Skip to main content
  1. Docs
  2. Secrets & Configuration
  3. Providers
  4. Secrets & config
  5. vault-secrets

vault-secrets

    The vault-secrets provider enables you to dynamically import Secrets from HashiCorp Vault into your Environment. The provider will return a map of names to Secrets.

    Example

    values:
      vault:
        login:
          fn::open::vault-login:
            address: https://127.0.0.1:8200/
            jwt:
              role: example-role
        secrets:
          fn::open::vault-secrets:
            login: ${vault.login}
            read:
              api-key:
                path: api-key
                # Read a single field so the output is a scalar value
                field: value
              app-secret:
                path: app-secret
                field: value
      pulumiConfig:
        apiKey: ${vault.secrets.api-key}
        appSecret: ${vault.secrets.app-secret}
    

    Schema reference

    Reference schemas last updated on 2026-07-11, synced automatically from the Pulumi Cloud ESC API.

    Inputs

    • login VaultSecretsLogin required
      Credentials used to log in to HashiCorp Vault.
    • address string required
      The URL of the vault server.
    • namespace string optional
      The namespace to use for the session.
    • token string required
      The ephemeral token generated for the session.
    • read map[string]VaultSecretsRead required
      A map from names to paths to read from the server. The outputs will map each name to the raw data for the value.
    • field string optional
      The field of the value to read.
    • path string required
      The path to read.

    Outputs

    A map from names to raw values as read from the server.

    Type: map[string]any

    Configuring OIDC

    To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Vault, see the OpenID Connect integration documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following:

    • pulumi env open <org>/<project>/<environment> command of the Pulumi CLI
    • pulumi env open <org>/<project>/<environment> command of the Pulumi CLI

    Make sure to replace <org>, <project>, and <environment> with the values of your Pulumi organization and environment identifier respectively. You should see output similar to the following:

    {
      "vault": {
        "login": {
          "address": "***",
          "token": "***"
        },
        "secrets": {
          "test1": {
            "data": {
              "keyA": "valA",
              "keyB": "valB"
            },
            "metadata": {
              "created_time": "2023-11-06T18:24:05.784222Z",
              "custom_metadata": null,
              "deletion_time": "",
              "destroyed": false,
              "version": 1
            }
          }
        }
      }
    }