Hashicorp Vault
  • 02 May 2024
  • Dark
  • PDF

Hashicorp Vault

  • Dark
  • PDF

Article summary

To manage secrets and help protect data, Itential Automation Gateway now supports HashiCorp Vault, a secrets management tool that secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets along with key revocation, key rolling, and auditing. HashiCorp Vault also provides secrets-as-a-service through a unified API. For more information, please visit the HashiCorp Learn page.

Automation Gateway (AG) contains a Script Execution Engine that interacts with the key-value secrets stored in HashiCorp Vault. The AG server can fetch secrets stored on a Vault server at runtime and pass the values as command line arguments or environment variables when executing a script.

Vault connection parameters are provided to AG via the configuration UI.

Sample Script

Below is a sample Python script that takes one command line argument.

#!/usr/bin/env python

import sys

if len(sys.argv) > 1:
  print(f"The secret of foo is {sys.argv[1]}.")
  print("No secret argument passed in")

User Schema Decoration

In order to use a Vault secret, you first need to add a user schema to the script. Assuming the script is named python_secret_demo.py, you can add the schema below to this script. Refer to the User Decorations guide for more detail on how a user schema works.

    "schema": {
        "title": "schema for python secret",
        "type": "object",
        "properties": {
            "foo": {
                "type": "secret"
        "script_argument_order": ["foo"]

Here we define a parameter named foo with type secret. This parameter also needs to be part of script_argument_order .

Sample Script Payload

Assume the Vault secret you want to fetch is saved in path hello with key name foo. To execute the script with a secret, run POST /api/v2.0/scripts/python_secret_demo.py/execute with the following payload.

  "args": {
    "foo": {
      "path": "hello",
      "key_name": "foo"
  "env": {},
  "hosts": []

Sample Response Object

Below is the response object you get from the above example. The secret of foo is bar in this case.

        "status": "SUCCESS",
        "stdout": "The secret of foo is bar.\n",
        "stderr": "",
        "command": "/app/devtools/scripts/python_secret_demo.py bar",
        "env": [],
        "msg": "",
        "argument_warnings": null,
        "env_warnings": null,
        "working_directory": "/root",
        "raw_result": {
            "rc": 0

This feature has different behavior between releases; see Earlier Release Versions for more info.

Execute Script from IAG UI

If you are executing the script from the Automation Gateway (AG) web interface, after you add the user schema to the script, a blue triangle will appear on the left of python_secret_demo.py.


On the Execute tab, you can run the script by filling the path and key_name without a quote. The response object is the same as executing from the API.


Was this article helpful?

What's Next
Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.