# vault Function

Secrets can be read from Vault and used within your template as user variables. The `vault` function is available only within the default value of a user variable, allowing you to default a user variable to a Vault secret.

An example of using a v2 kv engine:

If you store a value in Vault using `vault kv put secret/hello foo=world`, you can access it using the following:

```hcl
locals {
    foo = vault("/secret/data/hello", "foo")
}
```

which will assign `local.foo` the value `"world"`.

An example of using a v1 kv engine:

If you store a value in vault using:

```shell
vault secrets enable -version=1 -path=secrets kv
vault kv put secrets/hello foo=world
```

You can access it using the following:

```hcl
locals {
    foo = vault("secrets/hello", "foo")
}
```

This example accesses the Vault path `secrets/hello` and returns the value stored at the key `foo`, storing it as the local variable `local.foo`.

If the Vault secret contains a highly sensitive value, the `local` block (not to be confused with the `locals` block) can be used to mark the value as sensitive.

```hcl
local "foo" {
    expression = vault("secrets/hello", "foo")
    sensitive  = true
}
```

The `local` block example accesses the Vault path `secrets/hello` and returns the value
stored at the key `foo`, storing it as the local variable `local.foo`. However, the value of
the newly stored local variable will be filtered from the Packer build output and replaced
with the string `<sensitive>`. See [Local Values](/docs/templates/hcl_templates/locals) for more details.
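A complete template that ties the pieces above together, added here as an example rather than taken from the Packer docs. It assumes the KV v1 engine mounted at `secrets` from the commands above, `VAULT_ADDR` and `VAULT_TOKEN` exported in the shell, and the Docker builder plugin; the `db_password` local and the `DB_PASSWORD` environment variable are hypothetical names chosen for illustration.

```hcl
# Added example (not from the Packer docs): read a KV v1 secret into a
# sensitive local and hand it to a provisioner without it reaching the logs.
# Assumes: VAULT_ADDR and VAULT_TOKEN are set, the KV v1 engine is mounted
# at "secrets", and `vault kv put secrets/hello foo=world` has been run.
packer {
  required_plugins {
    docker = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/docker"
    }
  }
}

# Plural `locals` block: the value is NOT redacted in build output.
locals {
  greeting_target = vault("secrets/hello", "foo")
}

# Singular `local` block: the value is replaced by <sensitive> in build output.
# Hypothetical name; reuses the same key purely so the example is self-contained.
local "db_password" {
  expression = vault("secrets/hello", "foo")
  sensitive  = true
}

source "docker" "ubuntu" {
  image  = "ubuntu:22.04"
  commit = true
}

build {
  sources = ["source.docker.ubuntu"]

  provisioner "shell" {
    # Pass the secret via the environment rather than interpolating it into
    # the script body, so it never appears in the rendered command line.
    environment_vars = ["DB_PASSWORD=${local.db_password}"]
    inline = [
      "test -n \"$DB_PASSWORD\" || exit 1",
      "echo \"hello, ${local.greeting_target}\"",
    ]
  }
}
```

Running `packer build` on this template prints `hello, world` from the non-sensitive local, while any line that would echo `local.db_password` shows `<sensitive>` instead.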


## Usage

In order for the Vault function to work, you must set the environment variables `VAULT_TOKEN`
and `VAULT_ADDR` to valid values.

-> **NOTE:** HCL functions can be used in local variable definitions or inline
with a provisioner/post-processor. They cannot be used in global variable definitions.

The Vault API client library that Packer uses allows further configuration of the Vault client via
environment variables.

The full list of available environment variables is:

```text
"VAULT_ADDR"
"VAULT_AGENT_ADDR"
"VAULT_CACERT"
"VAULT_CAPATH"
"VAULT_CLIENT_CERT"
"VAULT_CLIENT_KEY"
"VAULT_CLIENT_TIMEOUT"
"VAULT_SKIP_VERIFY"
"VAULT_NAMESPACE"
"VAULT_TLS_SERVER_NAME"
"VAULT_WRAP_TTL"
"VAULT_MAX_RETRIES"
"VAULT_TOKEN"
"VAULT_MFA"
"VAULT_RATE_LIMIT"
```

Detailed documentation for each of these variables can be found in the Vault API client documentation.
