
Vault Source Plugin

Latest: v1.0.5

The CloudQuery Vault plugin pulls data from Vault and loads it into any supported CloudQuery destination (e.g. PostgreSQL, BigQuery, Snowflake, and more).

Authentication

The plugin needs to be authenticated in order to sync information from your Vault server.

The plugin requires only read permissions (we will never make any changes to your Vault server), so, following the principle of least privilege, it's recommended to grant it read-only permissions.

In order for CloudQuery to sync resources from your Vault server, you will need to obtain a Vault Token and configure the VAULT_TOKEN environment variable.

Example

This example syncs from Vault to a Postgres destination. The (top level) source spec section is described in the Source Spec Reference.

kind: source
# Common source-plugin configuration
spec:
  name: vault
  path: cloudquery/vault
  version: "v1.0.5"
  tables: ["*"]
  destinations: ["postgresql"]
  # Vault specific configuration
  spec:
    vault_address: "<YOUR_VAULT_ADDRESS_HERE>"
#    concurrency: 1000

Configuration Reference

This is the (nested) spec used by the Vault source plugin:

  • vault_address (string, required*): This is the address of the Vault server. This should be a complete URL (including the port) such as "http://localhost:8200".

  • concurrency (integer, optional. Default: 10000): Maximum number of concurrent requests to the Vault server.
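A pre-flight check for the nested spec and the VAULT_TOKEN requirement described above, written as an added example (it is not part of the plugin or of CloudQuery). The function names are hypothetical, and the plaintext-HTTP finding is an extra check beyond what this page requires: a token sent over http to a non-loopback host is readable in transit.

```python
import ipaddress
from urllib.parse import urlsplit


def _is_loopback(host: str) -> bool:
    """True for 'localhost' or a loopback IP literal (127.0.0.0/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name, not an IP literal
        return False


def check_vault_source(spec: dict, env: dict) -> list:
    """Return findings for the nested Vault spec; an empty list means it passed."""
    findings = []
    addr = str(spec.get("vault_address") or "")
    try:
        url = urlsplit(addr)
        port = url.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return [f"vault_address {addr!r} is not a parseable URL"]

    if url.scheme not in ("http", "https") or not url.hostname:
        findings.append(f"vault_address {addr!r} is not a complete URL")
    else:
        if port is None:
            findings.append("vault_address has no explicit port")
        if url.scheme == "http" and not _is_loopback(url.hostname):
            findings.append("plaintext http to a non-loopback host exposes VAULT_TOKEN in transit")

    if not env.get("VAULT_TOKEN"):
        findings.append("VAULT_TOKEN is not set in the environment")

    conc = spec.get("concurrency")
    if conc is not None and (isinstance(conc, bool) or not isinstance(conc, int) or conc < 1):
        findings.append("concurrency must be a positive integer")
    return findings


if __name__ == "__main__":
    import os
    # Constructed sample spec, mirroring the nested spec in the example above.
    sample = {"vault_address": "http://localhost:8200", "concurrency": 1000}
    for finding in check_vault_source(sample, dict(os.environ)):
        print("FAIL:", finding)
```
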

Query Examples

List the current auth methods with lease times

SELECT 
  path, type, config->'default_lease_ttl' as default_lease_ttl, config->'max_lease_ttl' as max_lease_ttl 
FROM 
  vault_sys_auths;