github.com/jaylevin/jenkins-library@v1.230.4/documentation/developer_hints/VaultResourceReference.md

# The Vault ResourceRef

## Preconditions

Parameters that have a ResourceReference of type `vaultSecret` are looked up from Vault when all of the following conditions are true:

* The environment variables `PIPER_vaultAppRoleID` and `PIPER_vaultAppRoleSecretID` are both set, to the Vault AppRole role ID and the Vault AppRole secret ID respectively. See [Vault AppRole docs](https://www.vaultproject.io/docs/auth/approle)
* `vaultServerUrl` is set in the `general` section of the configuration file.
* The parameter is not set by the configuration file, as a CLI parameter, or as an environment variable. Any parameter that has already been set won't be resolved via Vault.

## Lookup

```
- name: token
  type: string
  description: "Token used to authenticate with the Sonar Server."
  scope:
  - PARAMETERS
  secret: true
  resourceRef:
    - type: vaultSecret
      paths:
      - $(vaultBasePath)/$(vaultPipelineName)/sonar
      - $(vaultBasePath)/__group/sonar
```

With the example above, piper checks whether the `token` parameter was already set when the config was resolved. If `token` hasn't been resolved yet, we go through every item of the `paths` array, interpolate each string using the already resolved config, and then check whether a secret is stored at the resulting path.

If we find a secret, we check whether it has a field (secrets in Vault are **flat** JSON documents) that matches the parameter's name (or one of its alias names). In the example above this would be `token`.