mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-22 23:21:08 +02:00
0660ea6fac
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
66 lines
2.4 KiB
Plaintext
66 lines
2.4 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Cubbyhole secrets engine
|
|
description: >-
|
|
Store arbitrary secrets scoped to a single client token with the Cubbyhole secrets engine plugin.
|
|
---
|
|
|
|
> [!IMPORTANT]
|
|
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
|
|
|
|
# Cubbyhole secrets engine
|
|
|
|
The `cubbyhole` secrets engine is used to store arbitrary secrets within the
|
|
configured physical storage for Vault namespaced to a token. In `cubbyhole`,
|
|
paths are scoped per token. No token can access another token's cubbyhole. When
|
|
the token expires, its cubbyhole is destroyed.
|
|
|
|
Also unlike the `kv` secrets engine, because the cubbyhole's lifetime is
|
|
linked to that of an authentication token, there is no concept of a TTL or
|
|
refresh interval for values contained in the token's cubbyhole.
|
|
|
|
Writing to a key in the `cubbyhole` secrets engine will completely replace the
|
|
old value.
|
|
|
|
## Setup
|
|
|
|
Most secrets engines must be configured in advance before they can perform their
|
|
functions. These steps are usually completed by an operator or configuration
|
|
management tool.
|
|
|
|
The `cubbyhole` secrets engine is enabled by default. It cannot be disabled,
|
|
moved, or enabled multiple times.
|
|
|
|
## Usage
|
|
|
|
After the secrets engine is configured and a user/machine has a Vault token with
|
|
the proper permission, it can generate credentials. The `cubbyhole` secrets
|
|
engine allows for writing keys with arbitrary values.
|
|
|
|
1. Write arbitrary data:
|
|
|
|
```text
|
|
$ vault write cubbyhole/my-secret my-value=s3cr3t
|
|
Success! Data written to: cubbyhole/my-secret
|
|
```
|
|
|
|
1. Read arbitrary data:
|
|
|
|
```text
|
|
$ vault read cubbyhole/my-secret
|
|
Key Value
|
|
--- -----
|
|
my-value s3cr3t
|
|
```
|
|
|
|
## Tutorial
|
|
|
|
Refer to the [Cubbyhole Response Wrapping](/vault/tutorials/secrets-management/cubbyhole-response-wrapping)
|
|
tutorial to learn how to securely distribute the initial token to the trusted entity.
|
|
|
|
## API
|
|
|
|
The Cubbyhole secrets engine has a full HTTP API. Please see the
|
|
[Cubbyhole secrets engine API](/vault/api-docs/secret/cubbyhole) for more
|
|
details.
|