This plugin provides a possibility to fetch secrets from a Vault server and use them as Rudder variables directly on the agent. The Rudder server itself does not need to have access to the Vault.


  • Edit the configuration file in /var/rudder/plugin-resources/vault.json on each agent. This config file must contain the address of your Vault server, credentials to access it and the auth mode you want to use. A sample config is in share/plugins/vault/sample_vault.json.


Use the Variable from vault generic method in Rudder to fetch secrets. Make sure the agents the generic method is being used on have a proper vault.json configuration. A sample config is provided at /opt/rudder/share/plugins/vault/sample_vault.json. This file needs your Vault server address, the configuration for at least one auth mode, and the name of the auth mode to be used. Auth modes can be token, userpass or tls.

← Known issues Installation →