Store secrets in Vault
Use Vault as an InfluxDB secret store and manage secrets through the InfluxDB API.
Vault secures, stores, and controls access to tokens, passwords, certificates, and other sensitive secrets. Store sensitive secrets in Vault using InfluxDB's built-in Vault integration.
To store secrets in Vault, complete the following steps:
- Start a Vault server.
- Provide Vault server address and token.
- Start InfluxDB.
- Manage secrets through the InfluxDB API.
Start a Vault server
Start a Vault server and ensure InfluxDB has network access to the server.
The following links provide information about running Vault in both development and production:
[!Note] InfluxDB supports the Vault KV Secrets Engine Version 2 API only. When you create a secrets engine, enable the kv-v2 version by running:
vault secrets enable kv-v2
For this example, install Vault on your local machine and start a Vault dev server.
vault server -dev
Provide Vault server address and token
Use influxd Vault-related flags or Vault environment variables to provide connection credentials and other important Vault-related information to InfluxDB.
Required credentials
Vault address
Provide the API address of your Vault server (available in the Vault server output) using the --vault-addr flag when starting influxd or with the VAULT_ADDR environment variable.
Vault token
Provide your Vault token (required to access your Vault server) using the --vault-token flag when starting influxd or with the VAULT_TOKEN environment variable.
Your Vault server configuration may require other Vault settings.
Start InfluxDB
Start the influxd service with the --secret-store option set to vault and any other necessary flags. For example, enter the following command:
influxd --secret-store vault \
  --vault-addr=http://127.0.0.1:8200 \
  --vault-token="$VAULT_TOKEN"
influxd includes the following Vault configuration options. If set, these flags override any Vault environment variables:
--vault-addr
--vault-cacert
--vault-capath
--vault-client-cert
--vault-client-key
--vault-max-retries
--vault-client-timeout
--vault-skip-verify
--vault-tls-server-name
--vault-token
For more information, see InfluxDB configuration options.
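The following preflight is an added example, not part of the InfluxDB documentation. It checks the Vault environment variables described above before starting influxd, and passes the token through VAULT_TOKEN rather than --vault-token because command-line arguments are visible in process listings. The function names vault_preflight and start_influxd are hypothetical.

```shell
#!/bin/sh
# Added example: preflight for the Vault settings influxd reads from the
# environment. Function names are hypothetical, not part of InfluxDB or Vault.

# Print one finding per line; return 1 if any finding is blocking.
vault_preflight() {
    rc=0
    [ -n "${VAULT_ADDR:-}" ]  || { echo "FAIL: VAULT_ADDR is not set"; rc=1; }
    [ -n "${VAULT_TOKEN:-}" ] || { echo "FAIL: VAULT_TOKEN is not set"; rc=1; }

    case "${VAULT_ADDR:-}" in
        "") ;;  # already reported above
        *@*)
            echo "FAIL: VAULT_ADDR contains userinfo (@)"; rc=1 ;;
        https://*) ;;
        http://127.0.0.1|http://127.0.0.1:*|http://localhost|http://localhost:*)
            echo "WARN: plaintext HTTP to loopback, acceptable for a dev server only" ;;
        http://*)
            echo "FAIL: plaintext HTTP to a non-loopback Vault exposes the token in transit"; rc=1 ;;
        *)
            echo "FAIL: VAULT_ADDR must start with http:// or https://"; rc=1 ;;
    esac

    # VAULT_SKIP_VERIFY is Vault's environment counterpart of --vault-skip-verify.
    case "${VAULT_SKIP_VERIFY:-}" in
        1|t|T|true|TRUE|True)
            echo "FAIL: VAULT_SKIP_VERIFY disables TLS certificate verification"; rc=1 ;;
    esac
    return "$rc"
}

# Start influxd only when the preflight passes. The token stays in the
# environment, so it never appears in the influxd argument list.
start_influxd() {
    vault_preflight || return 1
    export VAULT_ADDR VAULT_TOKEN
    exec influxd --secret-store vault
}
```

Source the file and call start_influxd after setting VAULT_ADDR and VAULT_TOKEN in the service environment.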
Manage secrets through the InfluxDB API
Use the InfluxDB /org/{orgID}/secrets API endpoint to add tokens to Vault.
For details, see Secrets.