Skip to content

HCP Vault Secrets

chezmoi includes support for HCP Vault Secrets using the vlt CLI to expose data through the hcpVaultSecret and hcpVaultSecretJson template functions.

Log in using:

vlt login

The output of the vlt secrets get --plaintext $SECRET_NAME is available as the hcpVaultSecret function, for example:

{{ hcpVaultSecret "secret_name" "application_name" "project_id" "organization_id" }}

You can set the default values for the application name, project ID, and organization ID in your config file, for example:

~/.config/chezmoi/chezmoi.toml
[hcpVaultSecrets]
    organizationId = "bf479eab-a292-4b46-92df-e22f5c47eadc"
    projectId = "5907a2fa-d26a-462a-8705-74dfe967e87d"
    applicationName = "my-application"

With these default values, you can omit them in the call to hcpVaultSecret, for example:

{{ hcpVaultSecret "secret_name" }}
{{ hcpVaultSecret "other_secret_name" "other_application_name" }}

Structured data from vlt secrets get --format=json $SECRET_NAME is available as the hcpVaultSecretJson template function, for example:

{{ (hcpVaultSecretJson "secret_name").created_by.email }}

Warning

Hashicorp has announced the closure the Vault Secrets service for most customers 27 August 2025 with a recommendation of migrating to Hashicorp Vault, which is an enterprise-scale product.

These functions will be removed from chezmoi after the service is no longer available.

vlt vs hcp: Upgrades that Break

Hashicorp ended support for the vlt CLI tool in September 2024 and recommended migrating to the hcp CLI. Unfortunately, the new command does not work like vlt, rendering hcpVaultSecret and hcpVaultSecretJson inoperable when using the recommended command-line tool. Contributions to create new integrations for HCP Vault Secrets are welcome.

Without these integrations, anyone using HCP Vault Secrets that must upgrade to the hcp client are recommended to use the output and fromJson functions together:

{{- $app_name := "my-app-name" -}}
{{- $secret_name := "gdrive-secrets" -}}
{{- $secret :=
    output "hcp" "vs" "s" "open" "--format" "json" "--app" $app_name $secret_name
    | fromJson -}}
[GDrive]
type = drive
client_secret = {{ $secret.static_version.value }}

$HCP_CLIENT_ID and $HCP_CLIENT_SECRET must be set and exported for use in chezmoi for the above template to work.

See issue #4146 for more details.