
HashiCorp Vault + Turbot Steampipe

Vault is an industry-leading Secrets Management & Data Protection solution from HashiCorp.

Steampipe is an open source CLI from Turbot for querying cloud APIs using SQL.

Getting Started


Download and install the latest Vault plugin:

steampipe plugin install theapsgroup/vault


  • Vault Server
  • Vault API Token


The preferred option is to configure the plugin through environment variables, because the Vault token should be rotated frequently. You can instead configure it in ~/.steampipe/config/vault.spc; settings in that file take precedence.

Environment Variables (default from HashiCorp Vault):

  • VAULT_ADDR for the server address (ex:
  • VAULT_TOKEN for the API token (ex: s.f7Ea3C3ojOYE0GRLzmhSGNkE)

Configuration File:

connection "vault" {
  plugin    = "theapsgroup/vault"
  address   = ""
  auth_type = "token"
  token     = "s.f7Ea3C3ojOYE0GRLzmhSGNkE"
}


Vault supports multiple authentication backends; the plugin currently supports token and AWS IAM. Note that, in line with the Vault CLI behavior, if a Vault token is supplied, it will be used instead of your configured authentication method.

# Token authentication
connection "vault" {
  plugin    = "theapsgroup/vault"
  address   = ""
  auth_type = "token"
  token     = "sometoken"
}

# AWS IAM authentication
connection "vault" {
  plugin       = "theapsgroup/vault"
  address      = ""
  auth_type    = "aws"
  aws_role     = "steampipe-test-role"
  aws_provider = "aws"
}

aws_role is the name of the role as configured in the Vault AWS authentication backend.

aws_provider is the name of the access engine in Vault.

The Vault plugin will resolve the AWS credentials in the normal AWS SDK Credentials chain order.
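
As an added example (not part of the plugin or its documentation), the shell function below audits a connection file for the two situations described above: a token stored in the file, and a token left beside auth_type = "aws", which the token would override. It also flags group- or world-accessible file permissions; the function name, the finding labels and the sample file are assumptions made for this example.

```shell
# audit_vault_spc FILE: print one finding per line for a Steampipe .spc file.
# Returns 0 when clean, 1 when there are findings, 2 when FILE is unreadable.
audit_vault_spc() {
    spc=$1
    [ -r "$spc" ] || { echo "UNREADABLE $spc"; return 2; }
    out=$(awk '
        # Return the value of a key = "value" line without its quotes.
        function val(s) { sub(/^[^=]*=[ \t]*"?/, "", s); sub(/"?[ \t]*$/, "", s); return s }
        # Report on the connection block that just ended, then reset state.
        function emit() {
            if (plugin ~ /theapsgroup\/vault/ && token != "") {
                print "TOKEN_IN_FILE " name
                # Per the page, a supplied token is used instead of auth_type.
                if (auth == "aws") print "TOKEN_OVERRIDES_AWS " name
            }
            name = plugin = auth = token = ""
        }
        /^[ \t]*#/                 { next }
        # A new block header also closes the previous block, so files with a
        # missing closing brace are still split per connection.
        /^[ \t]*connection[ \t]+"/ { emit(); name = $2; gsub(/"/, "", name); next }
        /^[ \t]*plugin[ \t]*=/     { plugin = val($0) }
        /^[ \t]*auth_type[ \t]*=/  { auth = val($0) }
        /^[ \t]*token[ \t]*=/      { token = val($0) }
        END { emit() }
    ' "$spc")
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ldL "$spc" | cut -c5-10)
    [ "$perms" = "------" ] || out=$(printf '%s\nLOOSE_PERMS %s' "$out" "$perms")
    out=$(printf '%s\n' "$out" | sed '/^$/d')
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: AWS auth configured, but a token left in the file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
connection "vault" {
  plugin    = "theapsgroup/vault"
  address   = ""
  auth_type = "aws"
  aws_role  = "steampipe-test-role"
  token     = "sometoken"
}
EOF
chmod 644 "$sample"
audit_vault_spc "$sample" || true
rm -f "$sample"
```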


A quick test can be performed from your terminal with:

steampipe query "select * from vault_engine"


The following tables are available for querying; follow the links for more information.