aherman
/
packer
mirror of https://github.com/hashicorp/packer
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd240e52b73'
${ noResults }
packer/website/content/docs/templates/hcl_templates/functions/contextual/vault.mdx

92 lines
2.6 KiB
Raw Blame History

---
page_title: vault - Functions - Configuration Language
description: The vault function retrieves secrets from HashiCorp Vault KV stores.
---
# `vault` Function
Secrets can be read from [Vault](https://www.vaultproject.io/) and used within
your template as user variables. the `vault` function is available _only_
within the default value of a user variable, allowing you to default a user
variable to a vault secret.
An example of using a v2 kv engine:
If you store a value in vault using `vault kv put secret/hello foo=world`, you
can access it using the following:
```hcl
locals {
foo = vault("/secret/data/hello", "foo")
}
```
which will assign `local.foo` with the value "world"
An example of using a v1 kv engine:
If you store a value in vault using:
vault secrets enable -version=1 -path=secrets kv
vault kv put secrets/hello foo=world
You can access it using the following:
```hcl
locals {
foo = vault("secrets/hello", "foo")
}
```
This example accesses the Vault path `secret/foo` and returns the value
stored at the key `foo`, storing it as the local variable `local.foo`.
If the Vault secret contains a highly sensitive value the `local` block, not to be confused with
the `locals` block, can be used to mark the value as sensitive.
```hcl
local "foo" {
expression = vault("secrets/hello", "foo")
sensitive = true
}
The `local` block example accesses the Vault path `secrets/foo` and returns the value
stored at the key `foo`, storing it as the local variable `local.foo`. However, the output of
the newly stored local variable will be filtered from the Packer build output, and replaced
with the value '<sensitive>'. See [Local Values](/docs/templates/hcl_templates/locals) for more details.
## Usage
In order for the Vault function to work, you must set the environment variables `VAULT_TOKEN`
and `VAULT_ADDR` to valid values.
-> **NOTE:** HCL functions can be used in local variable definitions or inline
with a provisioner/post-processor. They cannot be used in global variable definitions.
The api tool we use allows for more custom configuration of the Vault client via
environment variables.
The full list of available environment variables is:
```text
"VAULT_ADDR"
"VAULT_AGENT_ADDR"
"VAULT_CACERT"
"VAULT_CAPATH"
"VAULT_CLIENT_CERT"
"VAULT_CLIENT_KEY"
"VAULT_CLIENT_TIMEOUT"
"VAULT_SKIP_VERIFY"
"VAULT_NAMESPACE"
"VAULT_TLS_SERVER_NAME"
"VAULT_WRAP_TTL"
"VAULT_MAX_RETRIES"
"VAULT_TOKEN"
"VAULT_MFA"
"VAULT_RATE_LIMIT"
```
and detailed documentation for usage of each of those variables can be found
[here](https://www.vaultproject.io/docs/commands/#environment-variables).
Reference in new issue View Git Blame Copy Permalink