helm-external-secrets/site/provider-hashicorp-vault/index.html

<!doctype html>
<html lang="en" class="no-js">
  <head>
    
      <meta charset="utf-8">
      <meta name="viewport" content="width=device-width,initial-scale=1">
      
      
      
      
      <link rel="icon" href="../assets/images/favicon.png">
      <meta name="generator" content="mkdocs-1.1, mkdocs-material-7.1.8">
    
    
      
        <title>HashiCorp Vault - External Secrets Operator</title>
      
    
    
      <link rel="stylesheet" href="../assets/stylesheets/main.ca7ac06f.min.css">
      
        
        <link rel="stylesheet" href="../assets/stylesheets/palette.f1a3b89f.min.css">
        
      
    
    
    
      
        
        <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
        <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
        <style>:root{--md-text-font-family:"Roboto";--md-code-font-family:"Roboto Mono"}</style>
      
    
    
    
    
      

  


  

  


  <script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","G-QP38TD8K7V"),document.addEventListener("DOMContentLoaded",function(){"undefined"!=typeof location$&&location$.subscribe(function(t){gtag("config","G-QP38TD8K7V",{page_path:t.pathname})})})</script>
  <script async src="https://www.googletagmanager.com/gtag/js?id=G-QP38TD8K7V"></script>


    
    
  </head>
  
  
    
    
    
    
    
    <body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
  
    
    <script>function __prefix(e){return new URL("..",location).pathname+"."+e}function __get(e,t=localStorage){return JSON.parse(t.getItem(__prefix(e)))}</script>
    
    <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
    <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
    <label class="md-overlay" for="__drawer"></label>
    <div data-md-component="skip">
      
        
        <a href="#hashicorp-vault" class="md-skip">
          Skip to content
        </a>
      
    </div>
    <div data-md-component="announce">
      
    </div>
    
      <header class="md-header" data-md-component="header">
  <nav class="md-header__inner md-grid" aria-label="Header">
    <a href=".." title="External Secrets Operator" class="md-header__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
      
  
  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg>

    </a>
    <label class="md-header__button md-icon" for="__drawer">
      <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
    </label>
    <div class="md-header__title" data-md-component="header-title">
      <div class="md-header__ellipsis">
        <div class="md-header__topic">
          <span class="md-ellipsis">
            External Secrets Operator
          </span>
        </div>
        <div class="md-header__topic" data-md-component="header-topic">
          <span class="md-ellipsis">
            
              HashiCorp Vault
            
          </span>
        </div>
      </div>
    </div>
    
    
    
      <label class="md-header__button md-icon" for="__search">
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
      </label>
      
<div class="md-search" data-md-component="search" role="dialog">
  <label class="md-search__overlay" for="__search"></label>
  <div class="md-search__inner" role="search">
    <form class="md-search__form" name="search">
      <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" data-md-state="active" required>
      <label class="md-search__icon md-icon" for="__search">
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
      </label>
      <button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
      </button>
    </form>
    <div class="md-search__output">
      <div class="md-search__scrollwrap" data-md-scrollfix>
        <div class="md-search-result" data-md-component="search-result">
          <div class="md-search-result__meta">
            Initializing search
          </div>
          <ol class="md-search-result__list"></ol>
        </div>
      </div>
    </div>
  </div>
</div>
    
    
      <div class="md-header__source">
        
<a href="https://github.com/external-secrets/external-secrets/" title="Go to repository" class="md-source" data-md-component="source">
  <div class="md-source__icon md-icon">
    
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
  </div>
  <div class="md-source__repository">
    External Secrets Operator
  </div>
</a>
      </div>
    
  </nav>
</header>
    
    <div class="md-container" data-md-component="container">
      
      
        
      
      <main class="md-main" data-md-component="main">
        <div class="md-main__inner md-grid">
          
            
              
              <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
                <div class="md-sidebar__scrollwrap">
                  <div class="md-sidebar__inner">
                    


<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
  <label class="md-nav__title" for="__drawer">
    <a href=".." title="External Secrets Operator" class="md-nav__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
      
  
  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg>

    </a>
    External Secrets Operator
  </label>
  
    <div class="md-nav__source">
      
<a href="https://github.com/external-secrets/external-secrets/" title="Go to repository" class="md-source" data-md-component="source">
  <div class="md-source__icon md-icon">
    
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
  </div>
  <div class="md-source__repository">
    External Secrets Operator
  </div>
</a>
    </div>
  
  <ul class="md-nav__list" data-md-scrollfix>
    
      
      
      

  
  
  
    <li class="md-nav__item">
      <a href=".." class="md-nav__link">
        Introduction
      </a>
    </li>
  

    
      
      
      

  
  
  
    <li class="md-nav__item">
      <a href="../api-overview/" class="md-nav__link">
        Overview
      </a>
    </li>
  

    
      
      
      

  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3" type="checkbox" id="__nav_3" >
      
      <label class="md-nav__link" for="__nav_3">
        API Types
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="API Types" data-md-level="1">
        <label class="md-nav__title" for="__nav_3">
          <span class="md-nav__icon md-icon"></span>
          API Types
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../api-externalsecret/" class="md-nav__link">
        ExternalSecret
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../api-secretstore/" class="md-nav__link">
        SecretStore
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../api-clustersecretstore/" class="md-nav__link">
        ClusterSecretStore
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

    
      
      
      

  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" >
      
      <label class="md-nav__link" for="__nav_4">
        Guides
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Guides" data-md-level="1">
        <label class="md-nav__title" for="__nav_4">
          <span class="md-nav__icon md-icon"></span>
          Guides
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-introduction/" class="md-nav__link">
        Introduction
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-getting-started/" class="md-nav__link">
        Getting started
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-templating/" class="md-nav__link">
        Advanced Templating
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-controller-class/" class="md-nav__link">
        Controller Classes
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-all-keys-one-secret/" class="md-nav__link">
        All keys, One secret
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-common-k8s-secret-types/" class="md-nav__link">
        Common K8S Secret Types
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-multi-tenancy/" class="md-nav__link">
        Multi Tenancy
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-metrics/" class="md-nav__link">
        Metrics
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-using-latest-image/" class="md-nav__link">
        Using Latest Image
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-gitops-using-fluxcd/" class="md-nav__link">
        GitOps using FluxCD
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

    
      
      
      

  
  
    
  
  
    
    <li class="md-nav__item md-nav__item--active md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5" type="checkbox" id="__nav_5" checked>
      
      <label class="md-nav__link" for="__nav_5">
        Provider
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Provider" data-md-level="1">
        <label class="md-nav__title" for="__nav_5">
          <span class="md-nav__icon md-icon"></span>
          Provider
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_1" type="checkbox" id="__nav_5_1" >
      
      <label class="md-nav__link" for="__nav_5_1">
        AWS
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="AWS" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_1">
          <span class="md-nav__icon md-icon"></span>
          AWS
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-aws-secrets-manager/" class="md-nav__link">
        Secrets Manager
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-aws-parameter-store/" class="md-nav__link">
        Parameter Store
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_2" type="checkbox" id="__nav_5_2" >
      
      <label class="md-nav__link" for="__nav_5_2">
        Azure
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Azure" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_2">
          <span class="md-nav__icon md-icon"></span>
          Azure
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-azure-key-vault/" class="md-nav__link">
        Key Vault
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_3" type="checkbox" id="__nav_5_3" >
      
      <label class="md-nav__link" for="__nav_5_3">
        Google
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Google" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_3">
          <span class="md-nav__icon md-icon"></span>
          Google
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-google-secrets-manager/" class="md-nav__link">
        Secrets Manager
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_4" type="checkbox" id="__nav_5_4" >
      
      <label class="md-nav__link" for="__nav_5_4">
        IBM
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="IBM" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_4">
          <span class="md-nav__icon md-icon"></span>
          IBM
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-ibm-secrets-manager/" class="md-nav__link">
        Secrets Manager
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-akeyless/" class="md-nav__link">
        Akeyless
      </a>
    </li>
  

          
            
  
  
    
  
  
    <li class="md-nav__item md-nav__item--active">
      
      <input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
      
      
      
        <label class="md-nav__link md-nav__link--active" for="__toc">
          HashiCorp Vault
          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <a href="./" class="md-nav__link md-nav__link--active">
        HashiCorp Vault
      </a>
      
        
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
  
  
  
  
    <label class="md-nav__title" for="__toc">
      <span class="md-nav__icon md-icon"></span>
      Table of contents
    </label>
    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
      
        <li class="md-nav__item">
  <a href="#hashicorp-vault" class="md-nav__link">
    Hashicorp Vault
  </a>
  
    <nav class="md-nav" aria-label="Hashicorp Vault">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#example" class="md-nav__link">
    Example
  </a>
  
    <nav class="md-nav" aria-label="Example">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#limitations" class="md-nav__link">
    Limitations
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
        
          <li class="md-nav__item">
  <a href="#authentication" class="md-nav__link">
    Authentication
  </a>
  
    <nav class="md-nav" aria-label="Authentication">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#token-based-authentication" class="md-nav__link">
    Token-based authentication
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#approle-authentication-example" class="md-nav__link">
    AppRole authentication example
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#kubernetes-authentication" class="md-nav__link">
    Kubernetes authentication
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#ldap-authentication" class="md-nav__link">
    LDAP authentication
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#jwtoidc-authentication" class="md-nav__link">
    JWT/OIDC authentication
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
        
          <li class="md-nav__item">
  <a href="#vault-enterprise-and-eventual-consistency" class="md-nav__link">
    Vault Enterprise and Eventual Consistency
  </a>
  
    <nav class="md-nav" aria-label="Vault Enterprise and Eventual Consistency">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#read-your-writes" class="md-nav__link">
    Read Your Writes
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#forward-inconsistent" class="md-nav__link">
    Forward Inconsistent
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
        
      </ul>
    </nav>
  
</li>
      
    </ul>
  
</nav>
      
    </li>
  

          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_7" type="checkbox" id="__nav_5_7" >
      
      <label class="md-nav__link" for="__nav_5_7">
        Yandex
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Yandex" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_7">
          <span class="md-nav__icon md-icon"></span>
          Yandex
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-yandex-lockbox/" class="md-nav__link">
        Lockbox
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_8" type="checkbox" id="__nav_5_8" >
      
      <label class="md-nav__link" for="__nav_5_8">
        Gitlab
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Gitlab" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_8">
          <span class="md-nav__icon md-icon"></span>
          Gitlab
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-gitlab-project-variables/" class="md-nav__link">
        Gitlab Project Variables
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_9" type="checkbox" id="__nav_5_9" >
      
      <label class="md-nav__link" for="__nav_5_9">
        Oracle
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Oracle" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_9">
          <span class="md-nav__icon md-icon"></span>
          Oracle
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-oracle-vault/" class="md-nav__link">
        Oracle Vault
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-webhook/" class="md-nav__link">
        Webhook
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

    
      
      
      

  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_6" type="checkbox" id="__nav_6" >
      
      <label class="md-nav__link" for="__nav_6">
        References
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="References" data-md-level="1">
        <label class="md-nav__title" for="__nav_6">
          <span class="md-nav__icon md-icon"></span>
          References
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../spec/" class="md-nav__link">
        API specification
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

    
      
      
      

  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7" type="checkbox" id="__nav_7" >
      
      <label class="md-nav__link" for="__nav_7">
        Contributing
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Contributing" data-md-level="1">
        <label class="md-nav__title" for="__nav_7">
          <span class="md-nav__icon md-icon"></span>
          Contributing
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../contributing-devguide/" class="md-nav__link">
        Developer guide
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../contributing-process/" class="md-nav__link">
        Contributing Process
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../contributing-coc/" class="md-nav__link">
        Code of Conduct
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

    
      
      
      

  
  
  
    <li class="md-nav__item">
      <a href="../deprecation-policy/" class="md-nav__link">
        Deprecation Policy
      </a>
    </li>
  

    
  </ul>
</nav>
                  </div>
                </div>
              </div>
            
            
              
              <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
                <div class="md-sidebar__scrollwrap">
                  <div class="md-sidebar__inner">
                    
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
  
  
  
  
    <label class="md-nav__title" for="__toc">
      <span class="md-nav__icon md-icon"></span>
      Table of contents
    </label>
    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
      
        <li class="md-nav__item">
  <a href="#hashicorp-vault" class="md-nav__link">
    Hashicorp Vault
  </a>
  
    <nav class="md-nav" aria-label="Hashicorp Vault">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#example" class="md-nav__link">
    Example
  </a>
  
    <nav class="md-nav" aria-label="Example">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#limitations" class="md-nav__link">
    Limitations
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
        
          <li class="md-nav__item">
  <a href="#authentication" class="md-nav__link">
    Authentication
  </a>
  
    <nav class="md-nav" aria-label="Authentication">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#token-based-authentication" class="md-nav__link">
    Token-based authentication
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#approle-authentication-example" class="md-nav__link">
    AppRole authentication example
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#kubernetes-authentication" class="md-nav__link">
    Kubernetes authentication
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#ldap-authentication" class="md-nav__link">
    LDAP authentication
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#jwtoidc-authentication" class="md-nav__link">
    JWT/OIDC authentication
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
        
          <li class="md-nav__item">
  <a href="#vault-enterprise-and-eventual-consistency" class="md-nav__link">
    Vault Enterprise and Eventual Consistency
  </a>
  
    <nav class="md-nav" aria-label="Vault Enterprise and Eventual Consistency">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#read-your-writes" class="md-nav__link">
    Read Your Writes
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#forward-inconsistent" class="md-nav__link">
    Forward Inconsistent
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
        
      </ul>
    </nav>
  
</li>
      
    </ul>
  
</nav>
                  </div>
                </div>
              </div>
            
          
          <div class="md-content" data-md-component="content">
            <article class="md-content__inner md-typeset">
              
                
                  <a href="https://github.com/external-secrets/external-secrets/edit/master/docs/provider-hashicorp-vault.md" title="Edit this page" class="md-content__button md-icon">
                    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20.71 7.04c.39-.39.39-1.04 0-1.41l-2.34-2.34c-.37-.39-1.02-.39-1.41 0l-1.84 1.83 3.75 3.75M3 17.25V21h3.75L17.81 9.93l-3.75-3.75L3 17.25z"/></svg>
                  </a>
                
                
                  <h1>HashiCorp Vault</h1>
                
                <p><img alt="HCP Vault" src="../pictures/diagrams-provider-vault.png" /></p>
<h2 id="hashicorp-vault">Hashicorp Vault</h2>
<p>External Secrets Operator integrates with <a href="https://www.vaultproject.io/">HashiCorp Vault</a> for secret
management. Vault itself implements lots of different secret engines, as of now we only support the
<a href="https://www.vaultproject.io/docs/secrets/kv">KV Secrets Engine</a>.</p>
<h3 id="example">Example</h3>
<p>First, create a SecretStore with a vault backend. For the sake of simplicity we'll use a static token <code>root</code>:</p>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
<span class="nt">metadata</span><span class="p">:</span>
  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">vault-backend</span>
<span class="nt">spec</span><span class="p">:</span>
  <span class="nt">provider</span><span class="p">:</span>
    <span class="nt">vault</span><span class="p">:</span>
      <span class="nt">server</span><span class="p">:</span> <span class="s">&quot;http://my.vault.server:8200&quot;</span>
      <span class="nt">path</span><span class="p">:</span> <span class="s">&quot;secret&quot;</span>
      <span class="nt">version</span><span class="p">:</span> <span class="s">&quot;v2&quot;</span>
      <span class="nt">auth</span><span class="p">:</span>
        <span class="c1"># points to a secret that contains a vault token</span>
        <span class="c1"># https://www.vaultproject.io/docs/auth/token</span>
        <span class="nt">tokenSecretRef</span><span class="p">:</span>
          <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;vault-token&quot;</span>
          <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;default&quot;</span>
          <span class="nt">key</span><span class="p">:</span> <span class="s">&quot;token&quot;</span>
<span class="nn">---</span>
<span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Secret</span>
<span class="nt">metadata</span><span class="p">:</span>
  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">vault-token</span>
<span class="nt">data</span><span class="p">:</span>
  <span class="nt">token</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">cm9vdA==</span> <span class="c1"># &quot;root&quot;</span>
</code></pre></div>

<p>Then create a simple k/v pair at path <code>secret/foo</code>:</p>
<div class="highlight"><pre><span></span><code>vault kv put secret/foo my-value=s3cr3t
</code></pre></div>

<p>Now create a ExternalSecret that uses the above SecretStore:</p>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
<span class="nt">metadata</span><span class="p">:</span>
  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">vault-example</span>
<span class="nt">spec</span><span class="p">:</span>
  <span class="nt">refreshInterval</span><span class="p">:</span> <span class="s">&quot;15s&quot;</span>
  <span class="nt">secretStoreRef</span><span class="p">:</span>
    <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">vault-backend</span>
    <span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  <span class="nt">target</span><span class="p">:</span>
    <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example-sync</span>
  <span class="nt">data</span><span class="p">:</span>
  <span class="p p-Indicator">-</span> <span class="nt">secretKey</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">foobar</span>
    <span class="nt">remoteRef</span><span class="p">:</span>
      <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">secret/foo</span>
      <span class="nt">property</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">my-value</span>
<span class="nn">---</span>
<span class="c1"># will create a secret with:</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Secret</span>
<span class="nt">metadata</span><span class="p">:</span>
  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example-sync</span>
<span class="nt">data</span><span class="p">:</span>
  <span class="nt">foobar</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">czNjcjN0</span>
</code></pre></div>

<h4 id="limitations">Limitations</h4>
<p>Vault supports only simple key/value pairs - nested objects are not supported. Hence specifying <code>gjson</code> properties like other providers support it is not supported.</p>
<h3 id="authentication">Authentication</h3>
<p>We support five different modes for authentication:
<a href="https://www.vaultproject.io/docs/auth/token">token-based</a>,
<a href="https://www.vaultproject.io/docs/auth/approle">appRole</a>,
<a href="https://www.vaultproject.io/docs/auth/kubernetes">kubernetes-native</a>,
<a href="https://www.vaultproject.io/docs/auth/ldap">ldap</a> and
<a href="https://www.vaultproject.io/docs/auth/jwt">jwt/odic</a>, each one comes with it's own
trade-offs. Depending on the authentication method you need to adapt your environment.</p>
<h4 id="token-based-authentication">Token-based authentication</h4>
<p>A static token is stored in a <code>Kind=Secret</code> and is used to authenticate with vault.</p>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
<span class="nt">metadata</span><span class="p">:</span>
  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">vault-backend</span>
  <span class="nt">namespace</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example</span>
<span class="nt">spec</span><span class="p">:</span>
  <span class="nt">provider</span><span class="p">:</span>
    <span class="nt">vault</span><span class="p">:</span>
      <span class="nt">server</span><span class="p">:</span> <span class="s">&quot;https://vault.acme.org&quot;</span>
      <span class="nt">path</span><span class="p">:</span> <span class="s">&quot;secret&quot;</span>
      <span class="nt">version</span><span class="p">:</span> <span class="s">&quot;v2&quot;</span>
      <span class="nt">auth</span><span class="p">:</span>
        <span class="c1"># points to a secret that contains a vault token</span>
        <span class="c1"># https://www.vaultproject.io/docs/auth/token</span>
        <span class="nt">tokenSecretRef</span><span class="p">:</span>
          <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;my-secret&quot;</span>
          <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;secret-admin&quot;</span>
          <span class="nt">key</span><span class="p">:</span> <span class="s">&quot;vault-token&quot;</span>
</code></pre></div>

<h4 id="approle-authentication-example">AppRole authentication example</h4>
<p><a href="https://www.vaultproject.io/docs/auth/approle">AppRole authentication</a> reads the secret id from a
<code>Kind=Secret</code> and uses the specified <code>roleId</code> to aquire a temporary token to fetch secrets.</p>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
<span class="nt">metadata</span><span class="p">:</span>
  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">vault-backend</span>
  <span class="nt">namespace</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example</span>
<span class="nt">spec</span><span class="p">:</span>
  <span class="nt">provider</span><span class="p">:</span>
    <span class="nt">vault</span><span class="p">:</span>
      <span class="nt">server</span><span class="p">:</span> <span class="s">&quot;https://vault.acme.org&quot;</span>
      <span class="nt">path</span><span class="p">:</span> <span class="s">&quot;secret&quot;</span>
      <span class="nt">version</span><span class="p">:</span> <span class="s">&quot;v2&quot;</span>
      <span class="nt">auth</span><span class="p">:</span>
        <span class="c1"># VaultAppRole authenticates with Vault using the</span>
        <span class="c1"># App Role auth mechanism</span>
        <span class="c1"># https://www.vaultproject.io/docs/auth/approle</span>
        <span class="nt">appRole</span><span class="p">:</span>
          <span class="c1"># Path where the App Role authentication backend is mounted</span>
          <span class="nt">path</span><span class="p">:</span> <span class="s">&quot;approle&quot;</span>
          <span class="c1"># RoleID configured in the App Role authentication backend</span>
          <span class="nt">roleId</span><span class="p">:</span> <span class="s">&quot;db02de05-fa39-4855-059b-67221c5c2f63&quot;</span>
          <span class="c1"># Reference to a key in a K8 Secret that contains the App Role SecretId</span>
          <span class="nt">secretRef</span><span class="p">:</span>
            <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;my-secret&quot;</span>
            <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;secret-admin&quot;</span>
            <span class="nt">key</span><span class="p">:</span> <span class="s">&quot;secret-id&quot;</span>
</code></pre></div>

<h4 id="kubernetes-authentication">Kubernetes authentication</h4>
<p><a href="https://www.vaultproject.io/docs/auth/kubernetes">Kubernetes-native authentication</a> has three
options of optaining credentials for vault:</p>
<ol>
<li>by using a service account jwt referenced in <code>serviceAccountRef</code></li>
<li>by using the jwt from a <code>Kind=Secret</code> referenced by the <code>secretRef</code></li>
<li>by using transient credentials from the mounted service account token within the
    external-secrets operator</li>
</ol>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
<span class="nt">metadata</span><span class="p">:</span>
  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">vault-backend</span>
  <span class="nt">namespace</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example</span>
<span class="nt">spec</span><span class="p">:</span>
  <span class="nt">provider</span><span class="p">:</span>
    <span class="nt">vault</span><span class="p">:</span>
      <span class="nt">server</span><span class="p">:</span> <span class="s">&quot;https://vault.acme.org&quot;</span>
      <span class="nt">path</span><span class="p">:</span> <span class="s">&quot;secret&quot;</span>
      <span class="nt">version</span><span class="p">:</span> <span class="s">&quot;v2&quot;</span>
      <span class="nt">auth</span><span class="p">:</span>
        <span class="c1"># Authenticate against Vault using a Kubernetes ServiceAccount</span>
        <span class="c1"># token stored in a Secret.</span>
        <span class="c1"># https://www.vaultproject.io/docs/auth/kubernetes</span>
        <span class="nt">kubernetes</span><span class="p">:</span>
          <span class="c1"># Path where the Kubernetes authentication backend is mounted in Vault</span>
          <span class="nt">mountPath</span><span class="p">:</span> <span class="s">&quot;kubernetes&quot;</span>
          <span class="c1"># A required field containing the Vault Role to assume.</span>
          <span class="nt">role</span><span class="p">:</span> <span class="s">&quot;demo&quot;</span>
          <span class="c1"># Optional service account field containing the name</span>
          <span class="c1"># of a kubernetes ServiceAccount</span>
          <span class="nt">serviceAccountRef</span><span class="p">:</span>
            <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;my-sa&quot;</span>
            <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;secret-admin&quot;</span>
          <span class="c1"># Optional secret field containing a Kubernetes ServiceAccount JWT</span>
          <span class="c1">#  used for authenticating with Vault</span>
          <span class="nt">secretRef</span><span class="p">:</span>
            <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;my-secret&quot;</span>
            <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;secret-admin&quot;</span>
            <span class="nt">key</span><span class="p">:</span> <span class="s">&quot;vault&quot;</span>
</code></pre></div>

<h4 id="ldap-authentication">LDAP authentication</h4>
<p><a href="https://www.vaultproject.io/docs/auth/ldap">LDAP authentication</a> uses
username/password pair to get an access token. Username is stored directly in
a <code>Kind=SecretStore</code> or <code>Kind=ClusterSecretStore</code> resource, password is stored
in a <code>Kind=Secret</code> referenced by the <code>secretRef</code>.</p>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
<span class="nt">metadata</span><span class="p">:</span>
  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">vault-backend</span>
  <span class="nt">namespace</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example</span>
<span class="nt">spec</span><span class="p">:</span>
  <span class="nt">provider</span><span class="p">:</span>
    <span class="nt">vault</span><span class="p">:</span>
      <span class="nt">server</span><span class="p">:</span> <span class="s">&quot;https://vault.acme.org&quot;</span>
      <span class="nt">path</span><span class="p">:</span> <span class="s">&quot;secret&quot;</span>
      <span class="nt">version</span><span class="p">:</span> <span class="s">&quot;v2&quot;</span>
      <span class="nt">auth</span><span class="p">:</span>
        <span class="c1"># VaultLdap authenticates with Vault using the LDAP auth mechanism</span>
        <span class="c1"># https://www.vaultproject.io/docs/auth/ldap</span>
        <span class="nt">ldap</span><span class="p">:</span>
          <span class="c1"># Path where the LDAP authentication backend is mounted</span>
          <span class="nt">path</span><span class="p">:</span> <span class="s">&quot;ldap&quot;</span>
          <span class="c1"># LDAP username</span>
          <span class="nt">username</span><span class="p">:</span> <span class="s">&quot;username&quot;</span>
          <span class="nt">secretRef</span><span class="p">:</span>
            <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;my-secret&quot;</span>
            <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;secret-admin&quot;</span>
            <span class="nt">key</span><span class="p">:</span> <span class="s">&quot;ldap-password&quot;</span>
</code></pre></div>

<h4 id="jwtoidc-authentication">JWT/OIDC authentication</h4>
<p><a href="https://www.vaultproject.io/docs/auth/jwt">JWT/OIDC</a> uses a
<a href="https://jwt.io/">JWT</a> token stored in a <code>Kind=Secret</code> and referenced by the
<code>secretRef</code>. Optionally a <code>role</code> field can be defined in a <code>Kind=SecretStore</code>
or <code>Kind=ClusterSecretStore</code> resource.</p>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
<span class="nt">metadata</span><span class="p">:</span>
  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">vault-backend</span>
  <span class="nt">namespace</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example</span>
<span class="nt">spec</span><span class="p">:</span>
  <span class="nt">provider</span><span class="p">:</span>
    <span class="nt">vault</span><span class="p">:</span>
      <span class="nt">server</span><span class="p">:</span> <span class="s">&quot;https://vault.acme.org&quot;</span>
      <span class="nt">path</span><span class="p">:</span> <span class="s">&quot;secret&quot;</span>
      <span class="nt">version</span><span class="p">:</span> <span class="s">&quot;v2&quot;</span>
      <span class="nt">auth</span><span class="p">:</span>
        <span class="c1"># VaultJwt authenticates with Vault using the JWT/OIDC auth mechanism</span>
        <span class="c1"># https://www.vaultproject.io/docs/auth/jwt</span>
        <span class="nt">jwt</span><span class="p">:</span>
          <span class="c1"># Path where the JWT authentication backend is mounted</span>
          <span class="nt">path</span><span class="p">:</span> <span class="s">&quot;jwt&quot;</span>
          <span class="c1"># JWT role configured in a Vault server, optional.</span>
          <span class="nt">role</span><span class="p">:</span> <span class="s">&quot;vault-jwt-role&quot;</span>
          <span class="nt">secretRef</span><span class="p">:</span>
            <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;my-secret&quot;</span>
            <span class="nt">namespace</span><span class="p">:</span> <span class="s">&quot;secret-admin&quot;</span>
            <span class="nt">key</span><span class="p">:</span> <span class="s">&quot;jwt-token&quot;</span>
</code></pre></div>

<h3 id="vault-enterprise-and-eventual-consistency">Vault Enterprise and Eventual Consistency</h3>
<p>When using Vault Enterprise with <a href="https://www.vaultproject.io/docs/enterprise/consistency#performance-standby-nodes">performance standby nodes</a>,
any follower can handle read requests immediately after the provider has
authenticated. Since Vault becomes eventually consistent in this mode, these
requests can fail if the login has not yet propagated to each server's local
state.</p>
<p>Below are two different solutions to this scenario. You'll need to review them
and pick the best fit for your environment and Vault configuration.</p>
<h4 id="read-your-writes">Read Your Writes</h4>
<p>The simplest method is simply utilizing the <code>X-Vault-Index</code> header returned on
all write requests (including logins). Passing this header back on subsequent
requests instructs the Vault client to retry the request until the server has an
index greater than or equal to that returned with the last write.</p>
<p>Obviously though, this has a performance hit because the read is blocked until
the follower's local state has caught up.</p>
<h4 id="forward-inconsistent">Forward Inconsistent</h4>
<p>In addition to the aforementioned <code>X-Vault-Index</code> header, Vault also supports
proxying inconsistent requests to the current cluster leader for immediate
read-after-write consistency. This is achieved by setting the <code>X-Vault-Inconsistent</code>
header to <code>forward-active-node</code>. By default, this behavior is disabled and must
be explicitly enabled in the server's <a href="https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header">replication configuration</a>.</p>
                
              
              
                


              
            </article>
          </div>
        </div>
        
      </main>
      
        
<footer class="md-footer">
  
    <nav class="md-footer__inner md-grid" aria-label="Footer">
      
        
        <a href="../provider-akeyless/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Akeyless" rel="prev">
          <div class="md-footer__button md-icon">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
          </div>
          <div class="md-footer__title">
            <div class="md-ellipsis">
              <span class="md-footer__direction">
                Previous
              </span>
              Akeyless
            </div>
          </div>
        </a>
      
      
        
        <a href="../provider-yandex-lockbox/" class="md-footer__link md-footer__link--next" aria-label="Next: Lockbox" rel="next">
          <div class="md-footer__title">
            <div class="md-ellipsis">
              <span class="md-footer__direction">
                Next
              </span>
              Lockbox
            </div>
          </div>
          <div class="md-footer__button md-icon">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
          </div>
        </a>
      
    </nav>
  
  <div class="md-footer-meta md-typeset">
    <div class="md-footer-meta__inner md-grid">
      <div class="md-footer-copyright">
        
        Made with
        <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
          Material for MkDocs
        </a>
        
      </div>
      
    </div>
  </div>
</footer>
      
    </div>
    <div class="md-dialog" data-md-component="dialog">
      <div class="md-dialog__inner md-typeset"></div>
    </div>
    <script id="__config" type="application/json">{"base": "..", "features": [], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../assets/javascripts/workers/search.b0710199.min.js", "version": {"provider": "mike"}}</script>
    
    
      <script src="../assets/javascripts/bundle.76f349be.min.js"></script>
      
    
  </body>
</html>