Documentation

InfluxDB OSS v2

Store secrets in Vault

Vault secures, stores, and controls access to tokens, passwords, certificates, and other sensitive secrets. Store sensitive secrets in Vault using InfluxDB’s built-in Vault integration.

To store secrets in Vault, complete the following steps:

  1. Start a Vault server.
  2. Provide Vault server address and token.
  3. Start InfluxDB.
  4. Manage secrets through the InfluxDB API.

Start a Vault server

Start a Vault server and ensure InfluxDB has network access to the server.

The following links provide information about running Vault in both development and production:

InfluxDB supports the Vault KV Secrets Engine Version 2 API only. When you create a secrets engine, enable the kv-v2 version by running:

vault secrets enable kv-v2
  • Copy
  • Fill window

For this example, install Vault on your local machine and start a Vault dev server.

vault server -dev
  • Copy
  • Fill window

Provide Vault server address and token

Use influxd Vault-related tags or Vault environment variables to provide connection credentials and other important Vault-related information to InfluxDB.

Required credentials

Vault address

Provide the API address of your Vault server (available in the Vault server output) using the --vault-addr flag when starting influxd or with the VAULT_ADDR environment variable.

Vault token

Provide your Vault token (required to access your Vault server) using the --vault-token flag when starting influxd or with the VAULT_TOKEN environment variable.

Your Vault server configuration may require other Vault settings.

Start InfluxDB

Start the influxd service with the --secret-store option set to vault and any other necessary flags–for example, enter the following command:

influxd --secret-store vault \
  --vault-addr=http://127.0.0.1:8200 \
  --vault-token=$VAULT_TOKEN
  • Copy
  • Fill window

influxd includes the following Vault configuration options. If set, these flags override any Vault environment variables:

  • --vault-addr
  • --vault-cacert
  • --vault-capath
  • --vault-client-cert
  • --vault-client-key
  • --vault-max-retries
  • --vault-client-timeout
  • --vault-skip-verify
  • --vault-tls-server-name
  • --vault-token

For more information, see InfluxDB configuration options.

Manage secrets through the InfluxDB API

Use the InfluxDB /org/{orgID}/secrets API endpoint to add tokens to Vault. For details, see Secrets.

secrets security

Was this page helpful?

Thank you for your feedback!

© 2025 InfluxData, Inc.

What is your InfluxDB OSS URL?

Customize your InfluxDB OSS URL and we’ll update code examples for you.

Default
Custom

For more information, see InfluxDB OSS URLs.

Thank you for your feedback!

Let us know what we can do better:

Thank you!

No thanks

The future of Flux

Flux is going into maintenance mode. You can continue using it as you currently are without any changes to your code.

Read more

InfluxDB 3 Core and Enterprise are now in Beta

InfluxDB 3 Core and Enterprise are now available for beta testing, available under MIT or Apache 2 license.

InfluxDB 3 Core is a high-speed, recent-data engine that collects and processes data in real-time, while persisting it to local disk or object storage. InfluxDB 3 Enterprise is a commercial product that builds on Core’s foundation, adding high availability, read replicas, enhanced security, and data compaction for faster queries. A free tier of InfluxDB 3 Enterprise will also be available for at-home, non-commercial use for hobbyists to get the full historical time series database set of capabilities.

For more information, check out:

Ask AI