InfluxDB Docs

Store secrets in Vault

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, and other sensitive secrets. Store sensitive secrets in Vault using the InfluxDB built-in Vault integration.

Start a Vault server

Start a Vault server and ensure InfluxDB has network access to the server.

The following links provide information about running Vault in both development and production:

InfluxDB supports the Vault KV Secrets Engine Version 2 API only. When you create a secrets engine, enable the kv-v2 version by running:

vault secrets enable kv-v2

For this example, install Vault on your local machine and start a Vault dev server.

vault server -dev

Define Vault environment variables

Use Vault environment variables to provide connection credentials and other important Vault-related information to InfluxDB.

Required environment variables

  • VAULT_ADDR: The API address of your Vault server (provided in the Vault server output).
  • VAULT_TOKEN: The Vault token required to access your Vault server.

Your Vault server configuration may require other environment variables.

export VAULT_ADDR='http://127.0.0.1:8200' VAULT_TOKEN='s.0X0XxXXx0xXxXXxxxXxXxX0x'

Start InfluxDB

Start the influxd service with the --secret-store option set to vault.

influxd --secret-store vault
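A preflight check for the two required variables, run before starting influxd. This is an added example, not part of the InfluxDB documentation; the function name vault_env_preflight and its return codes are hypothetical. It also refuses a plain http:// VAULT_ADDR unless the host is loopback (as with the local dev server above), because VAULT_TOKEN would otherwise be sent unencrypted.

```shell
# Added example (not InfluxDB code). vault_env_preflight is a hypothetical helper.
# Return codes: 0 ok, 1 VAULT_ADDR missing, 2 VAULT_TOKEN missing,
#               3 plaintext http to a non-loopback host, 4 unsupported scheme.
# The token value itself is never printed.
vault_env_preflight() {
    addr="${VAULT_ADDR:-}"
    token="${VAULT_TOKEN:-}"
    if [ -z "$addr" ]; then
        echo "VAULT_ADDR is not set" >&2
        return 1
    fi
    if [ -z "$token" ]; then
        echo "VAULT_TOKEN is not set" >&2
        return 2
    fi
    case "$addr" in
        https://*) return 0 ;;
        http://*)
            # Strip the scheme, then any path, to isolate host[:port].
            hostport="${addr#http://}"
            hostport="${hostport%%/*}"
            case "$hostport" in
                *@*) host="$hostport" ;;            # userinfo present: never treat as loopback
                "[::1]"|"[::1]:"*) host="::1" ;;    # bracketed IPv6 loopback
                *) host="${hostport%%:*}" ;;        # drop the port
            esac
            case "$host" in
                127.0.0.1|localhost|::1) return 0 ;;
                *)
                    echo "VAULT_ADDR uses http:// to a non-loopback host; the token would be sent unencrypted" >&2
                    return 3 ;;
            esac ;;
        *)
            echo "VAULT_ADDR must start with http:// or https://" >&2
            return 4 ;;
    esac
}

# Usage: start InfluxDB only if the check passes.
# vault_env_preflight && influxd --secret-store vault
```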

Manage tokens through the InfluxDB API

Use the InfluxDB /org/{orgID}/secrets API endpoint to add tokens to Vault. For details, see Manage secrets.