101 lines
3.5 KiB
Markdown
101 lines
3.5 KiB
Markdown
---
|
|
title: Store secrets in Vault
|
|
description: Use Vault as an InfluxDB secret store and manage secrets through the in InfluxDB API.
|
|
influxdb/v2/tags: [secrets, security]
|
|
menu:
|
|
influxdb_v2:
|
|
parent: Manage secrets
|
|
weight: 306
|
|
aliases:
|
|
- /influxdb/v2/security/secrets/use-vault/
|
|
---
|
|
|
|
[Vault](https://www.vaultproject.io/) secures, stores, and controls access
|
|
to tokens, passwords, certificates, and other sensitive secrets.
|
|
Store sensitive secrets in Vault using InfluxDB's built-in Vault integration.
|
|
|
|
To store secrets in Vault, complete the following steps:
|
|
|
|
1. [Start a Vault server](#start-a-vault-server).
|
|
2. [Provide Vault server address and token](#provide-vault-server-address-and-token).
|
|
3. [Start InfluxDB](#start-influxdb).
|
|
4. [Manage secrets through the InfluxDB API](#manage-secrets-through-the-influxdb-api).
|
|
|
|
## Start a Vault server
|
|
|
|
Start a Vault server and ensure InfluxDB has network access to the server.
|
|
|
|
The following links provide information about running Vault in both development and production:
|
|
|
|
- [Install Vault](https://learn.hashicorp.com/vault/getting-started/install)
|
|
- [Start a Vault dev server](https://learn.hashicorp.com/vault/getting-started/dev-server)
|
|
- [Deploy Vault](https://learn.hashicorp.com/vault/getting-started/deploy)
|
|
|
|
{{% note %}}
|
|
InfluxDB supports the [Vault KV Secrets Engine Version 2 API](https://www.vaultproject.io/api/secret/kv/kv-v2.html) only.
|
|
When you create a secrets engine, enable the `kv-v2` version by running:
|
|
|
|
```js
|
|
vault secrets enable kv-v2
|
|
```
|
|
{{% /note %}}
|
|
|
|
For this example, install Vault on your local machine and start a Vault dev server.
|
|
|
|
```sh
|
|
vault server -dev
|
|
```
|
|
|
|
## Provide Vault server address and token
|
|
|
|
Use `influxd` Vault-related tags or [Vault environment variables](https://www.vaultproject.io/docs/commands/index.html#environment-variables)
|
|
to provide connection credentials and other important Vault-related information to InfluxDB.
|
|
|
|
### Required credentials
|
|
|
|
#### Vault address
|
|
|
|
Provide the API address of your Vault server _(available in the Vault server output)_
|
|
using the [`--vault-addr` flag](/influxdb/v2/reference/config-options/#vault-addr) when
|
|
starting `influxd` or with the `VAULT_ADDR` environment variable.
|
|
|
|
#### Vault token
|
|
|
|
Provide your [Vault token](https://learn.hashicorp.com/vault/getting-started/authentication)
|
|
(required to access your Vault server) using the [`--vault-token` flag](/influxdb/v2/reference/config-options/#vault-token)
|
|
when starting `influxd` or with the `VAULT_TOKEN` environment variable.
|
|
|
|
_Your Vault server configuration may require other Vault settings._
|
|
|
|
## Start InfluxDB
|
|
|
|
Start the [`influxd` service](/influxdb/v2/reference/cli/influxd/) with the `--secret-store`
|
|
option set to `vault` any other necessary flags.
|
|
|
|
```bash
|
|
influxd --secret-store vault \
|
|
--vault-addr=http://127.0.0.1:8200 \
|
|
--vault-token=s.0X0XxXXx0xXxXXxxxXxXxX0x
|
|
```
|
|
|
|
`influxd` includes the following Vault configuration options.
|
|
If set, these flags override any [Vault environment variables](https://www.vaultproject.io/docs/commands/index.html#environment-variables):
|
|
|
|
- `--vault-addr`
|
|
- `--vault-cacert`
|
|
- `--vault-capath`
|
|
- `--vault-client-cert`
|
|
- `--vault-client-key`
|
|
- `--vault-max-retries`
|
|
- `--vault-client-timeout`
|
|
- `--vault-skip-verify`
|
|
- `--vault-tls-server-name`
|
|
- `--vault-token`
|
|
|
|
For more information, see [InfluxDB configuration options](/influxdb/v2/reference/config-options/).
|
|
|
|
## Manage secrets through the InfluxDB API
|
|
|
|
Use the InfluxDB `/org/{orgID}/secrets` API endpoint to add tokens to Vault.
|
|
For details, see [Manage secrets](/influxdb/v2/admin/secrets/manage-secrets/).
|