
Vault Dynamic Secret

The VaultDynamicSecret Generator provides an interface to HashiCorp Vault's secrets engines. Specifically, it enables obtaining dynamic secrets (credentials or certificates that Vault creates on request, such as a certificate issued by the PKI engine) that the HashiCorp Vault provider does not cover.

Any Vault authentication method supported by the provider can be used here; it is configured in the provider block of the spec, with the same fields the provider uses.

Any secrets engine should work: set path, method and parameters in the Generator spec to match the engine's API endpoint (see the examples below). The path is the logical path you would pass to vault read or vault write, without the /v1 API prefix.

The exact output keys and values depend on the secrets engine used; nested values are stored in the resulting Secret serialised as JSON. By default the generator exposes the data section of the Vault API response. To change this, set the resultType key: "Data" (the default), "Auth" for the auth section of token-style responses, or "Raw" for the whole response body.

Passing parameters

  • parameters is a JSON body sent on write methods (POST, PUT, etc.) and supports arbitrary nested JSON. It is ignored on GET and LIST.
  • getParameters is a map[string][]string sent as the query string on GET calls. Each key may map to multiple values, matching HTTP query-string semantics. It is ignored for non-GET methods.
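To make the request-building and result-selection rules concrete, here is an added Go example that is not part of External Secrets Operator's own code: it mimics what the generator does with path, method, parameters, getParameters and resultType. The Spec type and the functions NewVaultRequest and ExtractResult are our own names (assumptions, not ESO APIs), and the Vault response used in main is constructed sample data rather than output from a real server.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// Spec holds the fields of the VaultDynamicSecret spec that decide how the
// request is built and which part of the response is kept. The field names
// follow the spec's keys; the type itself is an assumption of this example.
type Spec struct {
	Path          string
	Method        string
	Parameters    map[string]any      // JSON body for write methods
	GetParameters map[string][]string // query string for GET
	ResultType    string              // "Data" (default), "Auth" or "Raw"
}

// NewVaultRequest builds the HTTP request implied by the spec: the logical
// path is placed under Vault's /v1 API root, write methods carry Parameters
// as a JSON body, GET carries GetParameters as the query string, and LIST
// carries neither. The token is supplied by the caller (assumed already
// obtained through the provider's auth method).
func NewVaultRequest(server, token string, s Spec) (*http.Request, error) {
	method := strings.ToUpper(s.Method)
	if method == "" {
		method = "GET"
	}
	u, err := url.Parse(strings.TrimRight(server, "/") + "/v1/" + strings.TrimLeft(s.Path, "/"))
	if err != nil {
		return nil, err
	}
	var body io.Reader
	switch method {
	case "GET":
		q := u.Query()
		for k, vs := range s.GetParameters {
			for _, v := range vs {
				q.Add(k, v) // repeated keys become repeated query fields
			}
		}
		u.RawQuery = q.Encode()
	case "LIST":
		// Vault's LIST verb takes neither a body nor query parameters here.
	default:
		b, err := json.Marshal(s.Parameters) // parameters only matter on writes
		if err != nil {
			return nil, err
		}
		body = bytes.NewReader(b)
	}
	req, err := http.NewRequest(method, u.String(), body)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	if body != nil {
		req.Header.Set("Content-Type", "application/json")
	}
	return req, nil
}

// ExtractResult keeps the section of a Vault response selected by resultType
// and flattens it the way the page describes: string values become plain
// bytes, anything nested is serialised to JSON.
func ExtractResult(resp []byte, resultType string) (map[string][]byte, error) {
	var full map[string]any
	if err := json.Unmarshal(resp, &full); err != nil {
		return nil, fmt.Errorf("decoding Vault response: %w", err)
	}
	var section map[string]any
	switch resultType {
	case "", "Data":
		section, _ = full["data"].(map[string]any)
	case "Auth":
		section, _ = full["auth"].(map[string]any)
	case "Raw":
		section = full
	default:
		return nil, fmt.Errorf("unknown resultType %q", resultType)
	}
	if section == nil {
		return nil, fmt.Errorf("response has no section for resultType %q", resultType)
	}
	out := make(map[string][]byte, len(section))
	for k, v := range section {
		if str, ok := v.(string); ok {
			out[k] = []byte(str)
			continue
		}
		b, err := json.Marshal(v)
		if err != nil {
			return nil, err
		}
		out[k] = b
	}
	return out, nil
}

func main() {
	// Constructed sample: the PKI manifest from this page and a made-up
	// response shaped like pki/issue output (placeholder PEM, not a real cert).
	pki := Spec{Path: "/pki/issue/example-dot-com", Method: "POST",
		Parameters: map[string]any{"common_name": "localhost", "ip_sans": "127.0.0.1,127.0.0.11"}}
	req, _ := NewVaultRequest("http://vault.default.svc.cluster.local:8200", "hvs.example", pki)
	body, _ := io.ReadAll(req.Body)
	fmt.Println(req.Method, req.URL, string(body))

	resp := []byte(`{"data":{"certificate":"-----BEGIN CERTIFICATE-----...","ca_chain":["-----BEGIN CERTIFICATE-----..."],"expiration":1700000000}}`)
	out, _ := ExtractResult(resp, "Data")
	for k, v := range out {
		fmt.Printf("%s=%s\n", k, v)
	}
}
```

Note how the two parameter fields never mix: a POST spec that also sets getParameters sends no query string, and a GET spec that also sets parameters sends no body. With resultType "Data" on a KV v2 read the Secret gets a data key holding a JSON object, not the individual key/value pairs, which is the nesting behaviour described above.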

Example manifest

Write method (POST) with a JSON body:

apiVersion: generators.external-secrets.io/v1alpha1
kind: VaultDynamicSecret
metadata:
  name: "pki-example"
spec:
  path: "/pki/issue/example-dot-com"
  method: "POST"
  parameters:
    common_name: "localhost"
    ip_sans: "127.0.0.1,127.0.0.11"
  resultType: "Data"  # "Auth" and "Raw" are also available
  provider:
    # For production, always use "https" and configure the provider's TLS parameters accordingly.
    server: "http://vault.default.svc.cluster.local:8200"
    auth:
      kubernetes:
        mountPath: "kubernetes"
        role: "external-secrets-operator"
        # Prefer a dedicated ServiceAccount bound to a narrowly scoped Vault role over the namespace's default one.
        serviceAccountRef:
          name: "default"

GET method with query-string parameters:

apiVersion: generators.external-secrets.io/v1alpha1
kind: VaultDynamicSecret
metadata:
  name: "vault-get-example"
spec:
  path: "/kv/data/example"
  method: "GET"
  # Query string parameters for GET calls (each key may map to multiple values).
  # These are ignored for non-GET methods; use `parameters` for write bodies.
  getParameters:
    version:
    - "1"
  resultType: "Data"  # "Auth" and "Raw" are also available
  provider:
    # For production, always use "https" and ensure the additional TLS parameters are configured accordingly.
    server: "http://vault.default.svc.cluster.local:8200"
    auth:
      kubernetes:
        mountPath: "kubernetes"
        role: "external-secrets-operator"
        serviceAccountRef:
          name: "default"

Example ExternalSecret that references the Vault generator:

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: "pki-example-com"
spec:
  # 32 days. The generator runs again on every refresh (here: a new certificate is issued),
  # so keep this shorter than the TTL configured on the Vault PKI role or the Secret will hold an expired certificate.
  refreshInterval: "768h0m0s"
  target:
    name: pki-example-com
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: VaultDynamicSecret
        name: "pki-example"