Plugin management
External plugins are the components in Vault that can be implemented separately from Vault's built-in plugins. These plugins can be either authentication or secrets engines.
The api_addr
must be set in order for the plugin process to
establish communication with the Vault server during mount time. If the storage
backend has HA enabled and supports automatic host address detection (e.g.
Consul), Vault will automatically attempt to determine the api_addr
as well.
Detailed information regarding the plugin system can be found in the internals documentation.
Registering external plugins
Before an external plugin can be mounted, it needs to be registered in the plugin catalog to ensure the plugin invoked by Vault is authentic and maintains integrity:
Enabling/Disabling external plugins
After the plugin is registered, it can be mounted by specifying the registered plugin name:
Listing secrets engines will display secrets engines that are mounted as plugins:
Disabling an external plugins is identical to disabling a built-in plugin:
Upgrading plugins
Upgrade instructions can be found in the Upgrading Plugins - Guides page.