HashiCorp Cloud Platform
Retrieve a secret from HCP Vault Secrets
In the previous tutorial, you created a secret and learned how to authenticate with HCP Vault Secrets.
In this tutorial, you will learn how to retrieve secrets using the HCP CLI and HCP Vault Secrets API.
Prerequisites
- An existing HCP account
- Completed the previous HCP Vault Secrets tutorials
- HCP CLI
- jq
- curl (API only)
- HCP service principal with HCP_CLIENT_ID and HCP_CLIENT_SECRET environment variables set
Applications, services, and workflows need to retrieve secrets so teams do not have to store secret information such as usernames, passwords, or API keys in source code.
HCP Vault Secrets provides the flexibility to use either the HCP CLI or an API to interact with secrets.
Tip
The HCP CLI provides context aware help based on the command or subcommand in use.
Review the available secrets.
$ hcp vault-secrets secrets list
Secret Name  Latest Version  Created At
username     2               2024-06-11T13:02:55.482Z
You created the username secret during the Create a secret in HCP Vault Secrets tutorial. The version was incremented to 2 by changing the username value from database-user to db-user.
Retrieve details about the username secret.
$ hcp vault-secrets secrets open username
Secret Name: username
Latest Version: 2
Created At: 2024-06-11T13:02:55.482Z
Type: kv
Value: db-user
You can control the CLI output using the --format parameter. Use --format json to retrieve a secret in JSON format.
$ hcp vault-secrets secrets open username --format=json
{
  "created_at": "2024-06-11T13:02:55.482Z",
  "latest_version": 2,
  "name": "username",
  "static_version": {
    "created_at": "0001-01-01T00:00:00.000Z",
    "value": "db-user"
  },
  "type": "kv"
}
Retrieve the username secret and inject the value into a process.
$ hcp vault-secrets run env | grep USERNAME
USERNAME=db-user
The run command runs the env command, injecting all available secrets from an HCP Vault Secrets application as environment variables.
Create a script named output.sh.
$ tee output.sh <<EOF
#!/bin/bash
echo \$USERNAME
EOF
Use the run subcommand to run output.sh and show the secret value stored in HCP Vault Secrets.
$ hcp vault-secrets run bash ./output.sh
db-user
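A fail-closed counterpart to output.sh, added here as an example and not part of the original tutorial: it confirms that the secrets injected by the run subcommand are present without printing their values. The file name check_secrets.sh and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial). Assumed file name: check_secrets.sh
# Run it the same way the tutorial runs output.sh:
#   hcp vault-secrets run sh ./check_secrets.sh USERNAME

# valid_env_name NAME: accept only names that are safe to expand with eval.
valid_env_name() {
    case "$1" in
        '' | [0-9]* | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# require_secrets NAME...: return 0 only if every variable is set and non-empty.
# Logs go to stderr and name the variable, never its value.
# Returns 1 if a secret is missing, 2 if a name is not a valid identifier.
require_secrets() {
    missing=0
    for name in "$@"; do
        if ! valid_env_name "$name"; then
            echo "refusing invalid variable name" >&2
            return 2
        fi
        eval "value=\${$name-}"
        if [ -z "$value" ]; then
            echo "secret $name: MISSING" >&2
            missing=1
        else
            echo "secret $name: present" >&2
        fi
    done
    unset value
    return "$missing"
}

# With arguments, act as a preflight check and stop before the workload
# starts if any secret was not injected.
if [ "$#" -gt 0 ]; then
    require_secrets "$@" || exit 1
    echo "all required secrets present" >&2
fi
```

Because the check writes only variable names to stderr, its output can go to CI or service logs without exposing the injected values.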
Refer to the HCP Vault Secrets documentation for a list of all available CLI commands.
Next steps
In this tutorial you learned how to retrieve a secret using the HCP Vault Secrets CLI and API.
You can learn more about supported integrations in the HCP Vault Secrets documentation.