Hashicorp Vault secret Click here for latest


You are currently viewing v"2.13" of the documentation and it is not the latest. For the most recent documentation, kindly click here.

You can pull one or more Hashicorp Vault secrets into the trigger by defining the authentication metadata such as Vault address and the authentication method (token | kubernetes). If you choose kubernetes auth method you should provide role and mount as well. credential defines the Hashicorp Vault credentials depending on the authentication method, for kubernetes you should provide path to service account token (/var/run/secrets/kubernetes.io/serviceaccount/token) and for token auth method provide the token. secrets list defines the mapping between the path and the key of the secret in Vault to the parameter. namespace may be used to target a given Vault Enterprise namespace.

Since version 1.5.0 Vault secrets backend version 2 is supported. The support for Vault secrets backend version 1 was added on version 2.10.

hashiCorpVault:                                               # Optional.
  address: {hashicorp-vault-address}                          # Required.
  namespace: {hashicorp-vault-namespace}                      # Optional. Default is root namespace. Useful for Vault Enterprise
  authentication: token | kubernetes                          # Required.
  role: {hashicorp-vault-role}                                # Optional.
  mount: {hashicorp-vault-mount}                              # Optional.
  credential:                                                 # Optional.
    token: {hashicorp-vault-token}                            # Optional.
    serviceAccount: {path-to-service-account-file}            # Optional.
  secrets:                                                    # Required.
  - parameter: {scaledObject-parameter-name}                  # Required.
    key: {hashicorp-vault-secret-key-name}                    # Required.
    path: {hashicorp-vault-secret-path}                       # Required.
    type: {hashicorp-vault-secret-type}                       # Optional. Default to `""`. Allowed values: `secret`, `secretV2`, `pki`
    pkidata: {hashicorp-vault-secret-pkidata}                 # Optional. Data to be send with the secret  if `hashicorp-vault-secret-type` is pki request
      commonName: {hashicorp-vault-secret-pkidata-commonName} # Optional.
      altNames: {hashicorp-vault-secret-pkidata-altNames}     # Optional.
      ipSans: {hashicorp-vault-secret-pkidata-ipSans}         # Optional.
      uriSans: {hashicorp-vault-secret-pkidata-uriSans}       # Optional.
      otherSans: {hashicorp-vault-secret-pkidata-otherSans}   # Optional.
      ttl: {hashicorp-vault-secret-pkidata-ttl}               # Optional.
      format: {hashicorp-vault-secret-pkidata-format}         # Optional.


Vault Secret can be used to provide authentication for a Scaler. If using the Prometheus scaler, mTls can be used by the ScaledObject to authenticate to the Prometheus server. The following example would request a certificate to Vault dynamically.

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
  name: {trigger-authentication-mame}
  namespace: default
    address: {hashicorp-vault-address}
    authentication: token
      token: {hashicorp-vault-token}
      - key: "ca_chain"
        parameter: "ca"
        path: {hashicorp-vault-secret-path}
        type: pki
          common_name: {hashicorp-vault-secret-pkidata-commonName}
      - key: "private_key"
        parameter: "key"
        path: {hashicorp-vault-secret-path}
        type: pki
          common_name: {hashicorp-vault-secret-pkidata-commonName}
      - key: "certificate"
        parameter: "cert"
        path: {hashicorp-vault-secret-path}
        type: pki
          common_name: {hashicorp-vault-secret-pkidata-commonName}
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
  name: {scaled-object-name}
  namespace: default
    name: {deployment-name}
    - type: prometheus
        serverAddress: http://<prometheus-host>:9090
        query: sum(rate(http_requests_total{deployment="my-deployment"}[2m]))
        authModes: "tls"
        name: { trigger-authentication-mame }