# Vault configuration

The integration stores secrets in the Vault KV Secrets Engine - Version 2. The credentials Kestra authenticates with must have full read and write policies on this secrets store. You can optionally change `root-engine` or `namespace` (if you are using Vault Enterprise).
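A Vault policy granting the read and write access described above, as an added example that is not part of the Kestra documentation. It assumes the KV v2 engine is mounted at `secret` (the default `root-engine` on this page); the exact paths Kestra writes under that mount are not stated here, so the policy covers the whole mount.

```hcl
# Added example, not Kestra's own policy.
# Assumption: KV v2 engine mounted at "secret" (the default root-engine).
# If root-engine is changed, replace "secret" in both paths with that mount.

# KV v2 serves secret values under <mount>/data/, not <mount>/ directly.
# A policy written for "secret/*" in KV v1 style does not behave the same
# way against a v2 mount, so both v2 prefixes are listed explicitly.
path "secret/data/*" {
  capabilities = ["create", "read", "update", "delete"]
}

# Key listing and version metadata live under <mount>/metadata/.
# "delete" here removes a key together with all of its versions.
path "secret/metadata/*" {
  capabilities = ["read", "list", "delete"]
}
```

Load it with `vault policy write <name> <file>` and attach it to the user, token or AppRole that Kestra authenticates as. Pointing `root-engine` at a mount used only by Kestra keeps this grant from reaching other applications' secrets.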

# Authentication

# Password authentication

We can use a Userpass Auth Method using the following configuration:

```yaml
kestra:
  secret:
    type: vault
    vault:
      address: "http://localhost:8200"
      password:
        user: john
        password: foo
```

# Token authentication

We can use a Token Auth Method using the following configuration:

```yaml
kestra:
  secret:
    type: vault
    vault:
      address: "http://localhost:8200"
      token:
        token: your-secret-token
```

# AppRole authentication

We can use an AppRole Auth Method using the following configuration:

```yaml
kestra:
  secret:
    type: vault
    vault:
      address: "http://localhost:8200"
      app-role:
        path: approle
        role-id: your-role-id
        secret-id: your-secret-id
```

# Other configurations

# kestra.secret.vault.address

The fully qualified address, with scheme and port, of your Vault instance.

# kestra.secret.vault.namespace

Optional. Sets a global namespace to the Vault server instance. Namespace support requires Vault Enterprise Pro.

# kestra.secret.vault.engine-version

Optional. Sets the KV Secrets Engine version of the Vault server instance. Default is `2`.

# kestra.secret.vault.root-engine

Optional. Sets the KV Secrets Engine of the Vault server instance. Default is `secret`.