---
layout: docs
page_title: Vault CSI Provider Configurations
description: This section documents the configurables for the Vault CSI Provider.
---

# Secret Class Provider Configurations

The following parameters are supported by the Vault provider:

- `roleName` `(string: "")` - Name of the role to be used during login with Vault.

- `vaultAddress` `(string: "")` - The address of the Vault server.

- `vaultNamespace` `(string: "")` - The Vault [namespace](/docs/enterprise/namespaces) to use.

- `vaultKubernetesMountPath` `(string: "kubernetes")` - The mount path of the Kubernetes authentication
  method in Vault.

- `vaultSkipTLSVerify` `(string: "false")` - When set to true, skips verification of the Vault server
  certificiate. Setting this to true is not recommended for production.

- `vaultCACertPath` `(string: "")` - The path on disk where the Vault CA certificate can be found
  when verifying the Vault server certificate.

- `vaultCADirectory` `(string: "")` - The directory on disk where the Vault CA certificate can be found
  when verifying the Vault server certificate.

- `vaultTLSClientCertPath` `(string: "")` - The path on disk where the client certificate can be found
  for mTLS communications with Vault.

- `vaultTLSClientKeyPath` `(string: "")` - The path on disk where the client key can be found
  for mTLS communications with Vault.

- `vaultTLSServerName` `(string: "")` - The name to use as the SNI host when connecting via TLS.

- `vaultKubernetesMountPath` `(string: "kubernetes")` - The name of the auth mount used for login.
  At this time only the Kubernetes auth method is supported.

- `objects` `(array)` - An array of secrets to retrieve from Vault.

  - `objectName` `(string: "")` - The alias of the object which can be referenced within the secret provider class and
  the name of the secret file.

  - `method` `(string: "GET")` - The type of HTTP request. Supported values include "GET" and "PUT".

  - `secretPath` `(string: "")` - The path in Vault where the secret is located.

  - `secretKey` `(string: "")` - The key in the Vault secret to extract. If omitted, the whole response from Vault will be written as JSON.

  - `secretArgs` `(map: {})` - Additional arguments to be sent to Vault for a specific secret. Arguments can vary
    for different secret engines. For example:

    ```yaml
    secretArgs:
      common_name: 'test.example.com'
      ttl: '24h'
    ```