HashiCorp Vault Secrets Manager

How to store secrets in HashiCorp Vault
The HashiCorp Vault secrets manager is a secrets manager flavor provided with the ZenML vault integration that uses HashiCorp Vault to store secrets.

When to use it

You should use the HashiCorp Vault secrets manager if:
  • a component of your stack requires a secret for authentication, or you want to use secrets inside your steps.
  • you're already using HashiCorp Vault to store your secrets or want a self-hosted secrets solution.

How to deploy it

To get started with this secrets manager, you need to either:
Once you have chosen and finished setting up one of the two solutions, you need to enable the KV Secrets Engine - Version 2.

How to use it

To use the Vault secrets manager, we need:
  • The ZenML vault integration installed. If you haven't done so, run
    zenml integration install vault
  • The Vault server URL and KV Secrets Engine v2 endpoint.
  • A client token to authenticate with the Vault server. Follow this tutorial to generate one.
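The KV v2 mount and client token listed above can be provisioned with a narrowly scoped policy instead of a root token. The script below is an added example, not taken from the ZenML or Vault documentation. The mount path `secret`, the path prefix `zenml`, the policy name `zenml-secrets` and the 24h TTL are assumptions to adapt to your deployment.

```shell
#!/bin/sh
# Added example: least-privilege Vault token for one KV v2 mount.
# MOUNT, PREFIX and POLICY are assumed placeholder values, not ZenML defaults.
set -eu

MOUNT="${MOUNT:-secret}"        # path where the KV v2 engine is mounted
PREFIX="${PREFIX:-zenml}"       # sub-path reserved for this secrets manager
POLICY="${POLICY:-zenml-secrets}"

# Print a policy restricted to one prefix ($2) under a KV v2 mount ($1).
# KV v2 splits its API: secret values are served under <mount>/data/...,
# while key listing and full deletion go through <mount>/metadata/....
# A KV v1 style rule on "<mount>/<prefix>/*" matches neither of them.
render_policy() {
  cat <<EOF
path "$1/data/$2/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "$1/metadata/$2/*" {
  capabilities = ["list", "read", "delete"]
}
EOF
}

# Enable the engine, install the policy, and print a token bound to it.
# Requires VAULT_ADDR and an operator token in the environment.
provision() {
  vault secrets enable -path="$MOUNT" -version=2 kv
  render_policy "$MOUNT" "$PREFIX" | vault policy write "$POLICY" -
  vault token create -policy="$POLICY" -ttl=24h -field=token
}

# "apply" talks to the Vault server; anything else only prints the policy.
if [ "${1:-}" = "apply" ]; then
  provision
else
  render_policy "$MOUNT" "$PREFIX"
fi
```

Run with `apply`, the script prints the token to pass as `--token` when registering the secrets manager; the token expires after its TTL unless it is renewed.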
We can then register the secrets manager and use it in our active stack:
zenml secrets-manager register <NAME> \
    --flavor=vault \
    --token=<VAULT_TOKEN>

# Add the secrets manager to the active stack
zenml stack update -x <NAME>
You can use secret scoping with the Vault Secrets Manager to manage multiple Secrets Manager namespaces on top of a single Vault service instance.
A concrete example of using the HashiCorp Vault secrets manager can be found here.
For more information and a full list of configurable attributes of the HashiCorp Vault secrets manager, check out the API Docs.