This plugin provides database credentials using Vault Database secrets and KV secrets engines.
Vault login is not handled by this plugin.
Log in to Vault manually; with the default Token Helper, this creates a Vault token file at $HOME/.vault-token. For native secret storage on macOS, Linux, and Windows, check another Vault Token Helper.
This plugin caches credentials in memory until they expire.
- Using IDE built-in plugin system: Settings/Preferences > Plugins > Marketplace > Search for "datagrip-vault-plugin" > Install Plugin
- Manually: Download the latest release and install it manually using Settings/Preferences > Plugins > ⚙️ > Install plugin from disk...
Use the following settings to connect DBeaver to HashiCorp Vault and retrieve credentials:
- Secret (Required)
  The API path to the secret in Vault.
- Address (Optional)
  The Vault server URL.
  If not specified, the plugin will use the VAULT_AGENT_ADDR environment variable, and then VAULT_ADDR as a fallback.
- Token File (Optional)
  Path to the Vault token file.
  If not provided, the plugin will fall back to the Vault Token Helper, and then $HOME/.vault-token.
- SSL Certificate (Optional)
  Path to the SSL certificate to trust.
  Defaults to the value of the VAULT_CACERT environment variable if not set.
- Namespace (Optional)
  Absolute or relative namespace path.
  Defaults to the value of the VAULT_NAMESPACE environment variable if not set.
- Secret Type (Required)
  The type of secret to retrieve. Supported values:
  - Dynamic role
  - Static role
  - KV version 1
  - KV version 2
- Username Key (Required for KV v1 and KV v2)
  The JSON key used to extract the database username from the secret.
- Password Key (Required for KV v1 and KV v2)
  The JSON key used to extract the database password from the secret.
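The settings above imply an address fallback order and a different response layout per secret type. The following Python sketch is an added illustration, not the plugin's own code: the labels `dynamic`, `static`, `kv1`, `kv2`, the function names and the sample responses are assumptions made for the example, and the response shapes follow Vault's HTTP API.

```python
# Added illustration; not the plugin's source. Secret-type labels are hypothetical.
SAMPLE_RESPONSES = {  # constructed, trimmed Vault API response bodies
    "dynamic": {"lease_duration": 3600,
                "data": {"username": "v-token-app-x1", "password": "dyn-pass"}},
    "static": {"data": {"username": "app_ro", "password": "static-pass", "ttl": 540}},
    "kv1": {"data": {"db_user": "legacy", "db_pass": "kv1-pass"}},
    "kv2": {"data": {"data": {"db_user": "svc", "db_pass": "kv2-pass"},
                     "metadata": {"version": 3}}},
}

def resolve_address(explicit, env):
    """Address setting first, then VAULT_AGENT_ADDR, then VAULT_ADDR."""
    for candidate in (explicit, env.get("VAULT_AGENT_ADDR"), env.get("VAULT_ADDR")):
        if candidate:
            return candidate
    raise ValueError("no Vault address: set Address, VAULT_AGENT_ADDR or VAULT_ADDR")

def extract_credentials(secret_type, response, username_key=None, password_key=None):
    """Return (username, password, ttl_seconds) from a decoded Vault response."""
    data = response["data"]
    ttl = None  # KV secrets carry no database lease; caching them is not modelled here
    if secret_type == "dynamic":
        ttl = response.get("lease_duration")  # lease length of the generated user
    elif secret_type == "static":
        ttl = data.get("ttl")  # seconds until Vault rotates the static password
    elif secret_type == "kv2":
        data = data["data"]  # KV v2 nests the secret under data.data, beside metadata
    elif secret_type != "kv1":
        raise ValueError(f"unsupported secret type: {secret_type}")
    if secret_type in ("dynamic", "static"):
        # Database secrets engine responses always use these two field names.
        username_key, password_key = "username", "password"
    elif not (username_key and password_key):
        raise ValueError("Username Key and Password Key are required for KV secrets")
    missing = [k for k in (username_key, password_key) if k not in data]
    if missing:
        # Report key names only, so secret values never reach IDE logs.
        raise KeyError("secret has no key(s): " + ", ".join(missing))
    return data[username_key], data[password_key], ttl

if __name__ == "__main__":
    env = {"VAULT_ADDR": "https://vault.example.internal:8200"}  # constructed
    print(resolve_address(None, env))
    print(extract_credentials("kv2", SAMPLE_RESPONSES["kv2"], "db_user", "db_pass")[0])
```

A KV v2 secret read with KV v1 handling fails on the key lookup because the keys sit one level deeper, which is the usual symptom of picking the wrong Secret Type.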
Parsing of the Vault config file (from the VAULT_CONFIG_PATH environment variable, or the default ~/.vault) is restricted to JSON syntax only. Native HCL syntax is not supported.
