Store secrets in Vault
This page documents an earlier version of InfluxDB. InfluxDB v2.7 is the latest stable version. View this page in the v2.7 documentation.
Vault secures, stores, and controls access to tokens, passwords, certificates, and other sensitive secrets. Store sensitive secrets in Vault using InfluxDB’s built-in Vault integration.
To store secrets in Vault, complete the following steps:
- Start a Vault server.
- Provide Vault server address and token.
- Start InfluxDB.
- Manage secrets through the InfluxDB API.
Start a Vault server
Start a Vault server and ensure InfluxDB has network access to the server.
The following links provide information about running Vault in both development and production:
InfluxDB supports the Vault KV Secrets Engine Version 2 API only. When you create a secrets engine, enable the kv-v2
version by running:
vault secrets enable kv-v2
For this example, install Vault on your local machine and start a Vault dev server.
vault server -dev
Provide Vault server address and token
Use influxd
Vault-related tags or Vault environment variables to provide connection credentials and other important Vault-related information to InfluxDB.
Required credentials
Vault address
Provide the API address of your Vault server (available in the Vault server output) using the --vault-addr flag when starting influxd
or with the VAULT_ADDR
environment variable.
Vault token
Provide your Vault token (required to access your Vault server) using the --vault-token flag when starting influxd
or with the VAULT_TOKEN
environment variable.
Your Vault server configuration may require other Vault settings.
Start InfluxDB
Start the influxd service with the --secret-store
option set to vault
any other necessary flags.
influxd --secret-store vault \
--vault-addr=http://127.0.0.1:8200 \
--vault-token=s.0X0XxXXx0xXxXXxxxXxXxX0x
influxd
includes the following Vault configuration options. If set, these flags override any Vault environment variables:
--vault-addr
--vault-cacert
--vault-capath
--vault-client-cert
--vault-client-key
--vault-max-retries
--vault-client-timeout
--vault-skip-verify
--vault-tls-server-name
--vault-token
For more information, see InfluxDB configuration options.
Manage secrets through the InfluxDB API
Use the InfluxDB /org/{orgID}/secrets
API endpoint to add tokens to Vault. For details, see Manage secrets.