

There are 3 different ways that parameters can be passed along to argocd-vault-plugin.

Kubernetes Secret

You can define a Secret in the argocd namespace of your Argo CD cluster with the Vault configuration. The keys of the secret's data/stringData should be the exact names given above, case-sensitive:

apiVersion: v1
# Values under data are base64-encoded (Zm9v decodes to "foo")
data:
  AVP_TYPE: Zm9v
kind: Secret
metadata:
  name: vault-configuration
  namespace: argocd
type: Opaque

You can use it like this: argocd-vault-plugin generate /some/path -s vault-configuration. Note: this requires the argocd-repo-server to have a service account token mounted in the standard location.

Configuration File

The configuration can be given in a file reachable from the plugin, in any Viper-supported format (YAML, JSON, etc.). The keys must match the names used in the Kubernetes Secret:

VAULT_ADDR: http://vault
AVP_TYPE: vault

You can use it like this: argocd-vault-plugin generate /some/path -c /path/to/config/file.yaml. This can be useful for use-cases not involving Argo CD.

Environment Variables

The configuration can be set via environment variables, where each key is prefixed by AVP_:

AVP_TYPE=vault # corresponds to TYPE key

Make sure that these environment variables are available to the plugin when running it, whether that is in Argo CD or as a CLI tool. Note that any set environment variables take precedence over configuration pulled from a Kubernetes Secret or a file.

Full List of Supported Parameters

We support all Vault Environment Variables listed here as well as:

| Name | Description | Notes |
| --- | --- | --- |
| AVP_TYPE | The type of Vault backend | Supported values: vault, ibmsecretsmanager, awssecretsmanager and gcpsecretmanager |
| AVP_KV_VERSION | The vault secret engine | Supported values: 1 and 2 (defaults to 2). KV_VERSION will be ignored if the annotation is present in a YAML resource. |
| AVP_AUTH_TYPE | The type of authentication | Supported values: vault: approle, github, k8s, token. Only honored for AVP_TYPE of vault |
| AVP_GITHUB_TOKEN | GitHub token | Required with AUTH_TYPE of github |
| AVP_ROLE_ID | Vault AppRole Role_ID | Required with AUTH_TYPE of approle |
| AVP_SECRET_ID | Vault AppRole Secret_ID | Required with AUTH_TYPE of approle |
| AVP_K8S_MOUNT_PATH | Kubernetes Auth Mount PATH | Optional for AUTH_TYPE of k8s, defaults to auth/kubernetes |
| AVP_K8S_ROLE | Kubernetes Auth Role | Required with AUTH_TYPE of k8s |
| AVP_K8S_TOKEN_PATH | Path to JWT for Kubernetes Auth | Optional for AUTH_TYPE of k8s, defaults to /var/run/secrets/ |
| AVP_IBM_API_KEY | IBM Cloud IAM API Key | Required with TYPE of ibmsecretsmanager |
| AVP_IBM_INSTANCE_URL | Endpoint URL for IBM Cloud Secrets Manager instance | If absent, fall back to $VAULT_ADDR |
| AWS_REGION | AWS Secrets Manager Region | Only valid with TYPE awssecretsmanager |
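
As an added example (not code from the plugin or its documentation), the Python sketch below overlays set environment variables on values read from a Secret or file, as described above, and checks the result against the table. The function names and sample values are constructed for illustration, and skipping the AVP_AUTH_TYPE check when that key is unset is an assumption.

```python
import base64

# Requirements transcribed from the parameter table on this page.
SUPPORTED_TYPES = {"vault", "ibmsecretsmanager", "awssecretsmanager", "gcpsecretmanager"}
REQUIRED_BY_TYPE = {"ibmsecretsmanager": ["AVP_IBM_API_KEY"]}
REQUIRED_BY_AUTH = {
    "approle": ["AVP_ROLE_ID", "AVP_SECRET_ID"],
    "github": ["AVP_GITHUB_TOKEN"],
    "k8s": ["AVP_K8S_ROLE"],
    "token": [],
}

# Constructed sample: the `data` map of a Secret (values are base64, not encrypted).
SAMPLE_SECRET_DATA = {
    "AVP_TYPE": "dmF1bHQ=",           # vault
    "AVP_AUTH_TYPE": "YXBwcm9sZQ==",  # approle
    "AVP_ROLE_ID": "Zm9v",            # foo
}


def decode_secret_data(data):
    """Decode a Secret's base64 `data` values; `stringData` needs no decoding."""
    return {key: base64.b64decode(value).decode() for key, value in data.items()}


def resolve(base, environ):
    """Overlay set environment variables on the Secret or file values."""
    relevant = {k: v for k, v in environ.items()
                if k.startswith(("AVP_", "VAULT_")) or k == "AWS_REGION"}
    return {**base, **relevant}


def validate(cfg):
    """Return a list of problems; an empty list means the table's rules hold."""
    problems = []
    backend = cfg.get("AVP_TYPE")
    if backend not in SUPPORTED_TYPES:
        problems.append(f"AVP_TYPE {backend!r} is not a supported value")
    if str(cfg.get("AVP_KV_VERSION", "2")) not in ("1", "2"):
        problems.append("AVP_KV_VERSION must be 1 or 2")
    required = list(REQUIRED_BY_TYPE.get(backend, []))
    auth = cfg.get("AVP_AUTH_TYPE")
    if backend == "vault" and auth is not None:  # only honored for AVP_TYPE of vault
        if auth not in REQUIRED_BY_AUTH:
            problems.append(f"AVP_AUTH_TYPE {auth!r} is not a supported value")
        required += REQUIRED_BY_AUTH.get(auth, [])
    problems += [f"{n} is required but not set" for n in required if not cfg.get(n)]
    return problems
```

Running validate on the resolved configuration, rather than on the Secret alone, surfaces the case where an environment variable on the repo server silently switches the authentication type away from what the Secret declares.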

Full List of Supported Annotations

We support several different annotations that can be used inside a Kubernetes resource. These annotations will override any corresponding configuration set via Environment Variable or Configuration File.

| Annotation | Description |
| --- | --- |
| | Path to the Vault Secret |
| | Boolean to tell the plugin whether or not to process the file. Invalid values translate to false |
| | Version of the KV Secret Engine |
| | Version of the secret to retrieve. Only effective on generic <placeholder>s so is required when this annotation is used |
| | Plugin will not throw error when a key is missing from Vault Secret. Only works on Secret or ConfigMap resources |