Secrets configuration reference

This page documents the configuration for Vector’s secrets management.

Secrets allow you to securely store and reference sensitive configuration values like API keys, passwords, and tokens without exposing them in plaintext configuration files.

For other top-level configuration options, see:

  • Global Options - Global settings like data directories and timezone
  • Pipeline Components - Configure sources, transforms, sinks, and enrichment tables
  • API - Configure Vector's observability API
  • Schema - Configure Vector's internal schema system

secret

optional object
All configured secrets backends.

secret.*

required object
A secret backend.
secret.*.auth
optional object
Configuration of the authentication strategy for interacting with AWS services.
Relevant when: type = "aws_secrets_manager"
secret.*.auth.access_key_id
optional string
The AWS access key ID.
Static keys written here are themselves plaintext secrets in the configuration file; prefer the default credentials chain (instance or task role, IMDS) or assume_role wherever possible.
Examples
"AKIAIOSFODNN7EXAMPLE"
secret.*.auth.assume_role
optional string
The ARN of an IAM role to assume.
Examples
"arn:aws:iam::123456789098:role/my_role"
secret.*.auth.credentials_file
optional string
Path to the credentials file.
Examples
"/my/aws/credentials"
secret.*.auth.external_id
optional string
The optional unique external ID to pass along with the role to assume.
Examples
"randomEXAMPLEidString"
secret.*.auth.imds
optional object
Configuration for authenticating with AWS through IMDS.
secret.*.auth.imds.connect_timeout_seconds
optional uint
Connect timeout for IMDS.
default: 1 (seconds)
secret.*.auth.imds.max_attempts
optional uint
Number of IMDS retries for fetching tokens and metadata.
default: 4
secret.*.auth.imds.read_timeout_seconds
optional uint
Read timeout for IMDS.
default: 1 (seconds)
secret.*.auth.load_timeout_secs
optional uint

Timeout for successfully loading any credentials, in seconds.

Relevant when the default credentials chain or assume_role is used.

Examples
30
secret.*.auth.profile
optional string

The credentials profile to use.

Used to select AWS credentials from a provided credentials file.

Examples
"develop"
default: default
secret.*.auth.region
optional string

The AWS region to send STS requests to.

If not set, this defaults to the configured region for the service itself.

Examples
"us-west-2"
secret.*.auth.secret_access_key
optional string
The AWS secret access key.
Examples
"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
secret.*.auth.session_name
optional string

The optional RoleSessionName, a unique session identifier for your assumed role.

Should be unique per principal or reason so that the session shows up distinctly in CloudTrail. If not set, the session name is autogenerated, for example assume-role-provider-1736428351340.

Examples
"vector-indexer-role"
secret.*.auth.session_token
optional string
The AWS session token. See AWS temporary credentials.
Examples
"AQoDYXdz...AQoDYXdz..."
secret.*.command
required [string]

Command arguments to execute.

The path to the script or binary must be the first argument. Use an absolute path, and make sure neither the executable nor its directory is writable by untrusted users: the command runs with Vector's privileges and receives the list of secret names on its stdin.

Relevant when: type = "exec"
secret.*.endpoint
optional string
Custom endpoint for use with AWS-compatible services.
Relevant when: type = "aws_secrets_manager"
Examples
"http://127.0.0.0:5000/path/to/service"
secret.*.path
required string
File path to read secrets from.
Relevant when: type = "file" or type = "directory"
secret.*.protocol
optional object
Settings for the protocol between Vector and the secrets executable.
Relevant when: type = "exec"
secret.*.protocol.backend_config
optional object
The configuration to pass to the secrets executable. This is the config field in the backend request. Refer to the documentation of your backend_type to see which options must be set.
Relevant when: version = "v1_1"
secret.*.protocol.backend_type
required string
The name of the backend. This is the type field in the backend request.
Relevant when: version = "v1_1"
secret.*.protocol.version
optional string enum
The protocol version.
Enum options
Option   Description
v1       Expect the command to fetch its own configuration options itself.
v1_1     Configuration options (backend_type and backend_config) are curried into each request sent to the command.
default: v1
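The exec backend is the one place where you write code rather than point Vector at a store, so here is an added example of a complete backend script (hypothetical code, not part of Vector or of this reference). It serves both the command description above and the protocol section: Vector runs the configured command, writes one JSON request to the process's stdin and reads one JSON response from stdout. The request and response shapes used here (a "version" string, a "secrets" list of names, plus "type" and "config" for v1_1, answered by a map of name to {"value", "error"}) are this example's assumptions about the protocol and should be checked against the Vector release you deploy. The demo store, the `env_prefix` config key and the `env` backend type are constructed for the example.

```python
#!/usr/bin/env python3
"""Hypothetical `exec` secrets backend for Vector (added example, not Vector's code).

Vector runs `secret.<name>.command`, writes one JSON request to the process's
stdin and reads one JSON response from stdout. Shapes assumed by this example:

  v1   request:  {"version": "1.0", "secrets": ["db_password", ...]}
  v1_1 request:  {"version": "1.1", "type": "<backend_type>",
                  "config": {<backend_config>}, "secrets": [...]}
  response:      {"db_password": {"value": "...", "error": null}, ...}
"""
import json
import os
import sys

# Constructed demo store standing in for a real vault/KMS lookup (assumption).
DEMO_STORE = {
    "db_password": "s3cr3t-from-vault",
    "api_token": "tok_example_123",
}


def resolve(lookup, names):
    """Build the per-secret response.

    One missing secret must not fail the whole batch, and error text must
    never echo a secret value: the name alone is enough to debug.
    """
    response = {}
    for name in names:
        if name in lookup:
            response[name] = {"value": lookup[name], "error": None}
        else:
            response[name] = {"value": None, "error": f"secret {name!r} not found"}
    return response


def handle_request(request, store=None, environ=None):
    """Dispatch on what the request carries.

    v1 requests have only `secrets`; the backend must already know where to look.
    v1_1 requests also carry `type` and `config` (Vector's backend_type and
    backend_config), so the source can be chosen per request. Here `config`
    may name an environment-variable prefix via a hypothetical `env_prefix` key.
    """
    names = request.get("secrets")
    if not isinstance(names, list) or not all(isinstance(n, str) for n in names):
        raise ValueError("request must carry a 'secrets' list of strings")
    config = request.get("config") or {}
    if "env_prefix" in config:
        env = os.environ if environ is None else environ
        prefix = config["env_prefix"]
        # Only the requested names are looked up; resolve() reports the missing ones.
        lookup = {n: env[prefix + n.upper()] for n in names if prefix + n.upper() in env}
    else:
        lookup = DEMO_STORE if store is None else store
    return resolve(lookup, names)


def main():
    raw = sys.stdin.read()
    try:
        request = json.loads(raw)  # JSONDecodeError is a ValueError
        response = handle_request(request)
    except (ValueError, KeyError) as exc:
        # Diagnostics go to stderr only; stdout is reserved for the JSON reply.
        sys.stderr.write(f"secrets backend: {exc}\n")
        return 1
    sys.stdout.write(json.dumps(response))
    sys.stdout.flush()
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired up with `command: ["/usr/local/bin/vector-secrets.py"]` and, for the environment-prefix path, `protocol: {version: v1_1, backend_type: env, backend_config: {env_prefix: VSEC_}}`, the script must answer within `secret.*.timeout` seconds (5 by default); a backend that blocks on a network call should enforce its own shorter deadline so a hung vault fails loudly rather than stalling Vector's startup.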
secret.*.region
optional string
The AWS region of the target service.
Relevant when: type = "aws_secrets_manager"
Examples
"us-east-1"
secret.*.remove_trailing_whitespace
optional bool
Remove trailing whitespace (such as the newline most editors append) from file contents.
Relevant when: type = "directory"
default: false
secret.*.secret_id
required string
ID of the secret to resolve.
Relevant when: type = "aws_secrets_manager"
secret.*.timeout
optional uint
The timeout, in seconds, to wait for the command to complete.
Relevant when: type = "exec"
default: 5
secret.*.tls
optional object
TLS configuration.
Relevant when: type = "aws_secrets_manager"
secret.*.tls.alpn_protocols
optional [string]

Sets the list of supported ALPN protocols.

Declare the supported ALPN protocols, which are used during negotiation with a peer. They are prioritized in the order in which they are defined.

secret.*.tls.ca_file
optional string

Absolute path to an additional CA certificate file.

The certificate must be in the DER or PEM (X.509) format. Additionally, the certificate can be provided as an inline string in PEM format.

Examples
"/path/to/certificate_authority.crt"
secret.*.tls.crt_file
optional string

Absolute path to a certificate file used to identify this server.

The certificate must be in DER, PEM (X.509), or PKCS#12 format. Additionally, the certificate can be provided as an inline string in PEM format.

If this is set and is not a PKCS#12 archive, key_file must also be set.

Examples
"/path/to/host_certificate.crt"
secret.*.tls.key_file
optional string

Absolute path to a private key file used to identify this server.

The key must be in DER or PEM (PKCS#8) format. Additionally, the key can be provided as an inline string in PEM format.

Examples
"/path/to/host_certificate.key"
secret.*.tls.key_pass
optional string

Passphrase used to unlock the encrypted key file.

This has no effect unless key_file is set.

Examples
"${KEY_PASS_ENV_VAR}"
"PassWord1"

secret.*.tls.server_name
optional string

Server name to use when using Server Name Indication (SNI).

Only relevant for outgoing connections.

Examples
"www.example.com"
secret.*.tls.verify_certificate
optional bool

Enables certificate verification. For components that create a server, this requires that client connections present a valid client certificate. For components that initiate requests, this validates that the upstream has a valid certificate.

If enabled, certificates must not be expired and must be issued by a trusted issuer. This verification operates in a hierarchical manner, checking that the leaf certificate (the certificate presented by the client/server) is not only valid, but that the issuer of that certificate is also valid, and so on, until the verification process reaches a root certificate.

Do NOT set this to false unless you understand the risks of not verifying the validity of certificates. For a secrets backend the risk is concrete: an on-path attacker who can present any certificate can read every secret Vector fetches.

default: true
secret.*.tls.verify_hostname
optional bool

Enables hostname verification.

If enabled, the hostname used to connect to the remote host must be present in the TLS certificate presented by the remote host, either as the Common Name or as an entry in the Subject Alternative Name extension.

Only relevant for outgoing connections.

Do NOT set this to false unless you understand the risks of not verifying the remote hostname.

default: true
secret.*.type
required string enum
The secrets backend type.
Enum options
Option               Description
aws_secrets_manager  AWS Secrets Manager.
directory            Directory: each file in the directory holds one secret.
exec                 Exec: an external command that resolves secrets over stdin/stdout.
file                 File: a single file holding the secrets.
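Putting the fields above together, here is an added example configuration (not taken from the Vector reference) that declares two backends and then references their values from a sink with Vector's SECRET[<backend>.<key>] syntax instead of literal credentials. The secret name prod/vector/sinks, the role ARN, the external ID, the directory path, the sink and the es_password key are all assumptions; so is the expectation that the AWS secret is a JSON object whose top-level keys become the referenceable secret keys, which you should confirm for your Vector version.

```yaml
# Added example vector.yaml fragment; identifiers are hypothetical.
secret:
  aws:
    type: aws_secrets_manager
    secret_id: prod/vector/sinks          # assumed: JSON object, one key per value
    region: us-east-1
    auth:
      # No static keys in the file: assume a narrowly scoped role instead.
      assume_role: arn:aws:iam::123456789012:role/vector-secrets-reader
      external_id: EXAMPLE-external-id    # defeats the confused-deputy case
      session_name: vector-secrets
      load_timeout_secs: 30
    tls:
      verify_certificate: true            # the defaults; spelled out deliberately
      verify_hostname: true
  local:
    type: directory
    path: /etc/vector/secrets.d           # one file per secret, readable by vector only
    remove_trailing_whitespace: true      # strip the newline editors append

sinks:
  es:
    type: elasticsearch
    inputs: [app_logs]
    endpoints: ["https://es.internal:9200"]
    auth:
      strategy: basic
      user: vector
      password: SECRET[aws.es_password]   # resolved at load time, never stored in this file
```

Two operational checks are worth doing before trusting this in production: the IAM policy attached to vector-secrets-reader should grant secretsmanager:GetSecretValue on that one secret ARN only, and the files under /etc/vector/secrets.d should be owned by the Vector service account with mode 0400, since the directory backend trusts whatever it can read there.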