Public | Automated Build

Last pushed: a year ago
Short Description
Full Description

Vault Resource

Reads secrets from Vault.
It can also use the app-id method to authenticate.

It reads the value from path and puts it in a file that matches the path.

Source Configuration

  • url: Optional. The location of the Vault server. Defaults to https://vault.service.consul:8200.

  • role: Optional. The role to authenticate as. Defaults to concourse.

  • nonce: Optional. Client nonce whitelisted by Vault for this EC2 auth. Defaults to vault-concourse-nonce, which should probably be changed.

  • paths: Optional. If specified (as a list of glob patterns), only changes
    to the specified files will yield new versions from check.

  • expose_token: Optional. If specified, this option will expose the token to make it available to other resources

  • auth_method: Optional. By default will use the aws-ec2 method. If AppRole is specified, it will read the role_id and secret_id parameter to authenticate on the approle endpoint.

  • role_id: Optional. Use a specific role id to authenticate. This parameter is used only with auth_method: AppRole.

  • secret_id: Optional. Use a specific secret id to authenticate. This parameter is used only with auth_method: AppRole.

  • tls_skip_verify: Optional. Skips Vault SSL verification by exporting


Resource configuration using app-id authentication:

Add resource_types to your config:

- name: vault
  type: docker-image
    repository: gwelican/vault-secret
    tag: latest
- name: vault
  type: vault
    app_id: app_id
    user_id: user_id

Fetching secrets:

- get: vault
      - secret/build/git
      - secret/build/aws/s3


check: Check for new versions.

Essentially a noop, the current date is always returned as {"date": "$DATE"}

in: Read secrets from Vault

Reads secrets from Vault and stores them on disk as JSON files.

The path of the secret will match the path on disk - ie in the example above, vault/build/git.json and vault/build/aws/s3.json will be created.


  • paths: Required. List of paths to read from the Vault secret mount.
Docker Pull Command
Source Repository