Configure a custom plugin provider
The custom plugin provider lets you connect Itential Gateway to any secrets manager using a customer-supplied executable. Gateway calls the executable as a subprocess using a stable, documented protocol. The executable retrieves the secret using whatever logic is appropriate for your environment.
Use a custom plugin when:
- You use HashiCorp Vault KV v1 (only KV v2 is supported by the bundled Vault connector)
- Your organization uses IAM-based authentication to Vault
- You need to integrate with a secrets manager not covered by the bundled providers
Plugin protocol
Gateway invokes your plugin with the get subcommand:
Input
Gateway writes a single JSON object to the plugin’s stdin:
Output — success
On success, write a JSON object to stdout and exit with code 0:
Output — failure
On failure, write a descriptive error message to stderr, write nothing to stdout, and exit with a non-zero code. Gateway includes your stderr output in the operator-facing error.
Security model
Credentials must never pass through stdin or stdout. Store tokens, certificates, and API keys as files on the gateway server. Reference them using environment variables set at provider registration:
Gateway passes the config.env values to the plugin at invocation time. The plugin reads credentials directly from disk—they never travel over the stdin/stdout pipe or appear in Gateway logs.
Reference implementation — Python (HashiCorp Vault KV v1, token auth)
The following example retrieves a secret from HashiCorp Vault KV v1 using a token file. It uses only Python standard library modules.
Reference implementation — Go (Azure Key Vault, DefaultAzureCredential)
The following example retrieves a secret from Azure Key Vault using the Azure SDK’s DefaultAzureCredential. It demonstrates that the plugin protocol is language-agnostic and works with any external secrets source, including providers not covered by the bundled connectors.
Register this provider with the vault URL passed as a non-sensitive --env value. DefaultAzureCredential picks up the Azure identity from the gateway server’s environment (managed identity, environment variables, or CLI login):
Register a custom plugin provider
Place the plugin on the gateway server
Copy your plugin executable to the gateway server and make it executable:
If you run Itential Gateway in a cluster, every gateway server needs a copy of the plugin at the same path.