Vault integration
If you manage your secrets with HashiCorp Vault, you can use them for configuration and provisioning.
Note: If you have Grafana , then we advise not to use dynamic secrets for provisioning files. Each Grafana instance is responsible for renewing its own leases. Your data source leases might expire when one of your Grafana servers shuts down.
Before using Vault, you need to activate it by providing a URL, authentication method (currently only token), and a token for your Vault service. Grafana automatically renews the service token if it is renewable and set up with a limited lifetime.
If you’re using short-lived leases, then you can also configure how often Grafana should renew the lease and for how long. We recommend keeping the defaults unless you run into problems.
url = http://127.0.0.1:8200 # HTTP should only be used for local testing
auth_method = token
token = s.sAZLyI0r7sFLMPq6MWtoOhAN # replace with your key
Using the Vault expander
After you configure Vault, you must set the configuration or provisioning files in which you want to use Vault. Vault configuration is an extension of the configuration's variable expansion and follows the $__vault{<argument>} syntax.
The argument to Vault consists of three parts separated by a colon:
- The first part specifies which secrets engine should be used.
- The second part specifies which secret should be accessed.
- The third part specifies which field of that secret should be used.
For example, if you place a Key/Value secret for the Grafana admin user in secret/grafana/admin_defaults, the syntax for accessing its password field would be .
Vault supports many secrets engines, which represent different methods for storing or generating secrets when requested by an authorized user. Grafana supports a subset of these that are most likely to be relevant for a Grafana installation.
Key/Value
Databases
The Vault databases secrets engines are a family of secrets engines that share a similar syntax and grant the user dynamic access to a database. You can use them both for setting up Grafana's own database access and for provisioning data sources.
$__vault{database:database/creds/grafana:username}
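The following check is an added example, not part of Grafana or of the original page. It parses the three-part $__vault{<argument>} syntax described above and, for provisioning files, flags dynamic database secrets, the case the note at the top of this page advises against. The function names and the strict three-part split on colons are assumptions.

```python
import re

# Matches $__vault{<argument>}; the argument runs up to the closing brace.
VAULT_EXPR = re.compile(r"\$__vault\{([^}]*)\}")

# Engines that hand out dynamic, leased credentials. "database" is the engine
# name shown on this page; extend the set for other lease-based engines.
DYNAMIC_ENGINES = {"database"}


def parse_vault_argument(argument):
    """Split '<engine>:<secret path>:<field>' and reject anything else."""
    parts = [p.strip() for p in argument.split(":")]
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected engine:path:field, got {argument!r}")
    return tuple(parts)


def lint(text, provisioning=False):
    """Return (line_no, severity, message) for each problematic expression."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in VAULT_EXPR.finditer(line):
            try:
                engine, path, field = parse_vault_argument(match.group(1))
            except ValueError as exc:
                findings.append((line_no, "error", str(exc)))
                continue
            if provisioning and engine in DYNAMIC_ENGINES:
                findings.append((line_no, "warning",
                                 f"dynamic secret {path}:{field} in a provisioning "
                                 "file; each Grafana instance renews only its own leases"))
    return findings


# Constructed sample: line 1 uses an expression from this page, line 2 lacks a field.
SAMPLE = (
    "user: $__vault{database:database/creds/ro/stats:username}\n"
    "password: $__vault{database:database/creds/ro/stats}\n"
)

if __name__ == "__main__":
    for finding in lint(SAMPLE, provisioning=True):
        print(finding)
```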
Examples
The following examples show you how to set your configuration or provisioning files to use Vault to retrieve configuration values.
Configuration
The following is a partial example for using Vault to set up a Grafana configuration file’s email and database credentials. Refer to for more information.
Provisioning
The following is a full example of a provisioning YAML file setting up a MySQL data source using Vault's database secrets engine. Refer to for more information.
apiVersion: 1
datasources:
  - type: mysql
    url: localhost:3306
    database: stats
    user: $__vault{database:database/creds/ro/stats:username}
    secureJsonData: