec2_signature_type argument configures the signature to use when authenticating against EC2. It only applies when type is set to "ec2". ec2_signature_type must be set to either "identity" or "pkcs7".

auth.azure block

The auth.azure block authenticates to Vault using the Azure auth method.

Credentials are retrieved for the running Azure VM using Managed Identities for Azure Resources.

Name	Type	Description	Default	Required
`role`	`string`	Role name to authenticate as.		yes
`resource_url`	`string`	Resource URL to include with authentication request.		no
`mount_path`	`string`	Mount path for the login.	`"azure"`	no

auth.gcp block

The auth.gcp block authenticates to Vault using the GCP auth method.

Name	Type	Description	Default	Required
`role`	`string`	Role name to authenticate as.		yes
`type`	`string`	Mechanism to authenticate against GCP with		yes
`iam_service_account`	`string`	IAM service account name to use.		no
`mount_path`	`string`	Mount path for the login.	`"gcp"`	no

The type argument must be set to "gce" or "iam". When type is "gce", credentials are retrieved using the metadata service on GCE VMs. When type is "iam", credentials are retrieved from the file that the GOOGLE_APPLICATION_CREDENTIALS environment variable points to.

When type is "iam", the iam_service_account argument determines what service account name to use.

auth.kubernetes block

The auth.kubernetes block authenticates to Vault using the Kubernetes auth method.

Name	Type	Description	Default	Required
`role`	`string`	Role name to authenticate as.		yes
`service_account_file`	`string`	Override service account token file to use.		no
`mount_path`	`string`	Mount path for the login.	`"kubernetes"`	no

When service_account_file is not specified, the JWT token to authenticate with is retrieved from /var/run/secrets/kubernetes.io/serviceaccount/token.

auth.ldap block

The auth.ldap block authenticates to Vault using the LDAP auth method.

Name	Type	Description	Default	Required
`username`	`string`	LDAP username to authenticate as.		yes
`password`	`secret`	LDAP passsword for the user.		yes
`mount_path`	`string`	Mount path for the login.	`"ldap"`	no

auth.userpass block

The auth.userpass block authenticates to Vault using the UserPass auth method.

Name	Type	Description	Default	Required
`username`	`string`	Username to authenticate as.		yes
`password`	`secret`	Passsword for the user.		yes
`mount_path`	`string`	Mount path for the login.	`"userpass"`	no

auth.custom block

The auth.custom blocks allows authenticating against Vault using an arbitrary authentication path like auth/customservice/login.

Using auth.custom is equivalent to calling vault write PATH DATA on the command line.

Name	Type	Description	Default	Required
`path`	`string`	Path to write to for creating an authentication token.		yes
`data`	`map(secret)`	Authentication data.		yes

All values in the data attribute are considered secret, even if they contain nonsensitive information like usernames.

Exported fields

The following fields are exported and can be referenced by other components:

Name	Type	Description
`data`	`map(secret)`	Data from the secret obtained from Vault.

The data field contains a mapping from data field names to values. There is one mapping for each string-like field stored in the Vault secret.

Vault permits secret engines to store arbitrary data within the key-value pairs for a secret. The remote.vault component is only able to use values which are strings or can be converted to strings. Keys with non-string values are ignored and omitted from the data field.

If an individual key stored in data doesn’t hold sensitive data, it can be converted into a string using [the nonsensitive function][nonsensitive]:

convert.nonsensitive(remote.vault.LABEL.data.KEY_NAME)

Using convert.nonsensitive allows for using the exports of remote.vault for attributes in components that don’t support secrets.

Component health

remote.vault will be reported as unhealthy if the latest reread or renewal of secrets was unsuccessful.

Debug information

remote.vault exposes debug information for the authentication token and secret around:

The latest request ID used for retrieving or renewing the token.
The most recent time when the token was retrieved or renewed.
The expiration time for the token (if applicable).
Whether the token is renewable.
Warnings from Vault from when the token was retrieved.

Debug metrics

remote.vault exposes the following metrics:

remote_vault_auth_total (counter): Total number of times the component authenticated to Vault.
remote_vault_secret_reads_total (counter): Total number of times the secret was read from Vault.
remote_vault_auth_lease_renewal_total (counter): Total number of times the component renewed its authentication token lease.
remote_vault_secret_lease_renewal_total (counter): Total number of times the component renewed its secret token lease.

Example

local.file "vault_token" {
  filename  = "/var/data/vault_token"
  is_secret = true
}

remote.vault "remote_write" {
  server = "https://prod-vault.corporate.internal"
  path   = "secret"
  key    = "prometheus/remote_write

  auth.token {
    token = local.file.vault_token.content
  }
}

metrics.remote_write "prod" {
  remote_write {
    url = "https://onprem-mimir:9009/api/v1/push"
    basic_auth {
      username = remote.vault.remote_write.data.username
      password = remote.vault.remote_write.data.password
    }
  }
}