VaultHook

Hashicorp

Hook to Interact with HashiCorp Vault KeyValue Secret engine.


Last Updated: Mar. 16, 2023

Access Instructions

Install the Hashicorp provider package into your Airflow environment.

Import the module into your DAG file and instantiate it with your desired params.

Parameters

vault_conn_id: The id of the connection to use.
auth_type: Authentication type for the Vault. Default is token. Available values are: (‘approle’, ‘github’, ‘gcp’, ‘kubernetes’, ‘ldap’, ‘token’, ‘userpass’).
auth_mount_point: Defines the mount_point for the chosen authentication method. Default depends on the authentication method used.
kv_engine_version: Select the version of the engine to run (1 or 2). Defaults to the version defined in the connection, or 2 if not defined in the connection.
role_id: Role ID for aws_iam authentication.
kubernetes_role: Role for authentication (for kubernetes auth_type).
kubernetes_jwt_path: Path for the kubernetes jwt token (for kubernetes auth_type, default: /var/run/secrets/kubernetes.io/serviceaccount/token).
token_path: Path to a file containing the authentication token to include in requests sent to Vault (for token and github auth_type).
gcp_key_path: Path to Google Cloud Service Account key file (JSON) (for gcp auth_type). Mutually exclusive with gcp_keyfile_dict.
gcp_scopes: Comma-separated string containing OAuth2 scopes (for gcp auth_type).
azure_tenant_id: The tenant id for the Azure Active Directory (for azure auth_type).
azure_resource: The configured URL for the application registered in Azure Active Directory (for azure auth_type).
radius_host: Host for radius (for radius auth_type).
radius_port: Port for radius (for radius auth_type).

Documentation

Hook to Interact with HashiCorp Vault KeyValue Secret engine.

You connect to the host specified as host in the connection. The login/password from the connection are usually used as credentials, and you can specify different authentication parameters via init params or via the corresponding extras in the connection.

The mount point should be placed as a path in the URL, similarly to Vault’s URL schema: it indicates the “path” the secret engine is mounted on. Default if not specified is “secret”. Note that this mount_point is not used for authentication if authentication is done via a different engine; each engine uses its own engine-specific authentication mount_point.

The extras in the connection are named the same as the parameters (‘kv_engine_version’, ‘auth_type’, …).

You can also use gcp_keyfile_dict extra to pass json-formatted dict in case of ‘gcp’ authentication.

The URL schemas supported are “vault”, “http” (using http to connect to the vault) or “vaults” and “https” (using https to connect to the vault).

Example URL:

vault://user:password@host:port/mount_point?kv_engine_version=1&auth_type=github

Login/Password are used as credentials:

  • approle: login -> role_id, password -> secret_id

  • github: password -> token

  • token: password -> token

  • aws_iam: login -> key_id, password -> secret_id

  • azure: login -> client_id, password -> client_secret

  • ldap: login -> username, password -> password

  • userpass: login -> username, password -> password

  • radius: password -> radius_secret
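The URL schema and the login/password mapping above decide what the hook ends up sending to Vault. The following helper, added here as an illustration and not part of the provider, parses a connection URI the way the docstring describes (scheme to http/https, path to mount_point, query to extras, login/password to the per-auth_type credential names) and produces a copy safe to write to logs, since the password part of such a URI is a Vault secret. Function names and the sample URIs are constructed for this example.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# From the docstring: which credential the connection's login and password
# fields stand for, per auth_type (None = field not used).
CREDENTIAL_NAMES = {
    "approle": ("role_id", "secret_id"),
    "github": (None, "token"),
    "token": (None, "token"),
    "aws_iam": ("key_id", "secret_id"),
    "azure": ("client_id", "client_secret"),
    "ldap": ("username", "password"),
    "userpass": ("username", "password"),
    "radius": (None, "radius_secret"),
}
# Supported URL schemas and the transport each one means.
SCHEME_TO_PROTOCOL = {"vault": "http", "http": "http", "vaults": "https", "https": "https"}
# Credential fields that must never appear in plain text in logs or task output.
SECRET_FIELDS = {"secret_id", "token", "client_secret", "password", "radius_secret"}


def parse_vault_conn_uri(uri: str) -> dict:
    """Hypothetical helper: derive hook settings from a vault:// style connection URI."""
    parts = urlsplit(uri)
    if parts.scheme not in SCHEME_TO_PROTOCOL:
        raise ValueError(f"unsupported URL schema {parts.scheme!r}")
    extras = {k: v[-1] for k, v in parse_qs(parts.query).items()}  # extras live in the query
    auth_type = extras.get("auth_type", "token")  # docstring default
    if auth_type not in CREDENTIAL_NAMES:
        raise ValueError(f"unknown auth_type {auth_type!r}")
    login_name, password_name = CREDENTIAL_NAMES[auth_type]
    creds = {}
    if login_name and parts.username:
        creds[login_name] = unquote(parts.username)
    if parts.password:
        creds[password_name] = unquote(parts.password)
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    return {
        "url": f"{SCHEME_TO_PROTOCOL[parts.scheme]}://{host}",
        "mount_point": parts.path.strip("/") or "secret",  # default mount point
        "kv_engine_version": int(extras.get("kv_engine_version", 2)),
        "auth_type": auth_type,
        "credentials": creds,
    }


def redacted(settings: dict) -> dict:
    """Copy of parsed settings with secret credential values masked, for logging."""
    safe = dict(settings)
    safe["credentials"] = {n: ("***" if n in SECRET_FIELDS else v) for n, v in settings["credentials"].items()}
    return safe
```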

param vault_conn_id

The id of the connection to use

param auth_type

Authentication Type for the Vault. Default is token. Available values are: (‘approle’, ‘github’, ‘gcp’, ‘kubernetes’, ‘ldap’, ‘token’, ‘userpass’)

param auth_mount_point

Defines the mount_point for the chosen authentication method. Default depends on the authentication method used.

param kv_engine_version

Select the version of the engine to run (1 or 2). Defaults to the version defined in the connection, or 2 if not defined in the connection.

param role_id

Role ID for aws_iam Authentication.

param kubernetes_role

Role for Authentication (for kubernetes auth_type)

param kubernetes_jwt_path

Path for kubernetes jwt token (for kubernetes auth_type, default: /var/run/secrets/kubernetes.io/serviceaccount/token)

param token_path

Path to a file containing the authentication token to include in requests sent to Vault (for token and github auth_type).

param gcp_key_path

Path to Google Cloud Service Account key file (JSON) (for gcp auth_type). Mutually exclusive with gcp_keyfile_dict.

param gcp_scopes

Comma-separated string containing OAuth2 scopes (for gcp auth_type)

param azure_tenant_id

The tenant id for the Azure Active Directory (for azure auth_type)

param azure_resource

The configured URL for the application registered in Azure Active Directory (for azure auth_type)

param radius_host

Host for radius (for radius auth_type)

param radius_port

Port for radius (for radius auth_type)
