
Store secrets in Vault

Vault secures, stores, and controls access to tokens, passwords, certificates, and other sensitive secrets. Store sensitive secrets in Vault using InfluxDB’s built-in Vault integration.

To store secrets in Vault, complete the following steps:

  1. Start a Vault server.
  2. Provide Vault server address and token.
  3. Start InfluxDB.
  4. Manage secrets through the InfluxDB API.

Start a Vault server

Start a Vault server and ensure InfluxDB has network access to the server.

The following links provide information about running Vault in both development and production:

InfluxDB supports the Vault KV Secrets Engine Version 2 API only. When you create a secrets engine, enable the kv-v2 version by running:

vault secrets enable kv-v2

For this example, install Vault on your local machine and start a Vault dev server.

vault server -dev

Provide Vault server address and token

Use influxd Vault-related flags or Vault environment variables to provide connection credentials and other important Vault-related information to InfluxDB.

Required credentials

Vault address

Provide the API address of your Vault server (available in the Vault server output) using the --vault-addr flag when starting influxd or with the VAULT_ADDR environment variable.

Vault token

Provide your Vault token (required to access your Vault server) using the --vault-token flag when starting influxd or with the VAULT_TOKEN environment variable.

Your Vault server configuration may require other Vault settings.

Start InfluxDB

Start the influxd service with the --secret-store option set to vault and any other necessary flags.

influxd --secret-store vault \
  --vault-addr=http://127.0.0.1:8200 \
  --vault-token=s.0X0XxXXx0xXxXXxxxXxXxX0x

influxd includes the following Vault configuration options. If set, these flags override any Vault environment variables:

  • --vault-addr
  • --vault-cacert
  • --vault-capath
  • --vault-client-cert
  • --vault-client-key
  • --vault-max-retries
  • --vault-client-timeout
  • --vault-skip-verify
  • --vault-tls-server-name
  • --vault-token

For more information, see InfluxDB configuration options.
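The following is an added example, not part of the InfluxDB documentation or code. It supplies VAULT_ADDR and VAULT_TOKEN through the environment instead of the --vault-token flag, because command-line arguments are typically visible to other local users in the process list. The function names, the token file path, the host vault.example.internal, and the rule that http:// is accepted only for loopback addresses are assumptions of this example.

```shell
# Added example: pass Vault settings to influxd via the environment.
# Assumed by this example (not InfluxDB rules): http:// only for loopback,
# and a token file that group/other cannot read.

# Succeed only if the file exists and has no group/other permission bits.
token_file_is_private() {
  [ -f "$1" ] || return 1
  perms=$(ls -ld "$1" | cut -c5-10)
  [ "$perms" = "------" ]
}

# Succeed for https://, or for http:// to a loopback host only.
vault_addr_is_acceptable() {
  case "$1" in
    *@*) return 1 ;;   # reject userinfo forms such as http://127.0.0.1:1@host
    https://*) return 0 ;;
    http://127.0.0.1|http://127.0.0.1:*) return 0 ;;
    http://localhost|http://localhost:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: load_vault_env <vault-addr> <token-file>
# Exports VAULT_ADDR and VAULT_TOKEN; returns 2, 3 or 4 on unsafe input.
load_vault_env() {
  addr=$1
  token_file=$2
  if ! vault_addr_is_acceptable "$addr"; then
    echo "refusing Vault address (need https://, or http:// to loopback): $addr" >&2
    return 2
  fi
  if ! token_file_is_private "$token_file"; then
    echo "token file missing or readable by group/other: $token_file" >&2
    return 3
  fi
  # Use the first line only; drop a trailing CR if present.
  token=$(head -n 1 "$token_file" | tr -d '\r')
  if [ -z "$token" ]; then
    echo "token file is empty: $token_file" >&2
    return 4
  fi
  VAULT_ADDR=$addr
  VAULT_TOKEN=$token
  export VAULT_ADDR VAULT_TOKEN
}

# Typical use (hypothetical host and path; not executed here):
#   load_vault_env https://vault.example.internal:8200 /etc/influxdb/vault-token \
#     && exec influxd --secret-store vault
```

Because the flags override the environment variables, do not also pass --vault-addr or --vault-token when starting influxd this way.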

Manage secrets through the InfluxDB API

Use the InfluxDB /org/{orgID}/secrets API endpoint to add tokens to Vault. For details, see Manage secrets.

