HashiCorp Developer AI Private beta now available Sign up today
Vault
Vault Home

You are viewing documentation for version v1.12.x. View latest version.

Plugin management

External plugins are the components in Vault that can be implemented separately from Vault's built-in plugins. These plugins can be either authentication or secrets engines.

The api_addr must be set in order for the plugin process to establish communication with the Vault server during mount time. If the storage backend has HA enabled and supports automatic host address detection (e.g. Consul), Vault will automatically attempt to determine the api_addr as well.

Detailed information regarding the plugin system can be found in the internals documentation.

Registering external plugins

Before an external plugin can be mounted, it needs to be registered in the plugin catalog to ensure the plugin invoked by Vault is authentic and maintains integrity:

$ vault plugin register -sha256=<SHA256 Hex value of the plugin binary> \
    secret \                  # type
    passthrough-plugin

Success! Registered plugin: passthrough-plugin

Enabling/Disabling external plugins

After the plugin is registered, it can be mounted by specifying the registered plugin name:

$ vault secrets enable -path=my-secrets passthrough-plugin
Success! Enabled the passthrough-plugin secrets engine at: my-secrets/

Listing secrets engines will display secrets engines that are mounted as plugins:

$ vault secrets list
Path         Type       Accessor            Plugin              Default TTL  Max TTL  Force No Cache  Replication Behavior  Description
my-secrets/  plugin     plugin_deb84140     passthrough-plugin  system       system   false           replicated

Disabling an external plugins is identical to disabling a built-in plugin:

$ vault secrets disable my-secrets

Upgrading plugins

Upgrade instructions can be found in the Upgrading Plugins - Guides page.