logoCloudomation Docs

    Vault Integration

    Cloudomatin offers the integration of vault services.


    Cloudomation offers the integration of an HashiCorp Vault (for more information see The integration provides the user with various options to interact with this Vault service:

    • Vault Configuration: configure the accesspoint for your Vault service in Cloudomation and allows adding token per user.
    • Connections: configure which secrets will be used from your Vault service for a particular connection. When the saved connection is used, it will retrieve the respective secrets.
    • TaskVAULT: provides an interface for exhaustive interaction without your Vault (read, write, update, versioning of secrets, change secret-metadata, ...).

    Vault Configuration

    Add your Vault service to Cloudomation by providing the URL to the service. Then each user on Cloudomation can register their Vault token with Cloudomation and have access to stored secrets for their Flow Scripts. Connections will have access to the configured Vault.

    Only authenticated users with respective rights for the Vault will be able to use the secrets

    Adding a Vault Service

    Adding a Vault service is done in only few steps:

    1. On the left pane go to: Admin > Vault Configuration.
    2. Click on "New" on the top menu bar.
    3. Fill in the form:
      • A Descriptive short name for the Vault Configuration
      • The Vault URL (provided by your service)
      • Set it to be "Enabled"
      • If you have a CA certificate, enter it as well

    Attach a user vault token

    Each user in Cloudomation with access to the Vault service can add their Vault token. If that user runs a Flow Script that requires secrets from the Vault, this token is used for authentification.

    Token will be added for the user as whom you are logged in
    1. Copy your token from your Vault service
    2. On Cloudomation navigate to the respective Vault Configuration
    3. Click "Authenticate" (top menu)
    4. Paste the token in the popup window

    Token renewal

    Cloudomation offers an automatic token renewal, which can be set for each Vault Configuration. The automatic renewal is enabled by defaut. This can only be enabled by the organization's admin and be applied to all users.

    User token will be renewed if they expire within the next 2 days.

    Automatic renewal will fail if the token's Time To Live (TTL) is reached or it is not set as renewable on the Vault's side!

    Vault usage in Flow Scripts

    The following methods of Vault interaction are implemented:

    Write secrets using a vault_config record

    Within Flow Scripts it is possible to write a secret to the Vault using system.vault_config() and its write_secret method. Besides the secret (key-value pairs as Python dictionaries) also the path for the secret in the Vault must be provided. The authentification towards the Vault is done with the Vault token which is deposited on Cloudomation and for the user who runs the Flow Script.

    The following example demonstrates the usage in a Flow Script (see the public flow script library):

    import flow_api
    def handler(system: flow_api.System, this: flow_api.Execution):
    secrets_input_form = system.message(
    subject='Input for a secret with username and password',
    message_type = 'POPUP',
    'type': 'object',
    'properties': {
    'secret_1': {
    'element': 'string',
    'type': 'string',
    'label': 'Enter the secret "secret_1":',
    'order': 1,
    'secret_2': {
    'element': 'password',
    'type': 'string',
    'label': 'Enter the secret "secret_2":',
    'order': 2,
    'Ok': {
    'element': 'submit',
    'label': 'OK',
    'type': 'boolean',
    'order': 3,
    'required': [
    target_vault = '<your-vault-configuration-name>' # if None, then is iterating over all vaults in DB
    secret_path = '<your-secret-path-in-vault>'
    new_secrets = {
    "secret_1": secrets_input_form['secret_1'],
    "secret_2": secrets_input_form['secret_2'],
    my_vault = system.vault_config(target_vault)
    return this.success('all done')
    Don't provide secrets to the Flow Script coded in plain text! Rather use a Message Form and pass the user input further.

    Vault secrets in connections

    Connections in Cloudomation are not only used to connect with a service but also to configure which secrets will be fetched from a Vault.

    This is a safe way where secrets will not be stored or exposed within Cloudomation

    For every connection type Vault secrets can be attached by using the input variable vault_secrets. The secrets' paths are supplied as comma separated list (secret-path1,secret-path2), though there are two options:

    1. Only supply the path(s): the first vault configuration found on Cloudomation is used.
    2. Also specify the name of the vault configuration: <vault_config name>:<secret path>.

    To map the secrets from a Vault to the input values of the connection simply assign the string vault.secret(<key>) and use the respective key of the secret (see the example below).


    import flow_api
    def handler(system: flow_api.System, this: flow_api.Execution):
    # Create connection of type GIT and link it with vault secrets
    'secret_1': 'vault.secret(secret_1)',
    'secret_2': 'vault.secret(secret_2)',
    return this.success('all done')

    Vault Task type

    The TaskVAULT is a complete interface to the Vault's API for your Flow Scripts. Amongst others, it allows creation, reading and deleting secrets or metadata. Documentation and an example can be found at

    Secrets could become exposed within your Flow Script. Use this method with caution!

    The preferred method to fetch secrets is the use of a Connection.

    The preferred method to write secrets is the use of vault_config.write_secret() method.

    Knowledge Base — Previous
    Using Python Functionality in Flow Scripts
    Next — Knowledge Base