Vault logo

Backstage Vault Plugin

Created by Spread Group

Vault is a system for managing secrets and encryption keys. It controls access with identity and policy. Teams use it to store API keys, passwords, certificates, and tokens.

The Vault plugin brings that context into Backstage. It shows the names of secrets that exist under a path for the current service. From there you can open the official Vault UI to view or edit the item if your account allows it. Backstage itself only needs list permission, which keeps the portal lean and safer. The plugin can also renew its token on a schedule so reads keep working as tokens rotate.

It fits common workflows. Service owners get a quick map of where their secrets live. Platform teams can set a clear path per service so people stop hunting through folders. Security teams can confirm that entries exist without exposing values in the portal. You can point different services at different secret engines when needed. You connect a catalog entity to its Vault location with a simple annotation, which keeps the setup close to the code it protects.

Installation Instructions

These instructions apply to self-hosted Backstage only.

Install the frontend package

  1. From your Backstage root run

    Copy
    yarn --cwd packages/app add @backstage-community/plugin-vault

Add the card in a classic app

  1. Open packages/app/src/components/catalog/EntityPage.tsx

  2. Import the card

    Copy
    import { EntityVaultCard } from '@backstage-community/plugin-vault';
  3. Render the card in the overview tab

    Copy
    // packages/app/src/components/catalog/EntityPage.tsx
    
    const overviewContent = (
      <Grid container spacing={3} alignItems="stretch">
        {/* other content */}
        <Grid item md={6} xs={12}>
          <EntityVaultCard />
        </Grid>
      </Grid>
    );

Enable the plugin in the new frontend system

  1. Keep the same package install as above

  2. Open packages/app or packages/app-next then src/App.tsx

  3. Import the plugin and register it in createApp

    Copy
    // packages/app/src/App.tsx or packages/app-next/src/App.tsx
    
    import vaultPlugin from '@backstage-community/plugin-vault/alpha';
    
    export const app = createApp({
      features: [
        catalogPlugin,
        catalogImportPlugin,
        userSettingsPlugin,
        vaultPlugin,
      ],
    });

Configure Vault

  1. Open app-config.yaml

  2. Add the vault config

    Copy
    vault:
      baseUrl: http://your-vault-url
      token: ${VAULT_TOKEN}
      secretEngine: secrets # optional
      kvVersion: 2 # optional values are 1 or 2

    You can set VAULT_TOKEN in your runtime environment

Annotate catalog entities

  1. Add annotations to each entity that should show secrets

    Copy
    apiVersion: backstage.io/v1alpha1
    kind: Component
    metadata:
      name: my-service
      annotations:
        vault.io/secrets-path: test/backstage
        vault.io/secrets-engine: customSecretEngine # optional
    spec:
      type: service
      owner: team-a
      lifecycle: production

    The secrets path is relative to your secret engine folder

Optional policy for token renew

  1. If you want token renew to work add this to your Vault policy

    Copy
    # Allow tokens to renew themselves
    path "auth/token/renew-self" {
      capabilities = ["update"]
    }

Backend setup

There is no backend plugin to install for this feature. The frontend calls Vault using the config above. This applies to both the classic app and the new frontend system.

Changelog

This changelog is produced from commits made to the Vault plugin since a year ago, and based on the code located here. It may not contain information about all commits. Releases and version bumps are intentionally omitted. This changelog is generated by AI.

Breaking changes

No breaking changes

Documentation

  • Update dev environment for the Vault plugin. Add sample Vault config and a local setup guide. The script enables v1 and v2 engines. v1 is supported now. #3547 6 months ago
  • Fix a typo in the new backend example. #2487 9 months ago

Maintenance

  • Remove unused devDependency canvas. #3565 6 months ago
  • Reduce knip false positives by updating repo tools. #3018 7 months ago
  • Remove usage of the backend tasks package. #2361 9 months ago
  • Remove unused dependency backend common. #1826 11 months ago

Set up Backstage in minutes with Roadie