Reads secrets from Vault. Authentication is done (by default) using the aws-ec2 method, which must be configured before using this resource. It can also use the AppRole method to authenticate.
-
url: Optional. The location of the Vault server. Defaults tohttps://vault.service.consul:8200. -
role: Optional. The role to authenticate as. Defaults toconcourse. -
nonce: Optional. Client nonce whitelisted by Vault for this EC2 auth. Defaults tovault-concourse-nonce, which should probably be changed. -
paths: Optional. If specified (as a list of glob patterns), only changes to the specified files will yield new versions fromcheck. -
auth_method: Optional. By default will use theaws-ec2method. IfAppRoleis specified, it will read therole_idandsecret_idparameter to authenticate on the approle endpoint. -
role_id: Optional. Use a specific role id to authenticate. This parameter is used only withauth_method: AppRole. -
secret_id: Optional. Use a specific secret id to authenticate. This parameter is used only withauth_method: AppRole. -
tls_skip_verify: Optional. Skips Vault SSL verification by exportingVAUKT_SKIP_VERIFY=1.
Resource configuration using aws-ec2 authentication:
resources:
- name: vault
type: vault
source:
url: https://secure.legitcompany.com:8200
role: build-server
nonce: cantguessmeResource configuration using AppRole authentication:
resources:
- name: vault
type: vault
source:
url: https://secure.legitcompany.com:8200
auth_method: AppRole
role_id: e6889709-5ff8-c670-a083-79f1c5035709
secret_id: e6889709-5ff8-c670-a083-79f1c5035709Fetching secrets:
- get: vault
params:
paths:
- secret/build/git
- secret/build/aws/s3Essentially a noop, the current date is always returned as {"date": "$DATE"}
Reads secrets from Vault and stores them on disk as JSON files.
The path of the secret will match the path on disk - ie in the example above, vault/build/git.json and vault/build/aws/s3.json will be created.
paths: Required. List of paths to read from the Vault secret mount.