ContextQMD
Back to Packer

`vault` Function

website/content/docs/templates/hcl_templates/functions/contextual/vault.mdx

1.15.33.1 KB
Original Source

⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️

[!IMPORTANT]
Documentation Update: Product documentation previously located in /website has moved to the hashicorp/web-unified-docs repository, where all product documentation is now centralized. Please make contributions directly to web-unified-docs, since changes to /website in this repository will not appear on developer.hashicorp.com. ⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️

vault Function

Retrieves secrets from a HashiCorp Vault KV store. Packer can read secrets from and add them to your template as user variables. The vault function is available only within the default value of a user variable, allowing you to default a user variable to a vault secret.

Refer to the Vault documentation for additional information about the Vault KV store.

An example of using a v2 kv engine:

If you store a value in vault using vault kv put secret/hello foo=world, you can access it using the following:

hcl
locals {
    foo = vault("/secret/data/hello", "foo")
}

which will assign local.foo with the value "world"

An example of using a v1 kv engine:

If you store a value in vault using:

vault secrets enable -version=1 -path=secrets kv
vault kv put secrets/hello foo=world

You can access it using the following:

hcl
locals {
    foo = vault("secrets/hello", "foo")
}

This example accesses the Vault path secret/foo and returns the value stored at the key foo, storing it as the local variable local.foo.

If the Vault secret contains a highly sensitive value the local block, not to be confused with the locals block, can be used to mark the value as sensitive.

hcl
local "foo" {
    expression = vault("secrets/hello", "foo")
    sensitive  = true
}

The local block example accesses the Vault path secrets/foo and returns the value stored at the key foo, storing it as the local variable local.foo. However, the output of the newly stored local variable will be filtered from the Packer build output, and replaced with the value <sensitive>. See Local Values for more details.

Usage

In order for the Vault function to work, you must set the environment variables VAULT_TOKEN and VAULT_ADDR to valid values.

-> NOTE: HCL functions can be used in local variable definitions or inline with a provisioner/post-processor. They cannot be used in global variable definitions.

The api tool we use allows for more custom configuration of the Vault client via environment variables.

The full list of available environment variables is:

text
"VAULT_ADDR"
"VAULT_AGENT_ADDR"
"VAULT_CACERT"
"VAULT_CAPATH"
"VAULT_CLIENT_CERT"
"VAULT_CLIENT_KEY"
"VAULT_CLIENT_TIMEOUT"
"VAULT_SKIP_VERIFY"
"VAULT_NAMESPACE"
"VAULT_TLS_SERVER_NAME"
"VAULT_WRAP_TTL"
"VAULT_MAX_RETRIES"
"VAULT_TOKEN"
"VAULT_MFA"
"VAULT_RATE_LIMIT"

and detailed documentation for usage of each of those variables can be found here.