Build custom Vault plugins
All Vault auth methods and secrets engines are considered plugins. This simple concept allows both built-in and external plugins to be treated like Legos, and enabled at multiple paths.
This tutorial walks through the basic steps to build, register, and enable external plugins.
Note
See the Vault Integrations page to find a curated collection of official, partner, and community Vault plugins.
Plugins utilize the plugin system to enable third-party secrets engines and auth methods.
It is worth noting that even though database secrets engines operate under the same underlying plugin mechanism, they are slightly different in design than plugins demonstrated in this tutorial. The database secrets engine manages multiple plugins under the same backend mount point, whereas plugins are key-value backends that function as either secret or auth methods.
Tutorial setup
For the demonstration, this tutorial walks through the mock plugins available in the
hashicorp-education/learn-vault-plugins
GitHub repository.
Clone the hashicorp-education/learn-vault-plugins
repository.
Or download the repository.
Deploy a custom secrets plugin
There are vault-plugin-auth-mock
and vault-plugin-secrets-mock
directories
under learn-vault-plugins
. First, walk through the vault-plugin-secrets-mock
plugin
to learn the workflow.
All commands introduced in this tutorial can be run using the provided
Makefile. However, you are going to execute those commands manually to gain
a greater understanding of how Vault registers plugins. To use the make
command, refer to the README.
Compile vault-plugin-secrets-mock
Change the working directory to where the mock plugin is located.
Compile the plugin.
This compiles the
vault-plugin-secrets-mock
plugin and outputs the generated plugin in thevault/plugins/vault-plugin-secrets-mock
folder.
Start Vault
Start a Vault server in -dev
mode for demonstration. Also, set the
-dev-plugin-dir
to ./vault/plugins
which is where the
vault-plugin-secrets-mock
plugin is generated.
Insecure operation
Do not run a Vault dev server in production. This approach is only used here to simplify the unsealing process for this demonstration.
The output includes the following message:
Note
Read the Setup Vault section about specifying the plugin directory in the server configuration file.
Test the vault-plugin-secrets-mock plugin
The name of the plugin is vault-plugin-secrets-mock
and it is a custom secrets
engine.
Open another terminal session.
Set the
VAULT_ADDR
environmental variable.Login as root.
Enable the mock plugin.
Check that the
vault-plugin-secrets-mock
mock secrets engine is enabled atmock-secrets
.Each plugin responds to
read
,write
,list
, anddelete
as its own behavior. Let's test thevault-plugin-secrets-mock
secrets engine.Write some test data in key-value format.
Read the data.
You can disable the
vault-plugin-secrets-mock
secrets engine just like any other secrets engine.Enter Ctrl+C in the other terminal session to terminate the running Vault dev server.
Deploy a custom auth plugin
In this section, you will walk through the mock auth plugin,
vault-plugin-auth-mock
.
All commands introduced in this tutorial can be run using the provided
Makefile. However, you are going to execute those commands manually to gain
a greater understanding of how Vault registers plugins. To use the make
command, refer to the README.
Compile vault-plugin-auth-mock
Change the working directory to where the mock auth plugin is located.
Compile the plugin.
This compiles the
vault-plugin-auth-mock
plugin and outputs the generated plugin in thevault/plugins/vault-plugin-auth-mock
folder.
Start Vault
Start a Vault server in -dev
mode for demonstration. Also, set the
-dev-plugin-dir
to ./vault/plugins
which is where the
vault-plugin-auth-mock
plugin is generated.
The output includes the following message:
Note
Read the Setup Vault section about specifying the plugin directory in the server configuration file.
Test the vault-plugin-auth-mock plugin
The name of the plugin is vault-plugin-auth-mock
and it is a custom auth
method.
Set the VAULT_ADDR
environmental variable.
Login as root.
Enable the mock auth plugin.
Check that the vault-plugin-auth-mock
auth method is enabled at mock-auth
.
Test the vault-plugin-auth-mock plugin
Create a new user, john
with password, password
.
List to see that a user, john
was created.
Now, authenticate with Vault as john
.
You can disable the vault-plugin-auth-mock
auth method just like any other
auth methods.
Enter Ctrl+C to terminate the dev server that is running.
Setup Vault
The plugin directory is a configuration option of Vault, and can be specified in the configuration file. This setting specifies a directory that all plugin binaries must live. A plugin can not be added to Vault unless it exists in the plugin directory. There is no default for this configuration option, and if it is not set plugins can not be added to Vault.
Set
plugin_directory
to the desired path in the Vault configuration file. The path should exist and
have proper lockdown on access permissions.
Example:
Note
The Vault server looks for your custom plugin under plugin_directory
. Be
sure to move your custom plugins under this location.
If the Vault server is already running, you need to tell it to reload its configuration by sending SIGHUP. If you stop and start the Vault server, you need to unseal it again.
Register in plugin catalog
Calculate the SHA256 sum of the compiled plugin binary.
You can now view the calculated value.
Use the value to register the plugin using the Vault operator vault plugin
.
Enable plugin
Enabling the plugin varies depending on if it's a secrets engine or an auth method.
If it's a secrets engine:
If it's an auth method:
Help and reference
Visit the Custom Secrets Engines tutorials to walk through the end-to-end coding example.