Vault is a system for managing secrets and encryption keys. It controls access with identity and policy. Teams use it to store API keys, passwords, certificates, and tokens.
The Vault plugin brings that context into Backstage. It shows the names of secrets that exist under a path for the current service. From there you can open the official Vault UI to view or edit the item if your account allows it. Backstage itself only needs list permission, which keeps the portal lean and safer. The plugin can also renew its token on a schedule so reads keep working as tokens rotate.
It fits common workflows. Service owners get a quick map of where their secrets live. Platform teams can set a clear path per service so people stop hunting through folders. Security teams can confirm that entries exist without exposing values in the portal. You can point different services at different secret engines when needed. You connect a catalog entity to its Vault location with a simple annotation, which keeps the setup close to the code it protects.
Installation Instructions
These instructions apply to self-hosted Backstage only.
Install the frontend package
-
From your Backstage root run
yarn --cwd packages/app add @backstage-community/plugin-vault
Add the card in a classic app
-
Open packages/app/src/components/catalog/EntityPage.tsx
-
Import the card
import { EntityVaultCard } from '@backstage-community/plugin-vault'; -
Render the card in the overview tab
// packages/app/src/components/catalog/EntityPage.tsx const overviewContent = ( <Grid container spacing={3} alignItems="stretch"> {/* other content */} <Grid item md={6} xs={12}> <EntityVaultCard /> </Grid> </Grid> );
Enable the plugin in the new frontend system
-
Keep the same package install as above
-
Open packages/app or packages/app-next then src/App.tsx
-
Import the plugin and register it in createApp
// packages/app/src/App.tsx or packages/app-next/src/App.tsx import vaultPlugin from '@backstage-community/plugin-vault/alpha'; export const app = createApp({ features: [ catalogPlugin, catalogImportPlugin, userSettingsPlugin, vaultPlugin, ], });
Configure Vault
-
Open app-config.yaml
-
Add the vault config
vault: baseUrl: http://your-vault-url token: ${VAULT_TOKEN} secretEngine: secrets # optional kvVersion: 2 # optional values are 1 or 2You can set VAULT_TOKEN in your runtime environment
Annotate catalog entities
-
Add annotations to each entity that should show secrets
apiVersion: backstage.io/v1alpha1 kind: Component metadata: name: my-service annotations: vault.io/secrets-path: test/backstage vault.io/secrets-engine: customSecretEngine # optional spec: type: service owner: team-a lifecycle: productionThe secrets path is relative to your secret engine folder
Optional policy for token renew
-
If you want token renew to work add this to your Vault policy
# Allow tokens to renew themselves path "auth/token/renew-self" { capabilities = ["update"] }
Backend setup
There is no backend plugin to install for this feature. The frontend calls Vault using the config above. This applies to both the classic app and the new frontend system.
Changelog
This changelog is produced from commits made to the Vault plugin since a year ago, and based on the code located here. It may not contain information about all commits. Releases and version bumps are intentionally omitted. This changelog is generated by AI.
Set up Backstage in minutes with Roadie
Focus on using Backstage, rather than building and maintaining it.