InfluxDB Docs

Store secrets in Vault

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, and other sensitive secrets. Store sensitive secrets in Vault using the InfluxDB built-in Vault integration.

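When not using Vault, secrets are Base64-encoded and stored in the InfluxDB embedded key value store, BoltDB. Base64 is an encoding, not encryption, so anyone who can read the BoltDB file can recover those secrets.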

Start a Vault server

Start a Vault server and ensure InfluxDB has network access to the server. The following links provide information about running Vault in both development and production:

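For this example, install Vault on your local machine and start a Vault dev server. A dev server keeps all data in memory, starts unsealed, and listens without TLS, so use it only for local testing.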

vault server -dev

Define Vault environment variables

Use Vault environment variables to provide connection credentials and other important Vault-related information to InfluxDB.

Required environment variables

  • VAULT_ADDR: The API address of your Vault server (provided in the Vault server output).
  • VAULT_TOKEN: The Vault token required to access your Vault server.

Your Vault server configuration may require other environment variables.

export VAULT_ADDR='http://127.0.0.1:8200' VAULT_TOKEN='s.0X0XxXXx0xXxXXxxxXxXxX0x'
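The check below is an added example, not part of the InfluxDB documentation or tooling: it verifies the two required variables before influxd is started and refuses a `VAULT_ADDR` that would send `VAULT_TOKEN` over plaintext HTTP to anything other than the local machine. The function name `check_vault_env` and its return codes are assumptions made for this illustration.

```shell
# Added example: gate influxd start-up on a sane Vault environment.
# check_vault_env is a hypothetical helper, not an InfluxDB or Vault command.
# Returns 0 = ok, 1 = variable missing, 2 = plaintext HTTP to a non-loopback
# host, 3 = unrecognised scheme.
check_vault_env() {
  cve_addr="${VAULT_ADDR:-}"
  if [ -z "$cve_addr" ] || [ -z "${VAULT_TOKEN:-}" ]; then
    echo "VAULT_ADDR and VAULT_TOKEN must both be set" >&2
    return 1
  fi

  case "${cve_addr%%://*}" in
    https) return 0 ;;
    http)  ;;
    *) echo "VAULT_ADDR must start with http:// or https://" >&2
       return 3 ;;
  esac

  # Reduce the URL to its host: drop scheme, path and userinfo, then the port.
  # Dropping userinfo stops "http://127.0.0.1:8200@remote-host" passing as local.
  cve_host="${cve_addr#*://}"
  cve_host="${cve_host%%/*}"
  cve_host="${cve_host##*@}"
  case "$cve_host" in
    \[*) ;;                              # bracketed IPv6 literal: keep as is
    *)   cve_host="${cve_host%%:*}" ;;   # strip ":port"
  esac

  case "$cve_host" in
    127.0.0.1|localhost|'[::1]'|'[::1]:'*)
      echo "note: plaintext HTTP to loopback, fine for a dev server only" >&2
      return 0 ;;
  esac
  echo "VAULT_ADDR is plaintext HTTP to $cve_host: VAULT_TOKEN would be readable on the network" >&2
  return 2
}

# Typical use (not run here):
#   check_vault_env && influxd --secret-store vault
```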

Start InfluxDB

Start the influxd service with the --secret-store option set to vault.

influxd --secret-store vault

Test Vault storage

With Vault and InfluxDB servers running, use the InfluxDB API to test Vault:

Replace <org-id> with your organization ID and YOURAUTHTOKEN with your InfluxDB authentication token.

Retrieve an organization’s secrets

curl --request GET \
  --url http://localhost:9999/api/v2/orgs/<org-id>/secrets \
  --header 'authorization: Token YOURAUTHTOKEN'

# should return
#  {
#    "links": {
#      "org": "/api/v2/orgs/031c8cbefe101000",
#      "secrets": "/api/v2/orgs/031c8cbefe101000/secrets"
#    },
#    "secrets": []
#  }

Add secrets to an organization

curl --request PATCH \
  --url http://localhost:9999/api/v2/orgs/<org-id>/secrets \
  --header 'authorization: Token YOURAUTHTOKEN' \
  --header 'content-type: application/json' \
  --data '{
	"foo": "bar",
	"hello": "world"
}'

# should return 204 no content

Retrieve the added secrets

curl --request GET \
  --url http://localhost:9999/api/v2/orgs/<org-id>/secrets \
  --header 'authorization: Token YOURAUTHTOKEN'

# should return
#  {
#    "links": {
#      "org": "/api/v2/orgs/031c8cbefe101000",
#      "secrets": "/api/v2/orgs/031c8cbefe101000/secrets"
#    },
#    "secrets": [
#      "foo",
#      "hello"
#    ]
#  }

Vault secrets storage

For each organization, InfluxDB creates a secrets engine using the following pattern:

/secret/data/<org-id>

Secrets are stored in Vault as key value pairs in their respective secrets engines.

/secret/data/031c8cbefe101000 ->
  this_key: foo
  that_key: bar
  a_secret: key