HashiCorp Vault

Use this provider when your organization already runs Vault and wants secret operations through KV v2.

Environment Variables

Variable	Required	Notes
`SECRETS_MANAGER_TYPE`	Yes	Set to `hashicorp_vault`.
`SECRETS_MANAGER_VAULT_ADDRESS`	Yes	Vault address, for example `https://vault.example.com`.
`SECRETS_MANAGER_VAULT_TOKEN`	Conditionally required	Use token auth, or use AppRole instead.
`SECRETS_MANAGER_VAULT_ROLE_ID`	Conditionally required	Required with `SECRETS_MANAGER_VAULT_SECRET_ID` for AppRole auth.
`SECRETS_MANAGER_VAULT_SECRET_ID`	Conditionally required	Required with `SECRETS_MANAGER_VAULT_ROLE_ID` for AppRole auth.
`SECRETS_MANAGER_VAULT_NAMESPACE`	Optional	Vault Enterprise namespace.
`SECRETS_MANAGER_VAULT_MOUNT_PATH`	Optional	KV v2 mount path. Defaults to `secret`.

Authentication behavior:

If SECRETS_MANAGER_VAULT_TOKEN is set, token auth is used.
Otherwise, ROLE_ID + SECRET_ID are required for AppRole login.

Create Vault Resources and Credentials

Ensure a KV v2 engine exists (example mount secret):

vault secrets enable -path=secret kv-v2

Create a policy for wonderful-secrets (example wonderful-secrets-policy):

path "secret/data/*" {
  capabilities = ["create", "read", "update"]
}

path "secret/metadata/*" {
  capabilities = ["delete"]
}

Choose auth mode:

Token mode:

vault token create -policy=wonderful-secrets-policy

AppRole mode:

vault auth enable approle
vault write auth/approle/role/wonderful-secrets token_policies="wonderful-secrets-policy"
vault read auth/approle/role/wonderful-secrets/role-id
vault write -f auth/approle/role/wonderful-secrets/secret-id

Collect values:
- Vault address from VAULT_ADDR or your Vault endpoint.
- Mount path (secret in the example above).
- Token or AppRole credentials.
- Namespace if running Vault Enterprise.

Map Credentials to Env Vars

Vault value	Env var
Vault address	`SECRETS_MANAGER_VAULT_ADDRESS`
Token	`SECRETS_MANAGER_VAULT_TOKEN`
AppRole Role ID	`SECRETS_MANAGER_VAULT_ROLE_ID`
AppRole Secret ID	`SECRETS_MANAGER_VAULT_SECRET_ID`
Namespace	`SECRETS_MANAGER_VAULT_NAMESPACE`
KV v2 mount path	`SECRETS_MANAGER_VAULT_MOUNT_PATH`

Local Switch Example

# env_files/secrets.env
SECRETS_MANAGER_TYPE=hashicorp_vault
SECRETS_MANAGER_VAULT_ADDRESS=https://vault.example.com
SECRETS_MANAGER_VAULT_TOKEN=<token>
SECRETS_MANAGER_VAULT_MOUNT_PATH=secret
# Optional
# SECRETS_MANAGER_VAULT_NAMESPACE=<namespace>

Restart wonderful-secrets after changing these values.

What to Verify

Ensure the mount path is KV v2.
Run the smoke test from Secret Managers.
Confirm secrets are written under the configured KV v2 mount.

Overview

SDK

Contact Center

Developer Documentation

Environment Variables

Create Vault Resources and Credentials

Map Credentials to Env Vars

Local Switch Example

What to Verify

Overview

SDK

Contact Center

Developer Documentation

​Environment Variables

​Create Vault Resources and Credentials

​Map Credentials to Env Vars

​Local Switch Example

​What to Verify

Environment Variables

Create Vault Resources and Credentials

Map Credentials to Env Vars

Local Switch Example

What to Verify