New feature: HashiCorp Vault plugin

May 18, 2023

HashiCorp Vault is a unified storage system for sensitive data such as tokens, passwords, and encryption keys. Aimed at companies that prefer to keep their secrets in a tightly controlled environment, our new plugin allows project managers to create short-lived API tokens for Buddy with customizable scopes of access.

How it works

The plugin is available for download from our GitHub account.

The system uses Personal Access Tokens (also known as root tokens) to authorize token creation in Vault. The root token must have the rights to create and manage tokens, and can be fortified by restricting it to selected IPs or workspace domains (in this case, the restrictions are automatically inherited by the child tokens).

For time-limited root tokens, you can enable auto-rotation, which automatically deletes the old token and creates a new one 1 day before the expiration date.

In Vault, you can create a role for the token with selected scopes and then bake it into credentials. For example, if you want to let your developers run pipelines (but not modify them), the role is configured like this:

vault write buddy/roles/run_pipeline ttl=30 scopes=WORKSPACE,EXECUTION_RUN

All generated tokens have an extendable (unless restricted) lease time after which they expire. They can also be restricted to particular IPs or workspace domains.

For detailed information on configuration, commands, and available options, check the README file in the plugin repository.
You can read more about how Buddy protects your work on our dedicated security page.

Alexander Kus

Customer Success Manager

A story-teller and conversation-lover, Alexander decided to invest his skills to help his friends at Buddy transform the cold language of patch notes into exciting narratives. Also: an avid gamer, hip-hop DJ, Liverpool FC fan, absentminded husband, and the father of two.