Comment on page

HashiCorp Vault Secrets Manager

How to store secrets in HashiCorp Vault

This is an older version of the ZenML documentation. To read and view the latest version please visit this up-to-date URL.
The HashiCorp Vault secrets manager is a secrets manager flavor provided with the ZenML vault integration that uses HashiCorp Vault to store secrets.
When to use it
You should use the HashiCorp Vault secrets manager if:
a component of your stack requires a secret for authentication or you want to use secrets inside your steps.
you're already using HashiCorp Vault to store your secrets or want a self-hosted secrets solution.
How to deploy it
To get started with this secrets manager, you need to either:
​self-host a Vault server​
​register for the managed HashiCorp Cloud Platform Vault​
Once you decided and finished setting up one of the two solutions, you need to enable the KV Secrets Engine - Version 2.
How to use it
To use the Vault secrets manager, we need:
The ZenML vault integration installed. If you haven't done so, run
zenml integration install vault
The Vault server URL and KV Secrets Engine v2 endpoint.
A client token to authenticate with the Vault server. Follow this tutorial to generate one.
We can then register the secrets manager and use it in our active stack:
zenml secrets-manager register <NAME> \
    --flavor=vault \
    --url=<VAULT_SERVER_URL> \
    --token=<VAULT_TOKEN> \
    --mount_point=<PATH_TO_KV_V2_ENGINE>
​
# Add the secrets manager to the active stack
zenml stack update -x <NAME>
You can now register, update or delete secrets using the CLI or fetch secret values inside your steps.
You can use secret scoping with the Vault Secrets Manager to manage multiple Secrets Manager namespaces on top of a single Vault service instance.
A concrete example of using the HashiCorp Vault secrets manager can be found here.
For more information and a full list of configurable attributes of the HashiCorp Vault secrets manager, check out the API Docs.

Last modified 1mo ago