Vault Secrets Plugin
The Vault Secrets plugin provides a user-friendly interface for managing secrets stored in HashiCorp Vault, with support for user and group keystores.
Overview
| Property | Value |
|---|---|
| Package | @internal/backstage-plugin-vault-secrets |
| Type | Frontend |
| Plugin ID | vault-secrets |
| Backend | vault-secrets-backend |
Architecture
Components
VaultSecretsPage
Main page for secret management.
<VaultSecretsPage />
Features:
- Tabbed navigation between user and group keystores
- Breadcrumb path navigation
- Search and filter capabilities
VaultSecretsList
Browse and list secrets at a path.
<VaultSecretsList path="/users/john.doe" onSecretSelect={handleSelect} />
Features:
- Hierarchical folder navigation
- Secret listing with metadata
- Delete and edit actions
EditSecretEditor
Edit existing secrets.
<EditSecretEditor
  path="/users/john.doe/api-key"
  onSave={handleSave}
  onCancel={handleCancel}
/>
Features:
- Key-value pair editing
- Add/remove fields
- JSON view option
CreateSecretEditor
Create new secrets.
<CreateSecretEditor
  basePath="/users/john.doe"
  onSave={handleSave}
  onCancel={handleCancel}
/>
Features:
- Secret name input
- Key-value pair editor
- Template selection
Keystore Structure
User Keystore
Personal secrets accessible only to the individual user.
Path Pattern: users/{username}/{secret-name}
Example:
users/john.doe/github-token
users/john.doe/aws-credentials
Group Keystore
Shared secrets accessible to team members.
Path Pattern: groups/{team-name}/{secret-name}
Example:
groups/platform-team/tfc-token
groups/devops/prod-db-password
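The two path patterns above imply a per-request check that the caller actually owns the keystore a path points into. The following is an added example, not the plugin's or backend's own code: `Caller`, `Decision`, `authorizeKeystorePath` and the allowed segment alphabet are assumptions made for illustration.

```typescript
// Added example; Caller, Decision and authorizeKeystorePath are hypothetical
// names, not part of the plugin or its backend.
interface Caller { username: string; groups: string[] }
interface Decision { allowed: boolean; path?: string; reason: string }

// Assumed segment alphabet; align it with what the real backend permits.
const SEGMENT = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;

function authorizeKeystorePath(rawPath: string, caller: Caller): Decision {
  // The page writes paths both as "/users/john.doe" and "users/john.doe",
  // so strip leading and trailing slashes before splitting.
  const segments = rawPath.replace(/^\/+|\/+$/g, "").split("/");

  // "", ".", "..", "%2e%2e" and backslashes all fail the alphabet check,
  // so traversal is rejected instead of being resolved.
  for (const s of segments) {
    if (!SEGMENT.test(s)) {
      return { allowed: false, reason: `bad segment ${JSON.stringify(s)}` };
    }
  }
  if (segments.length < 2) {
    return { allowed: false, reason: "path must name a keystore and an owner" };
  }
  const [keystore = "", owner = ""] = segments;

  // Compare whole segments: a string-prefix test on "users/john.doe" would
  // also match "users/john.doe-admin/...".
  const owns =
    (keystore === "users" && owner === caller.username) ||
    (keystore === "groups" && caller.groups.some((g) => g === owner));
  return owns
    ? { allowed: true, path: segments.join("/"), reason: "ok" }
    : { allowed: false, reason: `caller has no access to ${keystore}/${owner}` };
}

// Constructed sample caller and requests.
const sampleCaller: Caller = { username: "john.doe", groups: ["platform-team"] };
for (const p of [
  "/users/john.doe/api-key",
  "groups/devops/prod-db-password",
  "users/john.doe/../jane.roe/github-token",
]) {
  console.log(p, authorizeKeystorePath(p, sampleCaller));
}
```

A check like this belongs on the backend side of the API; running it only in the frontend gives navigation hints, not access control.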
API Client
interface VaultSecretsApi {
  // Health
  getHealth(): Promise<VaultHealth>;

  // Secret operations
  listSecrets(path: string): Promise<SecretMetadata[]>;
  readSecret(path: string): Promise<SecretData>;
  writeSecret(path: string, data: Record<string, string>): Promise<void>;
  deleteSecret(path: string): Promise<void>;

  // User info
  getUserInfo(): Promise<UserInfo>;
}
Access Control
Usage Examples
Storing API Keys
// Write a new API key
await vaultSecretsApi.writeSecret("users/john.doe/github-token", {
  token: "ghp_xxxxxxxxxxxx",
  created: new Date().toISOString(),
});
Team Shared Credentials
// Write team credentials
await vaultSecretsApi.writeSecret("groups/platform-team/gcp-service-account", {
  type: "service_account",
  project_id: "my-project",
  private_key: "-----BEGIN PRIVATE KEY-----\n...",
  client_email: "sa@my-project.iam.gserviceaccount.com",
});
Listing Secrets
// List user's secrets
const secrets = await vaultSecretsApi.listSecrets("users/john.doe");
console.log(secrets);
// [{ name: 'github-token', ... }, { name: 'aws-credentials', ... }]
Related Documentation
- Vault Secrets Backend - Backend API
- Claude Flow - Uses Vault for session secrets
- Plugins Overview