Skip to content

Vault Dynamic Secret

The VaultDynamicSecret Generator provides an interface to HashiCorp Vault's Secrets engines. Specifically, it enables obtaining dynamic secrets not covered by the HashiCorp Vault provider.

Any Vault authentication method supported by the provider can be used here (provider block of the spec).

All secrets engines should be supported by providing matching path, method and parameters values to the Generator spec (see example below).

Exact output keys and values depend on the Vault secret engine used; nested values are stored into the resulting Secret in JSON format.

Example manifest

apiVersion: generators.external-secrets.io/v1alpha1
kind: VaultDynamicSecret
metadata:
  name: "pki-example"
spec:
  path: "/pki/issue/example-dot-com"
  method: "POST"
  parameters:
    common_name: "localhost"
    ip_sans: "127.0.0.1,127.0.0.11"
  provider:
    server: "http://vault.default.svc.cluster.local:8200"
    auth:
      kubernetes:
        mountPath: "kubernetes"
        role: "external-secrets-operator"
        serviceAccountRef:
          name: "default"

Example ExternalSecret that references the Vault generator:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: "pki-example-com"
spec:
  refreshInterval: "768h"
  target:
    name: pki-example-com
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: VaultDynamicSecret
        name: "pki-example"