open-vault/website/content/docs/plugins/index.mdx

---
layout: docs
page_title: Plugin System
description: Learn about Vault's plugin system.
---


# Plugin System

All Vault auth methods and secrets engines are considered plugins. This simple concept
allows both built-in and external plugins to be treated like Legos. Any plugin
can exist at multiple different locations. Different versions of a plugin may
be at each location, with each version differing from Vault's version.

@include 'plugin-file-permissions-check.mdx'

## Built-In Plugins

Built-in plugins are shipped with Vault, often for commonly used implementations,
and require no additional operator intervention to run. Built-in plugins are
just like any other backend code inside Vault.

To use a different or edited version of a built-in plugin, the plugin must be
run as an external plugin. See [Overriding Built-in Plugins](/docs/upgrading/plugins#overriding-built-in-plugins)
for details on how to override a built-in plugin in-place.

## External Plugins

External plugins are not shipped with Vault and require additional operator
intervention to run.

To run an external plugin, a binary of the plugin is required. Plugin
binaries can be obtained from [releases.hashicorp.com](https://releases.hashicorp.com/)
or they can be [built from source](/docs/plugins/plugin-development#building-a-plugin-from-source).

Vault's external plugins are completely separate, standalone applications that
Vault executes and communicates with over RPC. Each time a Vault secret engine
or auth method is mounted, a new process is spawned. However, database plugins
can be made to implement [plugin multiplexing](/docs/plugins/plugin-architecture#plugin-multiplexing)
which allows a single plugin process to be used for multiple database
connections.
docs/multiplexing: overhaul plugin documentation (#14509) * docs/multiplexing: overhaul plugin documentation * update nav data * remove dupe nav data * add external plugin section to index * move custom plugin backends under internals/plugins * remove ref to moved page * revert moving custom plugin backends * add building plugins from source section to plug dev * add mux section to plugin arch * add mux section to custom plugin page * reorder custom database page * use 'external plugin' where appropriate * add link to plugin multiplexing * fix example serve multiplex func call * address review comments * address review comments * Minor format updates (#14590) * mv Plugins to top-level; update upgrading plugins * update links after changing paths * add section on external plugin scaling characteristics * add updates on plugin registration in plugin management page * add plugin learn resource * be more explicit about mux upgrade steps; add notes on when to avoid db muxing * add plugin upgrade built-in section * add caveats to built-in plugin upgrade * improvements to built-in plugin override * formatting, add redirects, correct multiplexing use case * fix go-plugin link * Apply suggestions from code review Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * remove single item list; add link to Database interface Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> 2022-03-22 20:07:32 +00:00			`---`
			`layout: docs`
			`page_title: Plugin System`
			`description: Learn about Vault's plugin system.`
			`---`


			`# Plugin System`

			`All Vault auth methods and secrets engines are considered plugins. This simple concept`
			`allows both built-in and external plugins to be treated like Legos. Any plugin`
			`can exist at multiple different locations. Different versions of a plugin may`
			`be at each location, with each version differing from Vault's version.`

Vault 3992 documentation changes (#14918) * doc changes * adding config changes * adding chnages to plugins * using include * making doc changes * adding newline 2022-04-08 19:27:04 +00:00			`@include 'plugin-file-permissions-check.mdx'`

docs/multiplexing: overhaul plugin documentation (#14509) * docs/multiplexing: overhaul plugin documentation * update nav data * remove dupe nav data * add external plugin section to index * move custom plugin backends under internals/plugins * remove ref to moved page * revert moving custom plugin backends * add building plugins from source section to plug dev * add mux section to plugin arch * add mux section to custom plugin page * reorder custom database page * use 'external plugin' where appropriate * add link to plugin multiplexing * fix example serve multiplex func call * address review comments * address review comments * Minor format updates (#14590) * mv Plugins to top-level; update upgrading plugins * update links after changing paths * add section on external plugin scaling characteristics * add updates on plugin registration in plugin management page * add plugin learn resource * be more explicit about mux upgrade steps; add notes on when to avoid db muxing * add plugin upgrade built-in section * add caveats to built-in plugin upgrade * improvements to built-in plugin override * formatting, add redirects, correct multiplexing use case * fix go-plugin link * Apply suggestions from code review Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * remove single item list; add link to Database interface Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com> Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> 2022-03-22 20:07:32 +00:00			`## Built-In Plugins`

			`Built-in plugins are shipped with Vault, often for commonly used implementations,`
			`and require no additional operator intervention to run. Built-in plugins are`
			`just like any other backend code inside Vault.`

			`To use a different or edited version of a built-in plugin, the plugin must be`
			`run as an external plugin. See [Overriding Built-in Plugins](/docs/upgrading/plugins#overriding-built-in-plugins)`
			`for details on how to override a built-in plugin in-place.`

			`## External Plugins`

			`External plugins are not shipped with Vault and require additional operator`
			`intervention to run.`

			`To run an external plugin, a binary of the plugin is required. Plugin`
			`binaries can be obtained from [releases.hashicorp.com](https://releases.hashicorp.com/)`
			`or they can be [built from source](/docs/plugins/plugin-development#building-a-plugin-from-source).`

			`Vault's external plugins are completely separate, standalone applications that`
			`Vault executes and communicates with over RPC. Each time a Vault secret engine`
			`or auth method is mounted, a new process is spawned. However, database plugins`
			`can be made to implement [plugin multiplexing](/docs/plugins/plugin-architecture#plugin-multiplexing)`
			`which allows a single plugin process to be used for multiple database`
			`connections.`