Documentation

InfluxDB OSS

v2

Store secrets in Vault

Vault secures, stores, and controls access to tokens, passwords, certificates, and other sensitive secrets. Store sensitive secrets in Vault using InfluxDB’s built-in Vault integration.

To store secrets in Vault, complete the following steps:

  1. Start a Vault server.
  2. Provide Vault server address and token.
  3. Start InfluxDB.
  4. Manage secrets through the InfluxDB API.

Start a Vault server

Start a Vault server and ensure InfluxDB has network access to the server.

The following links provide information about running Vault in both development and production:

InfluxDB supports the Vault KV Secrets Engine Version 2 API only. When you create a secrets engine, enable the kv-v2 version by running:

vault secrets enable kv-v2

For this example, install Vault on your local machine and start a Vault dev server.

vault server -dev

Provide Vault server address and token

Use influxd Vault-related tags or Vault environment variables to provide connection credentials and other important Vault-related information to InfluxDB.

Required credentials

Vault address

Provide the API address of your Vault server (available in the Vault server output) using the --vault-addr flag when starting influxd or with the VAULT_ADDR environment variable.

Vault token

Provide your Vault token (required to access your Vault server) using the --vault-token flag when starting influxd or with the VAULT_TOKEN environment variable.

Your Vault server configuration may require other Vault settings.

Start InfluxDB

Start the influxd service with the --secret-store option set to vault any other necessary flags.

influxd --secret-store vault \
  --vault-addr=http://127.0.0.1:8200 \
  --vault-token=s.0X0XxXXx0xXxXXxxxXxXxX0x

influxd includes the following Vault configuration options. If set, these flags override any Vault environment variables:

  • --vault-addr
  • --vault-cacert
  • --vault-capath
  • --vault-client-cert
  • --vault-client-key
  • --vault-max-retries
  • --vault-client-timeout
  • --vault-skip-verify
  • --vault-tls-server-name
  • --vault-token

For more information, see InfluxDB configuration options.

Manage secrets through the InfluxDB API

Use the InfluxDB /org/{orgID}/secrets API endpoint to add tokens to Vault. For details, see Manage secrets.

secrets security

Was this page helpful?

Thank you for your feedback!

© 2024 InfluxData, Inc.

What is your InfluxDB OSS URL?

Customize your InfluxDB OSS URL and we’ll update code examples for you.

Default
Custom

For more information, see InfluxDB OSS URLs.

Thank you for your feedback!

Let us know what we can do better:

Thank you!

No thanks

The future of Flux

Flux is going into maintenance mode. You can continue using it as you currently are without any changes to your code.

Read more

InfluxDB v3 enhancements and InfluxDB Clustered is now generally available

New capabilities, including faster query performance and management tooling advance the InfluxDB v3 product line. InfluxDB Clustered is now generally available.

InfluxDB v3 performance and features

The InfluxDB v3 product line has seen significant enhancements in query performance and has made new management tooling available. These enhancements include an operational dashboard to monitor the health of your InfluxDB cluster, single sign-on (SSO) support in InfluxDB Cloud Dedicated, and new management APIs for tokens and databases.

Learn about the new v3 enhancements

InfluxDB Clustered general availability

InfluxDB Clustered is now generally available and gives you the power of InfluxDB v3 in your self-managed stack.

Talk to us about InfluxDB Clustered