1. Resources
  2. /
  3. Plugins
  4. /
  5. vault-key-value-buildkite-plugin

Vault Key/Value Buildkite Plugin

LintingTests
Build status-

This plugin enables pipelines to use secrets from a Hashicorp Vault instance (Key/Value Secrets Engine) as environment variables.

Pipeline steps can define multiple secrets that should be provided as environment variables to the subsequent hooks. Secrets have to be specified by their path and their key.

To authorize the access to Vault, this plugin provides 2 methods:

  • Use a preexisting token environment variable (VAULT_TOKEN). This could be injected by an agent environment hook for example.
  • Use a token that was written to a file. This is the appropriate method to authorize if you use the Vault Agent’s auto-auth method to keep a valid token on the build agent. To use this method, you have to specify the path to the token file using the plugin parameter token_file_path or using the environment variable BUILDKITE_PLUGIN_VAULT_KEY_VALUE_TOKEN_FILE_PATH.

In a pre-exit hook, this plugin also removes the exported environment variables, including VAULT_TOKEN.

Example

Single secret example

steps:
  - command: 'curl -H "Authorization: Bearer $API_ACCESS_TOKEN" https://api.example.com'
    plugins:
      - adabay/vault-key-value#v0.9.5:
          secret_path: "static/api_access_token"
          secret_key: "token"
          exported_env_variable_name: "API_ACCESS_TOKEN"

Multiple secrets example

steps:
  - command: 'echo $DOCKER_PASSWORD | docker login --username $DOCKER_USERNAME --password-stdin'
    plugins:
      - adabay/vault-key-value#v0.9.5:
          secrets:
          - secret_path: "static/docker/registry1"
            secret_key: "username"
            exported_env_variable_name: "DOCKER_USERNAME"
          - secret_path: "static/docker/registry1"
            secret_key: "password"
            exported_env_variable_name: "DOCKER_PASSWORD"

Configuration

token_file_path (string)

Use this parameter to specify the path to the file where the Vault Agent writes the token to. If not specified, the preexisting environment variable VAULT_TOKEN is used to authorize requests to Vault.

secrets (array)

If you want to export multiple secrets, you can use this array. Each entry in this array has to have the configuration properties that are listed below.

secret_path (string)

This parameter defines the path of a secret. If you only want to export a single secret, you can specify this parameter at the top-level of the plugin configuration (See single secret example). Otherwise, specify it for each entry in the secrets array.

secret_key (string)

Since there can be multiple key/value entries in a single secret, you have to specify the key of the entry that you want to export. This is done using this configuration parameter. If you only want to export a single secret, you can specify this parameter at the top-level of the plugin configuration (See single secret example). Otherwise, specify it for each entry in the secrets array.

exported_env_variable_name (string)

With this parameter you can define the name of the environment variable that you want to set to the value of the secret entry. If you only want to export a single secret, you can specify this parameter at the top-level of the plugin configuration (See single secret example). Otherwise, specify it for each entry in the secrets array.

Developing

To run the linter:

docker run -it --rm -v "${PWD}:/plugin:ro" buildkite/plugin-linter --id adabay/vault-key-value

The plugins listed on this webpage are provided for informational purposes only. They have not undergone any formal security review or assessment. While we strive to provide useful resources, we cannot guarantee the safety, reliability, or integrity of these plugins. Users are strongly advised to conduct their own security evaluations before downloading, installing, or using any plugin. By using these plugins, you acknowledge and accept any risks associated with their use. We disclaim any liability for any harm or damages arising from the use of the plugins listed.

Start turning complexity into an advantage

Create an account to get started with a 30-day free trial. No credit card required.

Buildkite Pipelines

Platform

  1. Pipelines
  2. Pipeline templates
  3. Public pipelines
  4. Test Engine
  5. Package Registries
  6. Mobile Delivery Cloud
  7. Pricing

Hosting options

  1. Self-hosted agents
  2. Mac hosted agents
  3. Linux hosted agents

Resources

  1. Docs
  2. Blog
  3. Changelog
  4. Webinars
  5. Plugins
  6. Case studies
  7. Events
  8. Migration Services
  9. Comparisons

Company

  1. About
  2. Careers
  3. Press
  4. Brand assets
  5. Contact

Solutions

  1. Replace Jenkins
  2. Workflows for AI/ML
  3. Testing at scale
  4. Monorepo mojo
  5. Bazel orchestration

Legal

  1. Terms of Service
  2. Acceptable Use Policy
  3. Privacy Policy
  4. Subprocessors
  5. Service Level Agreement

Support

  1. System status
  2. Forum
© Buildkite Pty Ltd 2025