Skip to main content

vault: Interacting with HashiCorp Vault

The vault functions allow you to interact with HashiCorp Vault in a more direct, request-oriented manner than the EKM plugin.


Example usage

If the secret secret/this/is/a/test stored in vault is a single key-value pair of foo=bar, then this could be queried as follows:

secret := vault.send({
"address": "",
"token": "devonlytoken",
"kv2_get": {
"mount_path": "secret",
"path": "this/is/a/test"
}) # => {"data": {"foo": "bar"}}


addressStringYesAddress of Vault server to send request to.
tokenStringYesToken to use for authentication.
cacheBoolNofalseCache the results of queries.
cache_durationIntegerNo60Duration (in seconds) to keep cached query results.
raise_errorBoolNotrueSee Errors


By default—and if raise_error is true—then an error returned will halt policy evaluation.

If raise_error is false, then the response object contains the error in an error key instead of its usual response.

"error": ...

Utility methods

Enterprise OPA comes with helper methods for using this builtin, and take its configuration from the environment variables VAULT_ADDRESS and VAULT_TOKEN: vault.secret and vault.secret_opts.

Both of these methods are available in Enterprise OPA at data.system.eopa.utils.vault.v1.env.

package example
import data.system.eopa.utils.vault.v1.env as vault

example_1 := vault.secret("secret/this/is/a/secret") # => {"foo": "bar"}

If you need to override the address or token and still want to use the convenient wrapper, use this:

package example
import data.system.eopa.utils.vault.v1.env as vault

vault_secret(path) := result {
result := vault.secret(path)
with vault.override.address as "localhost"
with vault.override.token as "dev-token-2"

example_2 := vault_secret("secret/this/is/a/secret")

Full control over the caching and error raising behavior is exposed via secret_opts:

package example
import data.system.eopa.utils.vault.v1.env as vault

example_3 := vault.secret_opts("a/b/c/d", {"cache": true, "cache_duration": "10s", "raise_error": false})