HashiDays One conference. Three cities. Find a city near you
Vault
Vault Home

Import mappings

Vault supports multiple filter types for mapping blocks. You can use the different types to filter the information Vault reads in during the import process.

Passthrough mapping filters

Passthrough mapping blocks mapping_passthrough allow all secrets through from the specified source to the specified destination. For example, one use case is using it as a base-case for imported secrets. By assigning it the lowest priority in the import plan, all other mapping blocks will be applied first. Secrets that fail to match any of the previous mappings will fall through to the passthrough block and be collected in a single KVv2 bucket.

Additional arguments

There are no extra arguments to specify in a mapping_passthrough block.

Example

In this example, every single secret that my-gcp-source-1 is reads from GCP Secret Manager will be imported to the KVv2 Secrets Engine mount defined in my-dest-1.

mapping_passthrough {
  name        = "my-map-1"
  source      = "my-gcp-source-1"
  destination = "my-dest-1"
  priority    = 1
}

Metadata

Metadata mapping blocks mapping_metadata allow secrets through from the specified source to the specified destination if they contain matching metadata key-value pairs. Metadata is not supported in all external secret manageement systems, and ones that do may use different terminology for metadata. For example, AWS allows tags on secrets while GCP allows labels.

Additional arguments

  • tags - (Required) A set of key-value pairs to match on secrets from the external system. All of the specified keys must be found on a secret and all of the values must be exact matches. A key with an empty value, i.e. "", acts as a wildcard match to the external system's values.

Example

In this example, my-map-1 will only import the secrets into the destination my-dest-1 that contain a tag with a key named importable and its value set to true. 

mapping_metadata {
  name        = "my-map-1"
  source      = "my-gcp-source-1"
  destination = "my-dest-1"
  priority    = 1

  tags = {
    "importable" = "true"
  }
}

Regex

Regex mapping blocks mapping_regex allow secrets through from the specified source to the specified destination if their secret name passes a regular expression check.

Additional arguments

  • expression - (Required) A regular expression to match the secrets names from the external system.

Example

In this example, any secret in the GCP source whose name begins with database/ will be imported into Vault.

mapping_regex {
  name        = "my-map-1"
  source      = "my-gcp-source-1"
  destination = "my-dest-1"
  priority    = 1
  expression  = "^database/.*$"
}

Priority

Priority works in a "first match" fashion where lower values are higher priority. To explain in more detail, consider the above metadata example with a second additional mapping.

Below are two metadata mappings. The first, my-map-1, has a priority of 1. This will only import the secrets into the destination my-dest-1 that contain both tag keys database and importable. Each of these keys' values must also match to users and true respectively. The second, my-map-2, has a priority of 2. Even though all the secrets in the first mapping would also qualify for the second mapping's filtering rule, those secrets will only be imported into my-dest-1 because of my-map-2's lower priority. All remaining secrets that have the tag importable with a value of true will be imported into my-dest-2. 

mapping_metadata {
  name        = "my-map-1"
  source      = "my-gcp-source-1"
  destination = "my-dest-1"
  priority    = 1

  tags = {
    "database"   = "users"
    "importable" = "true"
  }
}

mapping_metadata {
  name        = "my-map-2"
  source      = "my-gcp-source-1"
  destination = "my-dest-2"
  priority    = 2

  tags = {
    "importable" = "true"
  }
}
Edit this page on GitHub