WhitepaperSelf-hosting Backstage vs managed Backstage
Roadie
Backstage Plugins Guides
Hashicorp Vault logo

Hashicorp Vault Plugin

View a list of secrets directly in Backstage.

Created by Spread Group

Hashicorp Vault is an identity-based secrets and encryption management system. With this plugin, you'll be able to view a list of secrets and links to manage them on Vault's UI.

Install the front-end plugin.

cd packages/app
yarn add @backstage/plugin-vault

Add the Vault card to the entity page.

// packages/app/src/components/catalog/EntityPage.tsx
import { EntityVaultCard } from '@backstage/plugin-vault';

const overviewContent = (
    <Grid container spacing={3} alignItems="stretch">
    {/* ...other content */}
    <Grid item md={6} xs={12}>
        <EntityVaultCard />
    </Grid>
);

Get a VAULT_TOKEN with LIST capabilities and add it to app-config.yaml.

# app-config.yaml
vault:
  baseUrl: http://your-vault-url
  token: <<VAULT_TOKEN>>
  secretEngine: 'customSecretEngine' # Optional. Default: 'secrets'
  kvVersion: <<kv-version>> # Optional. The available options are '1' or '2'

Found a mistake? Update these instructions.

Don't want to spend your time installing and manually upgrading each Backstage plugin?

Get managed Backstage

How it looks

Hashicorp Vault in Backstage

Things to know

Including secrets in the Catalog

The Hashicorp Vault plugin for Backstage allows you to include secrets as part of your Catalog’s components. You’ll have to add the Vault’s path to your secrets relevant to each component in their respective catalog-info.yaml.

For instance, for my ReallyCool component, which stores secrets in Vault’s secrets/path/to/really-cool, then I need to set an annotation like this:

apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
  # ...
  annotations:
    vault.io/secrets-path: path/to/really-cool

As you can see, the path you specify here is be relative to what you set as secretEngine in app-config.yaml.

Token requirements

This Backstage plugin needs a Vault token to be able to access a list of secrets URLs. The plugin only needs LIST capabilities.

The plugin also comes with an auto-renewal option, to enable it, include self-renewal capabilities in your token’s custom policy:

# Allows token to renew itself
path "auth/token/renew-self" {
  capabilities = ["update"]
}

For more information, consult Vault’s documentation.

Become a Backstage expert

To get the latest news, deep dives into Backstage features, and a roundup of recent open-source action, sign up for Roadie's Backstage Weekly. See recent editions.

We will never sell or share your email address.