HashiCorp Vault pipeline integration

Use secrets from Vault in Codefresh pipelines

Codefresh can use secrets from your HashiCorp Vault installation. This way you have full control over secret storage and rotation.

This feature is for Enterprise accounts only.


  • Up and running Vault instance
    Codefresh supports HashiCorp Cloud Platform (HCP) Vault and self-managed Vault instances that run on the cloud, as well as behind the firewall (albeit with some differences in the authentication methods).

  • Authentication method to use.
    Codefresh supports the following methods:

Method Notes
Username/Password Available for SaaS and Hybrid versions
Access Token Available for SaaS and Hybrid versions
Kubernetes Only available with Codefresh Runner installation
Google Cloud Engine Only available with Codefresh Runner installation
App Role Available for SaaS and hybrid version with Runner

Set up HashiCorp Vault integration in the Codefresh UI

The name assigned to the integration must be unique within the account. Using the same name for other integrations or Shared Configuration contexts within pipelines will result in conflicts.
For troubleshooting, see Error: context already exists.

  1. In the Codefresh UI, on the toolbar, click the Settings icon, and then from the sidebar, select Pipeline Integrations.
  2. Select Secret Store and then click Configure.
  3. From the Add Provider dropdown, select Hashicorp vault.
  4. Do the following:
    • Name: A unique name for the integration which is referenced in codefresh.yaml.
    • If your Vault instance is behind a firewall, toggle Vault is behind a firewall to ON.
    • To allow only Codefresh admins to change the Vault configuration, toggle Allow access to all users to OFF.

      The other settings are specific to your Vault authentication method. Refer to the Vault documentation on how to get the required values.

HashiCorp-vault Secret

HashiCorp-vault Secret
  1. To apply the changes, click Save.

Set up HashiCorp Vault integration via Codefresh CLI

You can also create Vault integrations with the Codefresh CLI through the create context command.

The options available are identical to the UI settings.
For example, to create an integration with user/password authentication, you would run this command:

codefresh create context secret-store hashicorp-vault <my-integration> --sharing-policy AccountAdmins -app-url <http://vault.example.com> --username <my-user> --password <my-password>
<!— where:

  • is the name of the integration which is referenced in `codefresh.yaml`.
  • is the name of the integration which is referenced in `codefresh.yaml`. -->

Using the HashiCorp Vault secret

To use the Vault secrets in pipelines, see secrets for pipelines.
Because a secret in Vault can contain multiple key-value pairs, you will need to put in the key name as well, according to the syntax {secrets.vault-store-name.path/to/secret@key}.

Shared Configuration
Git integration for pipelines
Kubernetes integration for pipelines
Container registry integration for pipelines