Secrets sync
This feature requires Vault Enterprise(opens in new tab).
Beta feature
Beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production deployments of Vault
In certain circumstances, fetching secrets directly from Vault is impossible or impractical. To help with this challenge, Vault can maintain a one-way sync for KVv2 secrets into various destinations that are easier to access for some clients. With this, Vault remains the system of records but can cache a subset of secrets on various external systems acting as trusted last-mile delivery systems.
A secret that is associated from a Vault KVv2 Secrets Engine into an external destination is actively managed by a continuous process. If the secret value is updated in Vault, the secret is updated in the destination as well. If the secret is deleted from Vault, it is deleted on the external system as well. This process is asynchronous and event-based. Vault propagates modifications into the proper destinations automatically in a handful of seconds.
Destinations
Secrets can be synced into various external systems, called destinations. The supported destinations are:
Associations
Syncing a secret into one of the external systems is done by creating a connection between it and a destination, which is called an association. These associations are created via Vault's API by adding a KVv2 secret target to one of the configured destinations. Each association keeps track of that secret's current sync status, the timestamp of its last status change, and the error code of the last sync or unsync operation if it failed. Each destination can have any number of secret associations.
Sync statuses
There are several sync statuses which relay information about the outcome of the latest sync operation to have occurred on that secret. The status information is stored inside each association object returned by the endpoint and, upon failure, includes an error code describing the cause of the failure.
Status | Description |
---|---|
UNKNOWN | Vault is unable to determine the current state of the secret in regard to the external service. |
PENDING | An operation is queued for that secret and has not been processed yet. |
SYNCED | The sync operation was successful and sent the secret to the external destination. |
UNSYNCED | The unsync operation was successful and removed the secret from the external destination. |
INTERNAL_VAULT_ERROR | The operation failed due to an issue internal to Vault. |
CLIENT_SIDE_ERROR | The operation failed due to a configuration error such as invalid privileges. |
EXTERNAL_SERVICE_ERROR | The operation failed due to an issue with the external service such as a temporary downtime. |
Name template
By default, the name of synced secrets follows this format: vault/<accessor>/<secret-path>
. The casing and delimiters
may change according to the valid character set of each destination type. This pattern was chosen to prevent accidental
name collisions and to clearly identify where the secret is coming from.
Every destination allows you to customize this name pattern by configuring a secret_name_template
field to best suit
individual use cases. The templates use a subset of the go-template syntax for extra flexibility.
The following placeholders are available:
Placeholder | Description |
---|---|
DestinationType | The type of the destination, e.g. "aws-sm" |
DestinationName | The name of the destination |
NamespacePath | The full namespace path where the secret being synced is located |
NamespaceBaseName | The segment following the last / character from the full path |
NamespaceID | The internal unique ID identifying the namespace, e.g. RQegM |
MountPath | The full mount path where the secret being synced is located |
MountBaseName | The segment following the last / character from the full path |
MountAccessor | The internal unique ID identifying the mount, e.g. kv_1234 |
SecretPath | The full secret path |
SecretBaseName | The segment following the last / character from the full path |
SecretKey | The individual secret key being synced, only available if the destination uses the secret-key granularity |
Let's assume we want to sync the following secret:
Let's look at some name template examples and the resulting secret name at the sync destination.
Name template | Result |
---|---|
prefix-{{ .SecretPath }} | prefix-path/to/secret1 |
{{ .SecretBaseName | uppercase }} | SECRET1 |
{{ .MountAccessor }}_{{ .SecretKey }} | kv_1234_foo |
{{ .SecretPath | replace \"/\" \"_\" }} | path_to_secret1 |
Name templates can be updated. The new template is only effective for new secrets associated with the destination and does not affect the secrets synced with the previous template. It is possible to update an association to force a recreate operation. The secret synced with the old template will be deleted and a new secret using the new template version will be synced.
Sync granularity
Vault KV-v2 secrets are multi-value and their data is represented in JSON. Multi-value secrets are useful to bundle closely
related information together like a username & password pair. However, most secret management systems only support single-value
entries. Secrets sync allows you to choose the granularity that best suits your use case for each destination by specifying a granularity
field.
The secret-path
granularity syncs the entire JSON content of the Vault secret as a single entry at the destination. If
the destination does not support multi-value secret the JSON is encoded as a single-value JSON-string.
The secret-key
granularity syncs each Vault key-value pair as a distinct entry at the destination. If the value itself is a list or map
it is encoded as a JSON blob.
Granularity can be updated. The new granularity only affects secrets newly associated with the destination and does not modify the previously synced secrets. It is possible to update an association to force a recreate operation. The secret synced with the old granularity will be deleted and new secrets will be synced according to the new granularity.
API
Please see the secrets sync API for more details.