---
title: Telegraf Secret Store Plugins
description: Telegraf secret store plugins provide secrets such as credentials to plugins.
url: https://docs.influxdata.com/telegraf/v1/secretstore-plugins/
estimated_tokens: 963
product: Telegraf Controller
version: v1
publisher: InfluxData
canonical: https://docs.influxdata.com/telegraf/v1/secretstore-plugins/
date: '2026-06-11T17:00:50+02:00'
lastmod: '2026-06-11T17:00:50+02:00'
---

Telegraf secret store plugins provide secrets such as credentials to plugins.
Secret store plugins provide secrets like usernames, passwords, or tokens
to other plugins including other secret stores (for example, when retrieving
secrets requires a token). Different secret store plugins retrieve secrets from different stores, including the operating system, Docker Secrets, and HashiCorp Vault.

### Docker

Plugin ID: `secretstores.docker`  
Telegraf v1.27.0+

This plugin provides access to [Docker
secrets](https://docs.docker.com/engine/swarm/secrets/) mounted by the
engine during container runtime. The secrets are accessible as files
under `/run/secrets` from within the container.

[View](/telegraf/v1/secretstore-plugins/docker/)

### GoogleCloud Credentials

Plugin ID: `secretstores.googlecloud`  
Telegraf v1.37.0+

This plugin retrieves token-based [Google Cloud
Credentials](https://docs.cloud.google.com/docs/authentication).

[View](/telegraf/v1/secretstore-plugins/googlecloud/)

### HTTP Secret store

Plugin ID: `secretstores.http`  
Telegraf v1.27.0+

This plugin queries secrets from an HTTP endpoint. The secrets can be
transmitted either in plain text or encrypted.

[View](/telegraf/v1/secretstore-plugins/http/)

### Javascript Object Signing and Encryption

Plugin ID: `secretstores.jose`  
Telegraf v1.25.0+

This plugin reads local secrets from files protected by the [Javascript Object Signing and
Encryption](https://github.com/dvsekhvalnov/jose2go) algorithm.

[View](/telegraf/v1/secretstore-plugins/jose/)

### OAuth2

Plugin ID: `secretstores.oauth2`  
Telegraf v1.28.0+

This plugin retrieves and maintains secrets from various OAuth2
services such as [Auth0](https://auth0.com), [AzureAD](https://azure.microsoft.com/en/products/active-directory) or
others (see Configuration section). Expired tokens are renewed
automatically so that plugins referencing those tokens can keep performing
their API calls without interruption.

> [!Note]
> This plugin only supports the *2-legged client credentials* flow.

[View](/telegraf/v1/secretstore-plugins/oauth2/)

### OS

Plugin ID: `secretstores.os`  
Telegraf v1.25.0+

This plugin reads and manages secrets using the native operating
system keyring. On Windows, the plugin uses the [credential
manager](https://support.microsoft.com/windows/credential-manager-in-windows-1b5c916a-6a16-889f-8581-fc16e8165ac0),
on Linux the [kernel
keyring](https://docs.kernel.org/security/keys/core.html), and on
macOS the [Keychain](https://support.apple.com/guide/keychain-access/kyca1083/mac) implementation.

[View](/telegraf/v1/secretstore-plugins/os/)

### Systemd

Plugin ID: `secretstores.systemd`  
Telegraf v1.29.0+

This plugin uses credentials and secrets provided to the
Telegraf service by [systemd](https://www.freedesktop.org/wiki/Software/systemd/). Systemd
ensures that only the intended service can access the credentials for the
lifetime of this service. The credentials appear as plaintext files to
the consuming service but are stored encrypted on the host system. This
encryption can also use TPM2 protection if available (see [this
article](https://systemd.io/CREDENTIALS) for details).

This plugin does not support setting the credentials. See the credentials
management section below for how to set up systemd credentials and how to
add credentials.

> [!Note]
> This plugin requires systemd version 250+.

[View](/telegraf/v1/secretstore-plugins/systemd/)

### HashiCorp Vault

Plugin ID: `secretstores.vault`  
Telegraf v1.37.0+

This plugin provides access to secrets stored in a [HashiCorp
Vault](https://www.hashicorp.com/en/products/vault) server via the Vault
API. It supports authentication via a pre-obtained token or via the `AppRole` method.

[View](/telegraf/v1/secretstore-plugins/vault/)
