Vault
Synopsis
Manages credential stores that securely resolve secrets at runtime. Instead of embedding sensitive values directly in configuration files, fields reference a named credential store and a key within it. DataStream resolves the reference when the value is needed, keeping secrets out of static configuration.
Four provider types are supported: VirtualMetric Vault (local key-value store), Azure Key Vault, CyberArk Central Credential Provider, and HashiCorp Vault.
Secret Token Syntax
Any configuration field that accepts a string value can use a secret token instead of a plain-text value. Three token formats are supported:
| Format | Description |
|---|---|
| $secret{store=<name>,ref=<value>} | Resolve a secret from a named credential store using the given reference |
| $secret{id=<id>} | Resolve a secret by its ID from the secrets registry |
| $env{VAR_NAME} | Read a value from an environment variable |
When DataStream encounters a token, it resolves the value before using it. Plain-text values are passed through unchanged.
Direct store reference — specifies the store name and reference explicitly:
$secret{store=azure-prod,ref=linux-root-password}
ID-based lookup — resolves the store name and reference from the secrets registry:
$secret{id=2142151252151}
The secrets registry entry must contain credential_store and credential_ref properties that map to a configured credential store.
Schema
```yaml
credentials:
  - name: <string>
    type: local | azurevault | cyberark | hashicorpvault
    description: <string>
    status: <boolean>
    properties:
      # provider-specific fields — see sections below
```
Configuration
Credential Store
Common fields shared by all provider types:
| Field | Required | Default | Description |
|---|---|---|---|
| name | Y | - | Unique credential store identifier |
| type | Y | - | Provider type: local, azurevault, cyberark, or hashicorpvault |
| description | N | - | Optional description |
| status | N | true | Enable or disable the credential store |
VirtualMetric Vault
Stores credentials directly in the configuration file as key-value pairs under properties. The ref value in a secret token maps to a property key name. Because the values live in the configuration file itself, this provider centralizes secrets but does not move them out of static configuration; restrict read access to the file accordingly and prefer one of the external providers where secrets must not be stored alongside the configuration.
Type: local
| Field | Required | Default | Description |
|---|---|---|---|
| properties.<key> | N | - | Arbitrary key-value pairs storing secret values directly |
Ref format:
| Ref | Resolves to |
|---|---|
| <property_key> | Value of the matching property |
Azure Key Vault
Fetches secrets from Azure Key Vault using the REST API. Authenticates with client credentials when tenant_id, client_id, and client_secret are provided. Falls back to managed identity when these fields are omitted.
Type: azurevault
| Field | Required | Default | Description |
|---|---|---|---|
| url | Y | - | Azure Key Vault URL (must use https) |
| tenant_id | N* | - | Azure AD tenant ID |
| client_id | N* | - | Azure AD application (client) ID |
| client_secret | N* | - | Azure AD client secret |
* = Optional. Provide all three to authenticate with client credentials; when they are omitted, authentication falls back to managed identity.
Ref format:
| Ref | Resolves to |
|---|---|
| <secret_name> | Value of the named secret in Key Vault |
CyberArk
Fetches credentials from CyberArk Central Credential Provider (CCP) using the REST API. Authenticates with an Application ID and supports optional mutual TLS for client certificate authentication. A custom CA certificate can be configured independently of mutual TLS for server certificate verification.
Type: cyberark
| Field | Required | Default | Description |
|---|---|---|---|
| url | Y | - | CyberArk PVWA base URL (must use https) |
| app_id | Y | - | Application ID registered in CyberArk |
| safe | N | - | Default safe name, used when ref omits it |
| folder | N | - | Default folder name, used when ref omits it |
| timeout | N | 30 | Request timeout in seconds |
| tls.status | N | false | Enable mutual TLS client certificate authentication |
| tls.cert_name | N* | "cert.pem" | Client certificate file name |
| tls.key_name | N* | "key.pem" | Client private key file name |
| ca_name | N | - | Custom CA certificate file name for server verification |
* = Required when tls.status is true.
Ref format:
| Ref | Safe | Folder | Object |
|---|---|---|---|
| Object | From store config | From store config | Object |
| Safe/Object | Safe | From store config | Object |
| Safe/Folder/Object | Safe | Folder | Object |
HashiCorp Vault
Fetches secrets from HashiCorp Vault using the KV secrets engine (v1 or v2). Authenticates with a static Vault token. Supports Vault Enterprise namespaces.
Type: hashicorpvault
| Field | Required | Default | Description |
|---|---|---|---|
| url | Y | - | HashiCorp Vault server URL |
| token | Y | - | Vault authentication token |
| mount | N | "secret" | KV secrets engine mount path |
| kv_version | N | 2 | KV engine version: 1 or 2 |
| namespace | N | - | Vault Enterprise namespace |
| timeout | N | 30 | Request timeout in seconds |
| tls.status | N | false | Enable mutual TLS client certificate authentication |
| tls.cert_name | N* | "cert.pem" | Client certificate file name |
| tls.key_name | N* | "key.pem" | Client private key file name |
| ca_name | N | - | Custom CA certificate file name for server verification |
* = Required when tls.status is true.
Ref format:
| Ref | Behavior |
|---|---|
| path/to/secret | Returns the first field value found in the secret |
| path/to/secret#field | Returns the value of the specified field |
The first-field form is only unambiguous for secrets that hold a single field. For secrets with several fields, always use the #field form so that the resolved value does not depend on field order.
When using KV v2 (default), the API path automatically includes /data/ between the mount path and the secret path. No manual adjustment is needed.
Details
Resolution Flow
When DataStream encounters a $secret{...} token in a configuration field, it follows this sequence:
- Parse the token to extract either `store`/`ref` parameters or an `id` parameter
- If `id` is provided, look up the `credential_store` and `credential_ref` from the secrets registry
- Find the named credential store in the `credentials` configuration
- Look up the registered provider for the store's `type`
- Invoke the provider with the `ref` value to retrieve the secret
Supported Fields
Any string-valued configuration field can use secret tokens. Common use cases include authentication fields in devices, targets, and other components:
- `username` and `password` — login credentials
- `private_key` and `passphrase` — SSH key-based authentication
- `client_secret` — OAuth and API credentials
- `token` — API tokens and bearer credentials
TLS Certificate Location
TLS certificate and key files referenced by tls.cert_name, tls.key_name, and ca_name must be placed in the service root directory.
URL Requirements
Azure Key Vault and CyberArk providers require https URLs. Connections using http are rejected.
Examples
VirtualMetric Vault
Storing SSH credentials locally in the configuration...
Referencing a value from this store...
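The following is an added example covering both of the points above; it is not configuration taken from the original page. The store name `ssh-local`, the property keys and the secret values are illustrative assumptions, and the token comments show how the `ref` maps to a property key:

```yaml
# Added example, not from the original page. Store name, property keys
# and values are illustrative assumptions.
credentials:
  - name: ssh-local
    type: local
    description: Secrets kept in this file; protect the file itself
    status: true
    properties:
      # Each key becomes a valid ref for this store.
      ssh_user: svc-collector
      ssh_password: "example-password-kept-in-this-file"
      ssh_passphrase: "example-key-passphrase"

# Referencing values from this store (ref = property key):
#   username:   $secret{store=ssh-local,ref=ssh_user}
#   password:   $secret{store=ssh-local,ref=ssh_password}
#   passphrase: $secret{store=ssh-local,ref=ssh_passphrase}
```

Because the values sit in the configuration file, this store only removes duplication of secrets across fields; it does not keep them out of static configuration the way the external providers do.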
Azure Key Vault
Connecting with client credentials...
Using managed identity (omit tenant_id, client_id, client_secret)...
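Both variants as an added example (not configuration from the original page). The store names, the vault URL and the GUID placeholders are assumptions; reading `client_secret` from `$env{...}` assumes that the string fields of a credential store accept tokens like any other string field, which the page states in general but does not show for this block:

```yaml
# Added example, not from the original page. Names, URL and GUIDs are
# placeholders.
credentials:
  # Client-credentials authentication: all three of tenant_id,
  # client_id and client_secret must be present.
  - name: azure-prod
    type: azurevault
    properties:
      url: https://ds-prod-kv.vault.azure.net   # https is mandatory
      tenant_id: 00000000-0000-0000-0000-000000000000
      client_id: 11111111-1111-1111-1111-111111111111
      # Assumption: the store's own string fields accept tokens, so the
      # client secret is injected from the environment rather than
      # written into the file.
      client_secret: $env{AZURE_CLIENT_SECRET}

  # Managed identity: omit all three identity fields and the provider
  # falls back to the identity of the host or workload.
  - name: azure-mi
    type: azurevault
    properties:
      url: https://ds-prod-kv.vault.azure.net

# The ref is the Key Vault secret name:
#   $secret{store=azure-prod,ref=linux-root-password}
#   $secret{store=azure-mi,ref=linux-root-password}
```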
CyberArk
Basic configuration with default safe and folder...
With mutual TLS and custom CA...
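Both configurations as an added example (not from the original page). The PVWA hostname, the `app_id`, the safe and folder names, the certificate file names and the object names in the ref comments are assumptions; the ref resolution shown in the comments follows the Object / Safe/Object / Safe/Folder/Object table above:

```yaml
# Added example, not from the original page. Hostname, app_id, safe,
# folder, certificate file names and object names are placeholders.
credentials:
  # Basic configuration: refs that omit safe and/or folder fall back
  # to the defaults configured here.
  - name: cyberark-basic
    type: cyberark
    properties:
      url: https://pvwa.example.internal        # https is mandatory
      app_id: DataStreamCollector
      safe: LinuxServers
      folder: Root
      timeout: 30
    # ref resolution for this store:
    #   $secret{store=cyberark-basic,ref=web01-root}
    #     -> safe LinuxServers, folder Root, object web01-root
    #   $secret{store=cyberark-basic,ref=WinServers/dc01-svc}
    #     -> safe WinServers, folder Root, object dc01-svc
    #   $secret{store=cyberark-basic,ref=WinServers/Prod/dc01-svc}
    #     -> safe WinServers, folder Prod, object dc01-svc

  # Mutual TLS plus a private CA for server verification. All three
  # files must be placed in the service root directory.
  - name: cyberark-mtls
    type: cyberark
    properties:
      url: https://pvwa.example.internal
      app_id: DataStreamCollector
      tls:
        status: true
        cert_name: datastream-client.pem   # client certificate
        key_name: datastream-client.key    # client private key
      ca_name: corp-root-ca.pem            # CA that signed the PVWA cert
    # No default safe or folder is set, so refs must be fully qualified:
    #   $secret{store=cyberark-mtls,ref=LinuxServers/Root/web01-root}
```

Setting `ca_name` without `tls.status` is also valid: it pins the CA used to verify the PVWA certificate while authenticating with the Application ID only.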
HashiCorp Vault
KV v2 engine (default)...
KV v1 engine with Enterprise namespace...
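Both engines as an added example (not from the original page). The Vault URL, mount names, namespace and secret paths are assumptions; reading `token` from `$env{...}` assumes the store's string fields accept tokens like any other string field. The request paths in the comments follow the `/data/` rule stated above for KV v2 and the standard `/v1/<mount>/<path>` layout of the Vault HTTP API:

```yaml
# Added example, not from the original page. URL, mounts, namespace and
# secret paths are placeholders.
credentials:
  # KV v2 (the default). mount "secret" and kv_version 2 are the
  # defaults and are spelled out only for clarity.
  - name: hcv-kv2
    type: hashicorpvault
    properties:
      url: https://vault.example.internal:8200
      # Assumption: the token field accepts an $env token, so the
      # static Vault token is not written into the configuration.
      token: $env{VAULT_TOKEN}
      mount: secret
      kv_version: 2
    # $secret{store=hcv-kv2,ref=datastream/linux#password}
    #   -> GET <url>/v1/secret/data/datastream/linux, field "password"
    #      (/data/ is inserted automatically for KV v2)
    # $secret{store=hcv-kv2,ref=datastream/api-token}
    #   -> first field of the secret; safe only if it has one field

  # KV v1 on a non-default mount inside a Vault Enterprise namespace.
  - name: hcv-kv1-ent
    type: hashicorpvault
    properties:
      url: https://vault.example.internal:8200
      token: $env{VAULT_TOKEN}
      mount: legacy
      kv_version: 1
      namespace: platform/collectors
      timeout: 10
    # $secret{store=hcv-kv1-ent,ref=datastream/linux#password}
    #   -> GET <url>/v1/legacy/datastream/linux, field "password"
    #      (no /data/ segment for KV v1)
```

The `#field` form is the one to standardize on: a secret that later gains a second field (for example a rotated `password` plus `password_previous`) keeps resolving to the intended value.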
Using Secret Tokens in Configuration
Referencing vault secrets in a device configuration...
Mixing secret tokens with environment variables...
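An added example covering both of the points above; it is not configuration from the original page. The layout of the `devices` and `targets` blocks, the component names and the `endpoint` field are assumptions made for illustration; the field names `username`, `password`, `private_key`, `passphrase` and `token` and the three token formats are the ones documented on this page, and the store names match the stores assumed in the earlier examples:

```yaml
# Added example, not from the original page. The devices/targets layout
# and all names are illustrative assumptions.
devices:
  - name: linux-syslog-hosts
    properties:
      # Direct store reference: store name plus reference, resolved
      # against the Azure Key Vault store at the time the value is used.
      username: $secret{store=azure-prod,ref=linux-user}
      password: $secret{store=azure-prod,ref=linux-root-password}

  - name: jump-host
    properties:
      # ID-based lookup: the secrets registry entry for this id carries
      # credential_store and credential_ref, so the store is not named
      # here and can be re-pointed without touching this file.
      private_key: $secret{id=2142151252151}
      # Reference into a local (VirtualMetric Vault) store by property key.
      passphrase: $secret{store=ssh-local,ref=ssh_passphrase}

targets:
  - name: api-sink
    properties:
      # Environment variable injected by the deployment platform.
      token: $env{SINK_API_TOKEN}
      # Plain-text values are passed through unchanged.
      endpoint: https://sink.example.internal/ingest
```

Each token is resolved independently, so a single component can mix all three formats; a field whose value is not a token is used as written.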